feat(docs): setup Gridsome for the website
93lucasp authored and prometherion committed Nov 6, 2021
1 parent 14f9686 commit 0acc2d2
Showing 111 changed files with 25,054 additions and 149 deletions.
8 changes: 8 additions & 0 deletions docs/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
*.log
.cache
.DS_Store
src/.temp
node_modules
dist
.env
.env.*
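Review bot: the `.env` and `.env.*` entries are the ones that matter in this new `docs/.gitignore`, since a static-site build commonly reads tokens and similar settings from dotenv files; the list only applies under `docs/`, so confirm nothing outside that directory needs the same exclusions, and consider committing a `.env.example` (variable names only, no values) so contributors know which settings the site build expects.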
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
26 changes: 13 additions & 13 deletions docs/dev-guide.md → docs/content/dev-guide.md
Expand Up @@ -19,7 +19,7 @@ A lightweight Kubernetes within your laptop can be very handy for Kubernetes-nat

#### By `k3d`

```sh
```shell
# Install K3d cli by brew in Mac, or your preferred way
$ brew install k3d

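Review bot: the fence language changes from `sh` to `shell` here and in the following hunks, presumably for the site's syntax highlighter, but the `$ ` prompts stay inside the blocks, so anyone who copies a whole block gets `$: command not found`. Either drop the prompts or keep commands and their output in separate blocks, and record the chosen fence convention in the contributing guide so later edits stay consistent.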
Expand All @@ -46,7 +46,7 @@ CONTAINER ID IMAGE COMMAND CREATED

#### By `kind`

```sh
```shell
# # Install kind cli by brew in Mac, or your preferred way
$ brew install kind

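Review bot: the context line `# # Install kind cli by brew in Mac, or your preferred way` has a doubled comment marker; since this hunk already touches the block, reduce `# #` to `#` so it matches the `k3d` block above.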
Expand Down Expand Up @@ -99,13 +99,13 @@ The `fork-clone-contribute-pr` flow is common for contributing to OSS projects l
Let's assume you've forked it into your GitHub namespace, say `myuser`, and then you can clone it with Git protocol.
Do remember to change the `myuser` to yours.

```sh
```shell
$ git clone [email protected]:myuser/capsule.git && cd capsule
```

It's a good practice to add the upsteam as the remote too so we can easily fetch and merge the upstream to our fork:

```sh
```shell
$ git remote add upstream https://github.com/clastix/capsule.git
$ git remote -vv
origin [email protected]:myuser/capsule.git (fetch)
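Review bot: the clone remote is shown as `[email protected]:myuser/capsule.git`, which is not a valid SSH remote and looks like an obfuscated `git@github.com:myuser/capsule.git`; verify that the rendered page prints the real form, because the `origin` line below shows the same mangling. Also, `upsteam` in the unchanged sentence above is a typo for `upstream`.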
Expand All @@ -116,7 +116,7 @@ upstream https://github.com/clastix/capsule.git (push)

## Build & deploy Capsule

```sh
```shell
# Download the project dependencies
$ go mod download

Expand Down Expand Up @@ -173,13 +173,13 @@ During development, we prefer that the code is running within our IDE locally, i

Such a setup can be illustrated as below diagram:

![Development Env](assets/dev-env.png)
![Development Env](./assets/dev-env.png)

To achieve that, there are some necessary steps we need to walk through, which have been made as a `make` target within our `Makefile`.

So the TL;DR answer is:

```sh
```shell
# If you haven't installed or run `make deploy` before, do it first
# Note: please retry if you saw errors
$ make deploy
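Review bot: the image reference becomes `./assets/dev-env.png` while every other link in this commit is rewritten to an absolute `/docs/...` path; check that the site resolves relative image paths from `docs/content/dev-guide.md` after the move, otherwise the diagram breaks silently. The unchanged comment `Note: please retry if you saw errors` also deserves a sentence on which error is expected on a first `make deploy`, so contributors do not learn to ignore real failures.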
Expand All @@ -196,7 +196,7 @@ This is a very common setup for typical Kubernetes Operator development so we'd

We need to scale the existing replicas of `capsule-controller-manager` to 0 to avoid reconciliation competition between the Pod(s) and the code running outside of the cluster, in our preferred IDE for example.

```sh
```shell
$ kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
deployment.apps/capsule-controller-manager scaled
```
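Review bot: scaling `capsule-controller-manager` to zero leaves the `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` pointing at a service with no endpoints until the patching step further down; depending on each webhook's `failurePolicy`, admission of the covered resources either fails or silently skips the checks in the meantime. A one-line note that the cluster is in that degraded state between the steps, and that this flow is meant for a throwaway development cluster, would help.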
Expand All @@ -205,7 +205,7 @@ deployment.apps/capsule-controller-manager scaled

Running webhooks requires TLS, we can prepare the TLS key pair in our development env to handle HTTPS requests.

```sh
```shell
# Prepare a simple OpenSSL config file
# Do remember to export LAPTOP_HOST_IP before running this command
$ cat > _tls.cnf <<EOF
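Review bot: this block produces a self-signed development certificate and its private key; the guide should say where the files land and that they must not be committed. The `docs/.gitignore` added in this commit only covers site build artifacts, so either extend it or confirm that the repository root `.gitignore` already excludes `_tls.cnf` and the generated key material.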
Expand Down Expand Up @@ -246,7 +246,7 @@ By default, the webhooks will be registered with the services, which will route

We need to _delegate_ the controllers' and webbooks' services to the code running in our IDE by patching the `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration`.

```sh
```shell
# Export your laptop's IP with the 9443 port exposed by controllers/webhooks' services
$ export WEBHOOK_URL="https://${LAPTOP_HOST_IP}:9443"

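Review bot: `WEBHOOK_URL` points the cluster's admission webhooks at the laptop IP on port 9443, so every admission request for the covered resources leaves the cluster and is decided by whatever listens there; the text should state plainly that this is for a local throwaway cluster only, and that the webhook `caBundle` has to match the self-signed certificate prepared above or the API server will reject the TLS connection.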
Expand Down Expand Up @@ -284,14 +284,14 @@ $ kubectl get ValidatingWebhookConfiguration capsule-validating-webhook-configur

Now we can run Capsule controllers with webhooks outside of the Kubernetes cluster:

```sh
```shell
$ export NAMESPACE=capsule-system && export TMPDIR=/tmp/
$ go run .
```

To verify that, we can open a new console and create a new Tenant:

```sh
```shell
$ kubectl apply -f - <<EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
Expand Down Expand Up @@ -356,4 +356,4 @@ For example, if you're using [Visual Studio Code](https://code.visualstudio.com)
}
```

Please refer to [contributing.md](contributing.md) for more details while contributing.
Please refer to [contributing](/docs/contributing) for more details while contributing.
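Review bot: this link becomes `/docs/contributing`, but the new `docs/content/operator/overview.md` added in the same commit links the contributing page as `/docs/operator/contributing`; one of the two will 404 on the generated site. Pick the path that matches where `contributing.md` now lives under `docs/content/` and use it in both places.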
6 changes: 3 additions & 3 deletions docs/index.md → docs/content/index.md
Expand Up @@ -3,6 +3,6 @@

Currently, the Capsule ecosystem comprises the following:

* [Capsule Operator](./operator/overview.md)
* [Capsule Proxy](./proxy/overview.md)
* [Capsule Lens extension](./lens-extension/overview.md)
* [Capsule Operator](/docs/operator/overview)
* [Capsule Proxy](/docs/proxy/overview)
* [Capsule Lens extension](/docs/lens-extension/overview)
File renamed without changes.
Expand Up @@ -6,7 +6,7 @@ First, thanks for your interest in Capsule, any contribution is welcome!

The first step is to set up your local development environment.

Please follow the [Capsule Development Guide](dev-guide.md) for details.
Please follow the [Capsule Development Guide](/docs/dev-guide) for details.

## Code convention

Expand All @@ -22,7 +22,7 @@ You can easily check them issuing the _Make_ recipe `golint`.
golangci-lint run -c .golangci.yml
```

> Enabled linters and related options are defined in the [.golanci.yml file](../../.golangci.yml)
> Enabled linters and related options are defined in the [.golanci.yml file](https://github.com/clastix/capsule/blob/master/.golangci.yml)

### goimports

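Review bot: the link now targets `blob/master/.golangci.yml`, a moving target that breaks if the default branch is renamed or the file moves, whereas the relative link was tied to the checked-out revision. The link text `.golanci.yml` also misspells `.golangci.yml` on both the old and the new line; fix it while the line is being touched.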
Expand Up @@ -68,7 +68,7 @@ Users authenticated through an _OIDC token_ must have in their token:
]
```

The [hack/create-user.sh](../../hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `alice` user acting as owner of a tenant called `oil`
The [hack/create-user.sh](https://github.com/clastix/capsule/blob/master/hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `alice` user acting as owner of a tenant called `oil`

```bash
./hack/create-user.sh alice oil
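Review bot: same concern as the linter link: `hack/create-user.sh` is now referenced via `blob/master`, so documentation for a released version may point at a script that has since changed. It would also help to say what kind of credential the generated `kubeconfig` carries and that it is meant for test clusters only, since the resulting identity acts as owner of the `oil` tenant.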
Expand Down Expand Up @@ -107,4 +107,4 @@ Error from server (Forbidden): pods is forbidden: User "alice" cannot list resou
```

# What’s next
The Tenant Owners have full administrative permissions limited to only the namespaces in the assigned tenant. However, their permissions can be controlled by the Cluster Admin by setting rules and policies on the assigned tenant. See the [use cases](./use-cases/overview.md) page for more getting more cool things you can do with Capsule.
The Tenant Owners have full administrative permissions limited to only the namespaces in the assigned tenant. However, their permissions can be controlled by the Cluster Admin by setting rules and policies on the assigned tenant. See the [use cases](/docs/operator/use-cases/overview) page for more getting more cool things you can do with Capsule.
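Review bot: the unchanged tail of this sentence, `for more getting more cool things you can do with Capsule`, has a duplicated `more`; since the link on the line is being rewritten anyway, tidy it to `for more things you can do with Capsule`.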
File renamed without changes.
Expand Up @@ -9,7 +9,7 @@ Capsule Operator can be easily installed on a Managed Kubernetes Service. Since
- MutatingAdmissionWebhook
- ValidatingAdmissionWebhook

* [AWS EKS](./aws-eks.md)
* [AWS EKS](/docs/managed-kubernetes/aws-eks)
* CoAKS - Capsule over Azure Kubernetes Service
* Google Cloud GKE
* IBM Cloud
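Review bot: the link becomes `/docs/managed-kubernetes/aws-eks`, while the new operator overview in this commit lists this section at `/docs/operator/managed-kubernetes/overview`; both prefixes cannot be right. The other three entries (CoAKS, GKE, IBM Cloud) are plain text without pages, which is fine, but marking them as planned would stop readers from reporting them as dead links.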
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
30 changes: 30 additions & 0 deletions docs/content/operator/mtb/sig-multitenancy-bench.md
@@ -0,0 +1,30 @@
# Meet the multi-tenancy benchmark MTB
Actually, there's no yet a real standard for the multi-tenancy model in Kubernetes, although the [SIG multi-tenancy group](https://github.com/kubernetes-sigs/multi-tenancy) is working on that. SIG multi-tenancy drafted a generic validation schema appliable to generic multi-tenancy projects. Multi-Tenancy Benchmarks [MTB](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks) are guidelines for multi-tenant configuration of Kubernetes clusters. Capsule is an open source multi-tenancy operator and we decided to meet the requirements of MTB.

> N.B. At the time of writing, the MTB is in development and not ready for usage. Strictly speaking, we do not claim official conformance to MTB, but just to adhere to the multi-tenancy requirements and best practices promoted by MTB.

|MTB Benchmark |MTB Profile|Capsule Version|Conformance|Notes |
|--------------|-----------|---------------|-----------|-------|
|[Block access to cluster resources](/docs/operator/mtb/block-access-to-cluster-resources)|L1|v0.1.0|✓|---|
|[Block access to multitenant resources](/docs/operator/mtb/block-access-to-multitenant-resources)|L1|v0.1.0|✓|---|
|[Block access to other tenant resources](/docs/operator/mtb/block-access-to-other-tenant-resources)|L1|v0.1.0|✓|MTB draft|
|[Block add capabilities](/docs/operator/mtb/block-add-capabilities)|L1|v0.1.0|✓|---|
|[Require always imagePullPolicy](/docs/operator/mtb/require-always-imagepullpolicy)|L1|v0.1.0|✓|---|
|[Require run as non-root user](/docs/operator/mtb/require-run-as-non-root-user)|L1|v0.1.0|✓|---|
|[Block privileged containers](/docs/operator/mtb/block-privileged-containers)|L1|v0.1.0|✓|---|
|[Block privilege escalation](/docs/operator/mtb/block-privilege-escalation)|L1|v0.1.0|✓|---|
|[Configure namespace resource quotas](/docs/operator/mtb/configure-namespace-resource-quotas)|L1|v0.1.0|✓|---|
|[Block modification of resource quotas](/docs/operator/mtb/block-modification-of-resource-quotas)|L1|v0.1.0|✓|---|
|[Configure namespace object limits](/docs/operator/mtb/configure-namespace-object-limits)|L1|v0.1.0|✓|---|
|[Block use of host path volumes](/docs/operator/mtb/block-use-of-host-path-volumes)|L1|v0.1.0|✓|---|
|[Block use of host networking and ports](/docs/operator/mtb/block-use-of-host-networking-and-ports)|L1|v0.1.0|✓|---|
|[Block use of host PID](/docs/operator/mtb/block-use-of-host-pid)|L1|v0.1.0|✓|---|
|[Block use of host IPC](/docs/operator/mtb/block-use-of-host-ipc)|L1|v0.1.0|✓|---|
|[Block use of NodePort services](/docs/operator/mtb/block-use-of-nodeport-services)|L1|v0.1.0|✓|---|
|[Require PersistentVolumeClaim for storage](/docs/operator/mtb/require-persistentvolumeclaim-for-storage)|L1|v0.1.0|✓|MTB draft|
|[Require PV reclaim policy of delete](/docs/operator/mtb/require-reclaim-policy-of-delete)|L1|v0.1.0|✓|MTB draft|
|[Block use of existing PVs](/docs/operator/mtb/block-use-of-existing-persistent-volumes)|L1|v0.1.0|✓|MTB draft|
|[Block network access across tenant namespaces](/docs/operator/mtb/block-network-access-across-tenant-namespaces)|L1|v0.1.0|✓|MTB draft|
|[Allow self-service management of Network Policies](/docs/operator/mtb/allow-self-service-management-of-network-policies)|L2|v0.1.0|✓|---|
|[Allow self-service management of Roles](/docs/operator/mtb/allow-self-service-management-of-roles)|L2|v0.1.0|✓|MTB draft|
|[Allow self-service management of Role Bindings](/docs/operator/mtb/allow-self-service-management-of-rolebindings)|L2|v0.1.0|✓|MTB draft|
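Review bot: every row reports conformance with `✓`, several carry `MTB draft` in Notes, and the admonition above says the benchmark is not ready for use; the table should state what `✓` was checked against (which MTB revision, and whether a test for it exists in the repository), otherwise the `Capsule Version` column implies a verified result that the page itself disclaims. Minor wording on the first paragraph: `there's no yet a real standard` should read `there is not yet a real standard`, and `appliable` should be `applicable`.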
10 changes: 10 additions & 0 deletions docs/content/operator/overview.md
@@ -0,0 +1,10 @@
# Kubernetes Operator

* [Getting Started](/docs/operator/getting-started)
* [Use Cases](/docs/operator/use-cases/overview)
* [SIG Multi-tenancy benchmark](/docs/operator/mtb/sig-multitenancy-bench)
* [Run on Managed Kubernetes Services](/docs/operator/managed-kubernetes/overview)
* [Monitoring Capsule](/docs/operator/monitoring)
* [References](/docs/operator/references)
* [Contributing](/docs/operator/contributing)

@@ -1,11 +1,11 @@
# Reference

* [Custom Resource Definition](#customer-resource-definition)
* [Capsule Configuration](#capsule-configuration)
* [Capsule Permissions](#capsule-permissions)
* [Admission Controllers](#admission-controller)
* [Command Options](#command-options)
* [Created Resources](#created-resources)
* [Custom Resource Definition](/docs/operator/references/#customer-resource-definition)
* [Capsule Configuration](/docs/operator/references/#capsule-configuration)
* [Capsule Permissions](/docs/operator/references/#capsule-permissions)
* [Admission Controllers](/docs/operator/references/#admission-controller)
* [Command Options](/docs/operator/references/#command-options)
* [Created Resources](/docs/operator/references/#created-resources)

## Custom Resource Definition

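Review bot: the anchors are rewritten to absolute URLs but keep fragment names that do not match their headings: `#customer-resource-definition` points at the heading `Custom Resource Definition` (which slugs to `custom-resource-definition`), and `#admission-controller` points at `Admission Controllers`. Fix the fragments while the lines are being changed, and check how the site slugs headings with the `/docs/operator/references/#...` trailing-slash form.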
Expand Up @@ -49,4 +49,4 @@ silver Active 2 3d13h

# What’s next

See how Bill, the cluster admin, can prevent creating services with specific service types. [Disabling Service Types](./service-type.md).
See how Bill, the cluster admin, can prevent creating services with specific service types. [Disabling Service Types](/docs/operator/use-cases/service-type).
Expand Up @@ -107,4 +107,4 @@ Error from server (Cannot exceed Namespace quota: please, reach out to the syste
The enforcement on the maximum number of namespaces per Tenant is the responsibility of the Capsule controller via its Dynamic Admission Webhook capability.

# What’s next
See how Alice, the tenant owner, can assign different user roles in the tenant. [Assign permissions](./permissions.md).
See how Alice, the tenant owner, can assign different user roles in the tenant. [Assign permissions](/docs/operator/use-cases/permissions).
Expand Up @@ -75,4 +75,4 @@ With the above example, Capsule is leaving the tenant owner to create namespaced
> Take Note: a tenant owner having the admin scope on its namespaces only, does not have the permission to create Custom Resources Definitions (CRDs) because this requires a cluster admin permission level. Only Bill, the cluster admin, can create CRDs. This is a known limitation of any multi-tenancy environment based on a single Kubernetes cluster.

# What’s next
See how Bill, the cluster admin, can set taints on Alice's namespaces. [Taint namespaces](./taint-namespaces.md).
See how Bill, the cluster admin, can set taints on Alice's namespaces. [Taint namespaces](/docs/operator/use-cases/taint-namespaces).
Expand Up @@ -26,4 +26,4 @@ EOF
Doing this, Alice will not be able to use `oil.bigorg.com`, being the tenant-owner of `gas`.

# What’s next
See how Bill, the cluster admin can protect specific labels and annotations on Nodes from modifications by Tenant Owners. [Denying specific user-defined labels or annotations on Nodes](./node-labels-and-annotations.md).
See how Bill, the cluster admin can protect specific labels and annotations on Nodes from modifications by Tenant Owners. [Denying specific user-defined labels or annotations on Nodes](/docs/operator/use-cases/node-labels-and-annotations).
Expand Up @@ -77,4 +77,4 @@ EOF
When a collision is detected at scope defined by `spec.ingressOptions.hostnameCollisionScope`, the creation of the Ingress resource will be rejected by the Validation Webhook enforcing it. When `hostnameCollisionScope=Disabled`, no collision detection is made at all.

# What’s next
See how Bill, the cluster admin, can assign a Storage Class to Alice's tenant. [Assign Storage Classes](./storage-classes.md).
See how Bill, the cluster admin, can assign a Storage Class to Alice's tenant. [Assign Storage Classes](/docs/operator/use-cases/storage-classes).
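Review bot: the unchanged paragraph above says that `hostnameCollisionScope=Disabled` turns collision detection off entirely; a clause spelling out the consequence for cluster admins (a tenant can then create an Ingress for a hostname already claimed by another tenant's Ingress) would make the trade-off of that setting explicit.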
Expand Up @@ -29,4 +29,4 @@ Any attempt of Alice to use a disallowed `imagePullPolicies` value is denied by

# What’s next

See how Bill, the cluster admin, can assign trusted images registries to Alice's tenant. [Assign Trusted Images Registries](./images-registries.md).
See how Bill, the cluster admin, can assign trusted images registries to Alice's tenant. [Assign Trusted Images Registries](/docs/operator/use-cases/images-registries).
Expand Up @@ -31,4 +31,4 @@ A Pod running `internal.registry.foo.tld/capsule:latest` as registry will be all
Any attempt of Alice to use a not allowed `containerRegistries` value is denied by the Validation Webhook enforcing it.

# What’s next
See how Bill, the cluster admin, can assign Pod Security Policies to Alice's tenant. [Assign Pod Security Policies](./pod-security-policies.md).
See how Bill, the cluster admin, can assign Pod Security Policies to Alice's tenant. [Assign Pod Security Policies](/docs/operator/use-cases/pod-security-policies).
Expand Up @@ -49,4 +49,4 @@ EOF
Any attempt of Alice to use a non-valid Ingress Class, or missing it, is denied by the Validation Webhook enforcing it.

# What’s next
See how Bill, the cluster admin, can assign a set of dedicated ingress hostnames to Alice's tenant. [Assign Ingress Hostnames](./ingress-hostnames.md).
See how Bill, the cluster admin, can assign a set of dedicated ingress hostnames to Alice's tenant. [Assign Ingress Hostnames](/docs/operator/use-cases/ingress-hostnames).
Expand Up @@ -50,4 +50,4 @@ EOF
Any attempt of Alice to use a non-valid hostname is denied by the Validation Webhook enforcing it.

# What’s next
See how Bill, the cluster admin, can control the hostname collision in Ingresses. [Control hostname collision in ingresses](./hostname-collision.md).
See how Bill, the cluster admin, can control the hostname collision in Ingresses. [Control hostname collision in ingresses](/docs/operator/use-cases//hostname-collision).
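Review bot: the new link has a doubled slash, `/docs/operator/use-cases//hostname-collision`; depending on the router this either 404s or resolves to a different route than the sibling pages. Use `/docs/operator/use-cases/hostname-collision` to match the other links in this commit.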
Expand Up @@ -91,4 +91,4 @@ EOF

# What’s next

See how Bill, the cluster admin, can cordon all the Namespaces belonging to a Tenant. [Cordoning a Tenant](./cordoning-tenant.md).
See how Bill, the cluster admin, can cordon all the Namespaces belonging to a Tenant. [Cordoning a Tenant](/docs/operator/use-cases/cordoning-tenant).
Expand Up @@ -25,4 +25,4 @@ EOF
```

# What’s next
Let's check it out how to restore Tenants after a Velero Backup. [Velero Backup Restoration](./velero-backup-restoration.md).
Let's check it out how to restore Tenants after a Velero Backup. [Velero Backup Restoration](/docs/operator/use-cases/velero-backup-restoration).
Expand Up @@ -99,4 +99,4 @@ kubectl -n oil-production delete networkpolicy production-network-policy
Any attempt of Alice to delete the tenant network policy defined in the tenant manifest is denied by the Validation Webhook enforcing it.

# What’s next
See how Bill can enforce the Pod containers image pull policy to `Always` to avoid leaking of private images when running on shared nodes. [Enforcing Pod containers image PullPolicy](./images-pullpolicy.md)
See how Bill can enforce the Pod containers image pull policy to `Always` to avoid leaking of private images when running on shared nodes. [Enforcing Pod containers image PullPolicy](/docs/operator/use-cases/images-pullpolicy)
@@ -1,6 +1,6 @@
# Denying specific user-defined labels or annotations on Nodes

When using `capsule` together with [capsule-proxy](https://github.com/clastix/capsule-proxy), Bill can allow Tenant Owners to [modify Nodes](../../proxy/overview.md).
When using `capsule` together with [capsule-proxy](https://github.com/clastix/capsule-proxy), Bill can allow Tenant Owners to [modify Nodes](/docs/proxy/overview).

By default, it will allow tenant owners to add and modify any label or annotation on their nodes.

Expand Up @@ -61,4 +61,4 @@ no
```

# What’s next
See how Bill, the cluster admin, can assign an Ingress Class to Alice's tenant. [Assign Ingress Classes](./ingress-classes.md).
See how Bill, the cluster admin, can assign an Ingress Class to Alice's tenant. [Assign Ingress Classes](/docs/operator/use-cases/ingress-classes).