7.0 KiB
| title | weight |
|---|---|
| 快速开始引导 | 1 |
Objective
In this quickstart, as a cluster admin, you will learn how to create workspaces, roles and user accounts, and then invite new users into the workspace to create their projects and DevOps projects. This tutorial is used to help beginners to become familiar with multi-tenant management.
Prerequisites
- You need to install KubeSphere.
- You need a default admin account.
Hands-on Lab
Generally, the hierarchy relationship of Cluster, Workspace, Project and DevOps Project showing as the following graph, and there are common built-in roles existed in these orgnizations within each level.
Cluster Admin
The role of cluster-admin is able to create accounts for other users and assign roles to them. There are three common roles in cluster level, it also supports customizing new roles.
| Built-in Roles | Responsibility |
|---|---|
| cluster-admin | Have the highest privileges for the cluster, can manage any resources |
| workspaces-manager | The workspace managers, can manage all of the resources, e.g. projects, DevOps projects, members and roles |
| cluster-regular | The regular users in the cluster, they are not authorized until they have been invited to the workspace |
Step 1: Create roles and accounts
First, we will create a new role (user-manager), grants account management and role management authority to this role, then we will create an account and grant the user-manager role to this account.
| Account Name | Cluster Role | Responsibility |
|---|---|---|
| user-manager | user-manager | Manage cluster accounts and roles |
1.1 To get started, login KubeSphere with the admin account, click Platform and then navigate to Platform Roles page, click Create to create a role which is used to manage all accounts and roles.
1.2. Fill in the basic information and authority settings of the role, e.g. Name : user-manager.
1.3. Check all the boxes for both Account Management and Role Management, then click Create.
1.4. Click Platform, then navigate to Accounts page and click Create to create an account.
1.5. Fill in the basic information, notice that select user-manger as its role.
1.6. Log out and Sign in with the user-manager account, then navigate to Account and create 4 accounts according to the following table. Please reference the above steps to create these 4 accounts.
| Account Name | Cluster Role | Responsibility |
|---|---|---|
| ws-manager | workspaces-manager | Create and manage all workspaces |
| ws-admin | cluster-regular | Manage all resources under the specified workspace (This example is used to invite new members to join the workspace.) |
| project-admin | cluster-regular | Create and manage projects, DevOps projects, invite new members |
| project-regular | cluster-regular | The regular user will be invited to the project and DevOps project by the project-admin, we use this account to create workloads, pipelines and other resources under the specified project |
1.7. Verify the 4 accounts that we created in step 1.6.
Workspace Admin
Step 2: Create a Workspace
Workspace is the base of implementing the multi-tenant mechanism, it's also the base unit for projects and DevOps projects managment.
2.1. Sign in with ws-manager that we created in Step 1, then click Workspace and click Create Workspace, name it as demo-workspace and appoint ws-admin as Workspace Manager, who has the highest administrative authority of the workspace.
2.2. Logout and sign in with ws-admin after demo-workspace has been created. Then click View Workspace, select Worksapce Management → Members Management and click Invite Member.
2.3. Invite both project-admin and project-regular and grant them workspace-regular accordingly, click OK to save it. Now there are 3 members in the demo-workspace.
| User Name | Role in the Workspace | Responsibility |
|---|---|---|
| ws-admin | workspace-admin | Manage all resources under the workspace (We use this account to invite new members into the workspace) |
| project-admin | workspace-regular | Create and manage projects, DevOps projects, and invite new members to join |
| project-regular | workspace-viewer | Will be invited by project-admin to join the project and DevOps project. we use this account to create workloads, pipelines, etc |
Project Admin and DevOps Admin
Step 3: Create a Project
3.1. Sign in with project-admin that we created in Step 1, then click Create and select Create a resource project.
3.2. Name it as demo-project and keep the advanced settings as the default values, then click Create.
3.3. Choosing Project Settings → Project Members and click Invite Member.
3.4. Invite project-regular to this project and grant this user operator accordingly.
Step 4: Set the Gateway
Before creating a route, you need to enable a gateway for this project.
4.1. We still use project-admin, Choose Project Settings → Internet Access and click Set Gateway.
4.2. Keep the access method as NodePort and click Save.
4.3. Now we are able to see the Gateway Address (192.168.0.88), the NodePort of http and https respectively.
Step 5: Create DevOps Project
5.1. In this step, click Projects and click Create Project button, then select Create a DevOps project.
5.2. Fill in the basic information, e.g. demo-devops, then click Create button, it will jump to demo-devops page.
5.3. Similarly, navigate to Project Management → Project Members, then click Invite Member and grant project-regular as the role of maintainer, which is used to create pipeline, credentials, etc.
Next Step
Tutorial 2 - Expose your App: Create a Service and Ingress.