-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFD - Start moving services into their own Kubernetes Namespaces #54
Comments
I do like this approach, and I would prefer we opted it as default behavior. We already have control over the services endpoint injection in each helm chart, as well as, the infra resources itself. So, we could have the existing deployment option default to single namespaces. |
Services accounts such as the jupyterhub one would possibly require access to the user's namespaces, so that would need to use some level of tagging system or similar if that exists. |
Copying over some internal discussion here.
|
On meeting today there was also a mention of whether this has an interaction with:
|
Start moving services into their own Kubernetes Namespaces
Summary
Services integrated into Nebari often suggest putting the service in it's own namespace when used with Kubernetes (e.g. Rook Ceph, Argo Workflows). Jupyterhub also has the option to put users in their own namespace. So far we've kept everything in a single namespace. The idea being that if someone wants to deploy Nebari into an existing Kubernetes cluster they can be assured that by default everything is deployed in a single namespace.
Benefit
Putting services and potentially users in their own namespaces brings some advantages around controlling resource limits on users. It also allows us to follow the best practices recommended by the services themselves.
It can also help with some aspects of RBAC permissions. E.g. All pods in a namespace have all the the permissions granted to the default service account (assuming automountServiceToken: true). This is a smaller benefit in my mind. We currently don't use the default service account.
Design Proposal
I propose we move Argo Workflows, Keycloak, Rook-Ceph, Monitoring (Prometheus/Grafana), potentially Jupyterhub each into their own namespaces. We should ensure the namespace is configurable so users could put everything in a single namespace if they wish, but by default we separate these things out.
Alternatives or approaches considered (if any)
Best practices
Services recommend being put in their own namespace. It also gives better resource controls on various services and potentially Nebari users.
User impact
Ideally none, there may be some special instructions/manual steps required around upgrading Nebari b/c of these changes.
Unresolved questions
The text was updated successfully, but these errors were encountered: