Reconciliation
It is possible that certain namespaces were created prior to the cluster being imported into the controller. There are also scenarios where namespaces have to be created outside of the controller (out-of-band). For both cases, it is possible to sync back namespaces to the controller so that lifecycle for these namespaces can be managed in the same manner as the ones that were created from within the controller.
Namespace Sync (Console)¶
'Namespace sync' can be enabled through a setting in Blueprint configuration. It is disabled by default.
To enable Namespace Sync,
- Navigate to Blueprints
- Create a new blueprint or a new version of an existing blueprint
- Under Namespace Configuration, select Enable Namespace Sync
- Click Save Changes
Post blueprint sync completion, any pre-existing namespaces (that were created outside of the controller) or new namespaces created out of band are instantaneously synced back to the controller and automatically published with "Ready" status.
If the Namespace sync feature is disabled later, any new namespaces created out-of-band beyond that point are not synced back to the controller.
Important
Certain namespaces are not synced when this feature is enabled. Examples includes "default", "kube-system", "kube-public", "kube-node-lease", "rafay-system" and "rafay-infra".
Namespace Sync (RCTL CLI)¶
You can alternatively enable namespace sync by using the declarative blueprint spec YAML. For more information on automation via RCTL CLI, refer here
apiVersion: infra.k8smgmt.io/v3
kind: Blueprint
metadata:
name: demo-blueprint
project: defaultproject
spec:
base:
name: default
version: 1.18.0
defaultAddons:
csiSecretStoreConfig:
providers: {}
enableIngress: false
enableLogging: false
enableMonitoring: true
enableVM: false
drift:
action: Deny
enabled: true
sharing:
enabled: false
version: v1
namespaceConfig:
enableSync: true
Syncing a namespace to a specific project¶
If a cluster is shared between projects and the namespace that is created out-of-band needs to be synced to a specific project, you can do so by configuring the k8smgmt.io/project label with the project name within the namespace spec.
Scenarios with namespace sync feature enabled¶
| Scenario | Expected Behavior |
|---|---|
| Cluster is imported to the cluster with pre-existing namespaces | Namespaces are synced to the controller instantaneously |
| Namespace is created out-of-band | Namespace is synced to the controller instantaneously |
| Namespace is created out-of-band without the k8smgmt.io/project label and the cluster is shared between multiple projects | Namespace is synced to the project where the cluster was initially provisioned or imported into |
| Namespace is created out-of-band with the k8smgmt.io/project label (with project name as the value) and the cluster is part of the project | Namespace is synced to the project specified in the label and automatically published with "Ready" status |
| Namespace is created out-of-band with the k8smgmt.io/project label (with project name as the value) and the cluster is not part of the project | Namespace is synced to the project specified in the label with status as 'No Clusters' |
| Namespace is created out-of-band and does not have resource quotas configured | Namespace is synced to the controller and any resource quotas configured as part of Project Settings are enforced |
| Namespace is created out-of-band and has resource quotas configured | Namespace is synced to the controller and any resource quotas configured as part of Project Settings are enforced |
| Namespace pre-exists and has resource quotas configured | Namespace is synced to the controller and any resource quotas configured as part of Project Settings are enforced |
| Namespace pre-exists and resource utilization exceeds quotas configured as part of Project Settings | New resource creation is blocked if it exceeds the enforced quota |
| Changes are made to the Namespace out-of-band | Is prevented |
| Namespace is deleted out-of-band | Is prevented |
| Namespace is deleted from the controller | Namespace is deleted from both the controller and the clusters |
Project Label for Namespace¶
For scenarios where a cluster is "shared" across multiple projects and users create namespaces on the shared cluster out of band of the platform using Kubectl, it can become impossible to determine which project this namespace needs to be assigned to.
Creating a namespace via kubectl using the "zero trust kubectl kubeconfig" will automatically inject the cluster’s project information as a project-label allowing for automatic assignment to the appropriate project.
- Select the required cluster and click KUBECTL
- Run the command
create ns <namespace_name>and this creates a namespace - Check the cluster resources page to view the project-labels. An illustrative example is given below
