Guides
Guides for using Capsule and Capsule Proxy
Capsule does not care about the authentication strategy used in the cluster, and all the Kubernetes methods of authentication are supported. The only requirement to use Capsule is to assign tenant users to the group defined by the userGroups option in the CapsuleConfiguration, which defaults to capsule.clastix.io.
In the following guide, we'll use Keycloak, an open-source Identity and Access Management server that can authenticate users via OIDC and issue JWT tokens as proof of authentication.
1 - Namespace Migration Across Tenants
A Step-by-Step Guide to Namespace Migration
Capsule relies on two components to associate a given namespace with a tenant:
- Namespace's OwnerReference.name pointing to the Tenant definition
- Namespace's OwnerReference.uid pointing to the Tenant definition
If a cluster administrator changes the Namespace so that these fields match the other Tenant's name and UID, the Namespace can be easily transferred.
NAME    STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
solar   Active                     1                                 46s
wind    Active                     1                                 39s
Get the target tenant's metadata.uid.
kubectl get tnt wind -o jsonpath='{.metadata.uid}'
0df8e9ee-5f6f-40a4-897d-b80d349ca36f%
While altering the ownerReferences name is sufficient on its own, it's highly recommended to also edit the UID to match the output of the previous command.
If everything is set correctly, the namespace will be recognized as part of the new tenant.
NAME    STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
solar   Active                     0                                 2m22s
wind    Active                     2                                 2m15s
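The migration steps above as a script, added here as an example (it is not code from the Capsule documentation). The function names are hypothetical, and it assumes the Tenant reference is the first entry in the namespace's ownerReferences; the JSON Patch "test" operation makes the patch fail without changes if it is not.

```shell
#!/bin/sh
# Added example: move a namespace to another Capsule tenant by rewriting the
# name and uid of its Tenant ownerReference in one atomic JSON Patch.
# Assumption: the Tenant reference is ownerReferences[0].

# Whole-string ERE match; multi-line input is rejected outright.
matches() {
  [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" = 0 ] &&
    printf '%s\n' "$1" | grep -Eqx "$2"
}

# Kubernetes UIDs are lowercase UUIDs. This also rejects a value copied with
# the trailing "%" that zsh prints after output lacking a final newline.
is_uuid() {
  matches "$1" '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
}

# Restricting the tenant name keeps the hand-built JSON below well-formed.
is_k8s_name() {
  matches "$1" '[a-z0-9]([-a-z0-9.]*[a-z0-9])?'
}

# build_owner_patch TENANT_NAME TENANT_UID: print the JSON Patch document.
build_owner_patch() {
  is_k8s_name "$1" || { echo "invalid tenant name: $1" >&2; return 1; }
  is_uuid "$2" || { echo "invalid tenant uid: $2" >&2; return 1; }
  printf '[{"op":"test","path":"/metadata/ownerReferences/0/kind","value":"Tenant"},'
  printf '{"op":"replace","path":"/metadata/ownerReferences/0/name","value":"%s"},' "$1"
  printf '{"op":"replace","path":"/metadata/ownerReferences/0/uid","value":"%s"}]\n' "$2"
}

# migrate_namespace NAMESPACE TARGET_TENANT (run as a cluster administrator)
migrate_namespace() {
  uid=$(kubectl get tnt "$2" -o jsonpath='{.metadata.uid}') || return 1
  patch=$(build_owner_patch "$2" "$uid") || return 1
  kubectl patch namespace "$1" --type=json -p "$patch" || return 1
  # Confirm the namespace now carries the target tenant's UID.
  now=$(kubectl get namespace "$1" -o jsonpath='{.metadata.ownerReferences[0].uid}')
  [ "$now" = "$uid" ]
}
```

After sourcing the file, `migrate_namespace <namespace> wind` performs the transfer shown in the tables above; the namespace name is whatever namespace you are moving.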