The Kubernetes Current Blog

Powering Developer Self-Service for Application teams using Workspaces

In a previous blog post, we described how platform teams can leverage Rafay’s Cluster Templates capability to enable a self-service model where application teams can provision clusters on demand. And now, platform teams can configure the necessary restrictions on resource values as part of Cluster Templates to achieve compliance and standardization. This results in a better self-service experience for developers and more control for platform teams.

Challenges with a namespace-based model for sharing clusters

Having dedicated clusters for development teams or single applications translates to increased costs and isn’t necessary in a lot of cases. Namespaces in Kubernetes provide the means to logically divide a cluster into logical partitions or virtual clusters and are typically used to share a cluster between different teams or applications. Each namespace can be configured with its own access control rules and resource quotas. Users assigned to a namespace will have a role level privilege that limits their access only to their namespaces.

This namespace-based model however poses a problem in scenarios where a development team needs an additional namespace, or an application requires an increase in resource allocation to the namespace. The namespace owner would typically need to create a service ticket and wait for operations to implement the necessary changes. This can be a frustrating experience for application teams and sometimes lead to them building Shadow IT environments that not only increases infrastructure costs but also can result in compliance and governance issues.

In this blog post, we will describe how Rafay powers developer self-service with Rafay’s new Workspace capability. This enhancement can:

  • Completely offload lifecycle management of Kubernetes namespaces to Workspace Administrators without having to provide them with excessive cluster-wide privileges
  • Provide a self-service experience for application teams (i.e., they should be able to handle namespace lifecycle management without requiring any form of involvement from Operations personnel)
  • Prevent noisy neighbour issues related to multi-tenancy on shared clusters by allowing the configuration and enforcement of resource quotas for a workspace
  • Reduce the ongoing operational costs eliminating the need for a dedicated cluster per application operating model

Implementing on-demand namespaces with Rafay Workspace

Consider a scenario where two application teams require a Kubernetes cluster for their applications. Their applications are fairly small; therefore the platform team would like them to share a cluster to save operational and management overhead costs. Accomplishing this is very straightforward and involves the following steps:

1. A unique project can be created within Rafay’s platform for each application team and the cluster can be shared between the two projects. A project is a logical isolation boundary that allows customers to compartmentalize infrastructure, user access and resources.

2. Since both applications are sharing the same cluster, you don’t want a situation where an application team can monopolize resources resulting in noisy neighbour issues across workspaces. Rafay allows specification of resource quotas for each project and per namespace as shown below. These quotas will then be enforced on the cluster ensuring that every workspace has to operate within the configured resource quota.


3. You’ll need to assign the role of Workspace Admin to a user on the application team to grant the necessary privileges for creating on-demand namespaces:


4. There are multiple options, including Rafay’s GitOps engine, CLI or the UI, to create on-demand namespaces for application developers. Workspace Administrators are able to create new namespaces without being granted cluster-wide privileges. As an example, they won’t be able to list all namespaces in the cluster.

kubectl create ns teama-qa
namespace/team-qa created
kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:rafay-system:opa-45demouser-64rafay-46co" cannot list resource "namespaces" in API group "" at the cluster scope

5. Workspace Admins have visibility into allocated resources for their project along with current resource utilization. This helps them plan and coordinate with operations in a timely manner in case there is a need for additional resources for their application teams.


Self-Service K8s infrastructure with guardrails

Rafay’s makes it easy for platform teams to enable developer self-service with on-demand namespaces and clusters while still being able to enforce the necessary guardrails. For development teams, this eliminates time-consuming ticket-driven requests and enables them to be more productive. With Rafay’s Kubernetes Operations Platform, it is extremely simple to enable this self-service model at scale, across many clusters and teams. To learn more about Rafay’s workspace feature, watch our demo here.

Want to try this yourself? Sign up for a free trial of the Kubernetes Operations Platform today.


Trusted by leading companies