Dynamic namespace management¶
In Kubernetes, the namespace is the unit for access control and resources control.
DSS can either use a single namespace, multiple static namespaces, or multiple dynamic namespaces. In the latter case, DSS will itself create namespaces dynamically depending on what is requested, which allows for isolation of security and resources.
For example, you may want to:
Create one namespace per user, in order to put limits on what the user can do
Create one namespace per project
Create one namespace per team
DSS leverages variables expansion for this. For example, to have one namespace per user, you can configure DSS to execute in namespace ns-${dssUserLogin}
. If user user1
runs something, DSS will expand this and run in namespace ns-user1
. If this namespace does not exist, DSS can create it on the fly (assuming DSS has been granted sufficient rights)
Namespace policies¶
DSS can automatically apply policies to the dynamic namespaces, notably resource quotas (in order to limit the total amount of computation/memory available to a namespace/user/team/project/…) and limit ranges (in order to set default resource control for computations running in the dynamic namespace).
In order to apply a namespace policy, go to Administration > Settings > Containerized execution, and add a namespace policy. Select a pattern (regular expression) for which namespaces it will apply to, and to which clusters it will apply (including saying if it should apply to the default unmanaged cluster).
Policies are applied each time DSS creates a namespace and can be applied manually by clicking the button.
Policy elements must be YAML representations of Kubernetes quota-level objects, such as ResourceQuota
or LimitRange
.
For more details, please see https://kubernetes.io/docs/concepts/policy/