Create Workspaces, Projects, Users and Roles
This quickstart demonstrates how to create workspaces, roles and users which are required for other tutorials. Meanwhile, you will learn how to create projects and DevOps projects within your workspace where your workloads are running. After reading this tutorial, you will become familiar with the multi-tenant management system of KubeSphere.
Prerequisites
KubeSphere needs to be installed on your machine.
Architecture
The multi-tenant system of KubeSphere features three levels of hierarchical structure which are cluster, workspace, and project. A project in KubeSphere is a Kubernetes namespace.
You are required to create a new workspace to work with instead of using the system workspace, where system resources run and most of them are view-only. In addition, for security reasons, it is strongly recommended that different tenants work with corresponding roles in a workspace.
You can create multiple workspaces within a KubeSphere cluster. Under each workspace, you can also create multiple projects. Each level has multiple built-in roles. Besides, KubeSphere allows you to create roles with customized authorization as well. The KubeSphere hierarchy is applicable for enterprise users with different teams or groups, and different roles within each team.
Hands-on Lab
Step 1: Create a user
After KubeSphere is installed, you need to add different users with varied roles to the platform so that they can work at different levels on various resources. Initially, you only have one default user, which is admin, granted the role platform-admin. In the first step, you create a sample user user-manager and further create more users as user-manager.
- Log in to the web console as admin with the default user and password (admin/P@88w0rd).
  Tip
  For account security, it is highly recommended that you change your password the first time you log in to the console. To change your password, select User Settings in the drop-down list in the upper-right corner. In Password Settings, set a new password. You can also change the console language in User Settings.
- Click Platform in the upper-left corner, and then select Access Control. In the left navigation pane, select Platform Roles. There are four built-in roles, as shown in the following table.

  | Built-in Roles | Description |
  | --- | --- |
  | workspaces-manager | Workspace manager who can manage all workspaces on the platform. |
  | users-manager | User manager who can manage all users on the platform. |
  | platform-regular | Regular user who has no access to any resources before joining a workspace or cluster. |
  | platform-admin | Administrator who can manage all resources on the platform. |

  Note
  Built-in roles are created automatically by KubeSphere and cannot be edited or deleted.
- In Users, click Create. In the displayed dialog box, provide all the necessary information (marked with *) and select users-manager for Platform Role. Click OK after you finish. The new user will display on the Users page.
- Log out of the console and log back in with user user-manager to create four users that will be used in other tutorials.
  Tip
  - To log out, click your username in the upper-right corner and select Log Out.
  - The following usernames are for example only. You can change them as needed.

  | User | Assigned Platform Role | User Permissions |
  | --- | --- | --- |
  | ws-manager | workspaces-manager | Create and manage all workspaces. |
  | ws-admin | platform-regular | Manage all resources in a workspace after being invited to the workspace (This user is used to invite new members to a workspace in this example). |
  | project-admin | platform-regular | Create and manage projects and DevOps projects, and invite new members to the projects. |
  | project-regular | platform-regular | project-regular will be invited to a project or DevOps project by project-admin. This user will be used to create workloads, pipelines and other resources in a specified project. |

- On the Users page, verify the four users created.
Step 2: Create a workspace
In this step, you create a workspace using user ws-manager created in the previous step. As the basic logic unit for the management of projects, DevOps projects and organization members, workspaces underpin the multi-tenant system of KubeSphere.
- Log in to KubeSphere as ws-manager. Click Platform in the upper-left corner and select Access Control. In Workspaces, you can see there is only one default workspace system-workspace, where system-related components and services run. Deleting this workspace is not allowed.
- Click Create on the right, set a name for the new workspace (for example, demo-workspace) and set user ws-admin as the workspace manager. Click Create after you finish.
  Note
  If you have enabled the multi-cluster feature, you need to assign an available cluster (or multiple clusters) to the workspace so that projects can be created on the cluster(s) later.
- Log out of the console and log back in as ws-admin. In Workspace Settings, select Workspace Members and click Invite.
- Invite both project-admin and project-regular to the workspace. Assign them the role workspace-self-provisioner and workspace-viewer respectively and click OK.
  Note
  The actual role name follows a naming convention: <workspace name>-<role name>. For example, in this workspace named demo-workspace, the actual role name of the role viewer is demo-workspace-viewer.
- After you add both project-admin and project-regular to the workspace, click OK. In Workspace Members, you can see three members listed.

  | User | Assigned Workspace Role | Role Permissions |
  | --- | --- | --- |
  | ws-admin | demo-workspace-admin | Manage all resources under the workspace (use this user to invite new members to the workspace). |
  | project-admin | demo-workspace-self-provisioner | Create and manage projects and DevOps projects, and invite new members to join the projects. |
  | project-regular | demo-workspace-viewer | project-regular will be invited by project-admin to join a project or DevOps project. The user can be used to create workloads, pipelines, etc. |

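The role naming convention and the workspace member assignments in this step lend themselves to a least-privilege check. The following is an added example, not KubeSphere code: it resolves each actual role name against its workspace and flags members who hold more than this tutorial intends. The member map format, the sample data, the account name contractor and the ordering viewer < self-provisioner < admin are assumptions made for the illustration.

```python
# Added example, not KubeSphere code. The member map format, the sample data
# and the privilege ordering below are assumptions for illustration.
ROLE_RANK = {"viewer": 0, "self-provisioner": 1, "admin": 2}

# Intended roles, from the Workspace Members table of this tutorial.
PLAN = {"ws-admin": "admin", "project-admin": "self-provisioner",
        "project-regular": "viewer"}
# Constructed sample: project-regular holds too much, and "contractor"
# (hypothetical account) carries a role that belongs to another workspace.
SAMPLE = {"ws-admin": "demo-workspace-admin",
          "project-admin": "demo-workspace-self-provisioner",
          "project-regular": "demo-workspace-admin",
          "contractor": "demo-admin"}


def split_role(workspace, actual_role):
    """Return <role name> from '<workspace name>-<role name>'.

    Both parts may contain hyphens, so the split is anchored on the known
    workspace name instead of on the first or last '-'.
    """
    prefix = workspace + "-"
    if not actual_role.startswith(prefix):
        raise ValueError(f"{actual_role} is not a role of {workspace}")
    role = actual_role[len(prefix):]
    if role not in ROLE_RANK:
        raise ValueError(f"unknown workspace role: {role}")
    return role


def audit(workspace, members, plan):
    """Return (user, finding, detail) for invalid, unplanned or excess roles."""
    findings = []
    for user, actual_role in sorted(members.items()):
        try:
            role = split_role(workspace, actual_role)
        except ValueError as exc:
            findings.append((user, "invalid-role", str(exc)))
            continue
        if user not in plan:
            findings.append((user, "unplanned-member", role))
        elif ROLE_RANK[role] > ROLE_RANK[plan[user]]:
            findings.append((user, "over-privileged", f"{role} > {plan[user]}"))
    return findings


if __name__ == "__main__":
    for finding in audit("demo-workspace", SAMPLE, PLAN):
        print(finding)
```

Anchoring the split on the workspace name matters once a cluster has workspaces such as demo and demo-workspace side by side: a naive split on the first hyphen would attribute demo-workspace-admin to the wrong tenant.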
Step 3: Create a project
In this step, you create a project using user project-admin created in the previous step. A project in KubeSphere is the same as a namespace in Kubernetes, which provides virtual isolation for resources. For more information, see Namespaces.
- Log in to KubeSphere as project-admin. In Projects, click Create.
- Enter the project name (for example, demo-project) and click OK. You can also add an alias and description for the project.
- In Projects, click the project created just now to view its detailed information.
- On the Overview page of the project, the project quota remains unset by default. You can click Edit Quotas and specify resource requests and limits as needed (for example, 1 core for CPU and 1000Gi for memory).
- Invite project-regular to this project and grant this user role operator.
  Info
  The user granted role operator is a project maintainer who can manage resources other than users and roles in the project.
- Before creating a Route, which is an Ingress in Kubernetes, you need to enable a gateway for this project. The gateway is an NGINX Ingress controller running in the project. To set a gateway, go to Gateway Settings in Project Settings and click Enable Gateway. User project-admin is still used in this step.
- Select the access method NodePort and click OK.
- Under Project Gateway, you can obtain the Gateway Address and the NodePort of http and https in the list.
  Note
  If you want to expose services using the type LoadBalancer, you need to use the LoadBalancer plugin of cloud providers. If your Kubernetes cluster is running in a bare metal environment, it is recommended that you use OpenELB as the LoadBalancer plugin.
Step 4: Create a role
After you finish the above steps, you know that users can be granted different roles at different levels. The roles used in previous steps are all built-in ones created by KubeSphere. In this step, you will learn how to define a customized role to meet the needs in your work.
- Log in to the KubeSphere web console as admin again and go to Access Control.
- Click Platform Roles on the left navigation pane, and then click Create on the right.
  Note
  The preset roles on the Platform Roles page cannot be edited or deleted.
- In the Create Platform Role dialog box, set the name (for example, clusters-admin), alias, and description of the role, and click Edit Permissions.
  Note
  This example demonstrates how to create a role responsible for cluster management.
- In the Edit Permissions dialog box, set the role permissions (for example, select Cluster Management) and click OK.
  Note
  - In this example, the role clusters-admin contains the permissions Cluster Management and Cluster Viewing.
  - Some permissions are interdependent. The dependency is specified by the Depends on field under each permission.
  - When a permission is selected, the permission it depends on is automatically selected.
  - To deselect a permission, you need to deselect its subordinate permissions first.
- On the Platform Roles page, you can click the name of the created role to view the role details and click to edit the role, edit the role permissions, or delete the role.
- On the Users page, you can assign the role to a user when you create a user or edit an existing user.
Step 5: Create a DevOps project (Optional)
Note
- Log in to the console as project-admin. In DevOps Projects, click Create.
- Enter the DevOps project name (for example, demo-devops) and click OK. You can also add an alias and description for the project.
- In DevOps Projects, click the project created just now to view its detailed information.
- Go to Project Management and select Project Members. Click Invite to invite user project-regular and grant the role operator, who is allowed to create pipelines and credentials.
You are now familiar with the multi-tenant management system of KubeSphere. In other tutorials, user project-regular will also be used to demonstrate how to create applications and resources in a project or DevOps project.