You can use the vSphere Automation APIs to create namespaces on a Supervisor and configure them with resource limits and permissions for the DevOps users.

To create and configure a namespace, use the Instances service from the namespaces package. You can configure the access control to the objects in a namespace by using the Access service.

Create a vSphere Namespace

You can use the vSphere with Tanzu automation APIs to create namespaces on a Supervisor. You can set resource quotas, storage, as well as permissions for the DevOps users.

Prerequisites

  • Enable vSphere with Tanzu on a vSphere cluster.

  • Create users and groups for the DevOps engineers who will use the namespace. For more information about how to create users and groups through the Web Services APIs, see the vSphere Web Services SDK Programming Guide.

  • Create storage policies for persistent storage used by the vSphere Pods and the pods inside a Tanzu Kubernetes cluster.

  • Create VM Classes and content libraries for DevOps provisioned VMs. See Create a VM Class in vSphere with Tanzu and Creating and Managing Content Libraries for VM Provisioning in vSphere with Tanzu.

  • Required privileges on the Supervisor:
    • Namespaces.Modify cluster-wide configuration
    • Namespaces.Modify namespace configuration
    • Virtual Machine Classes.Manage Virtual Machine Classes

Procedure

  1. Retrieve the Supervisor ID by filtering the clusters available in the vCenter Server system.

    Call the list method of the Clusters service from the com.vmware.vcenter.namespace_management package and retrieve the ID of the cluster on which you want to create a namespace from the returned cluster summary objects.

  2. Retrieve the ID of the storage policy that you configured for placement of the persistent volumes from vSphere Pods and Tanzu Kubernetes clusters.
  3. Configure the access control to the objects in the namespace.

    Create an instance of the com.vmware.vcenter.namespaces.InstancesTypes.Access class and specify the following access information:

    Parameter Description
    setDomain(domain) Set the domain name of the vCenter Server system on which the namespace is created.
    setSubjectType(subjectType) Set the type of the user accounts that are associated with the specific role for the namespace. You must select between the USER and GROUP options.
    setSubject(subject) Set the name of the user or group that have permissions to access the namespace objects.
    setRole(role) Set the role that is associated with the predefined set of privileges that you want to grant the specific user or group. You can select between the EDIT, VIEW and OWNER roles.

    The owner role is introduced in vSphere 7.0 Update 2a. When a DevOps engineer creates a namespace in a self-service manner, the Namespace Self-Service grants the owner role to the namespace creator. See Self-Service Namespace Management.

  4. Create a CreateSpec instance that holds the namespaces specification.

    The namespace specification can contain the following information:

    Parameter Description
    setCluster(cluster) Set the ID of the Supervisor on which the namespace is created.
    setNamespace(namespace) Set a name of the namespace following the DNS label standard defined in RFC 1123. The name must be unique across all namespaces in the current vCenter Server system.
    setNetworks(java.util.List<java.lang.String> networks) Optional. You can set the workload networks used by the vSphere Namespace. Pass null as a value of this parameter, if the Supervisor is configured to use NSX as networking solution. The workload networking support for such namespaces is provisioned by NSX.

    If the Supervisor uses the vSphere networking stack, pass the workload network to be associated with the namespace. If you pass null as a value of this parameter, the vSphere Namespaces on the cluster are automatically associated with the cluster primary workload network. See Configuring the vSphere Networking Stack for vSphere with Tanzu.

    setDescription(description) Optional. You can set a description of the namespace.
    setAccessList(accessList) Optional. You can set the access control that is associated with the namespace in Step 3.
    setStorageSpecs(storageSpecs) Optional. You can set the amount of storage dedicated to each storage policy associated with the namespace and the maximum amount of storage that is used by the namespace. Use the StorageSpec specification to configure the storage quotas on the namespace.
    setResourceSpec(resourceSpec) Optional. You can set resource limitations to the namespace. You can limit the CPU, memory, the maximum number of pods that can exist on the namespace, and so on.
    setCreator(InstancesTypes.Principal creator) Optional. The Namespace Self-Service populates this parameter with information about the DevOps user who created the namespace with cubectl. The user name and domain of the namespace creator are stored with this parameter.
    setVmServiceSpec(InstancesTypes.VMServiceSpec vmServiceSpec) Optional. The VM Service specification for the Dev-Ops provisioned virtual machines.
  5. Create a namespace object on the Supervisor by using the namespace create specification.

What to do next

Share the namespace with DevOps engineers and provide them with the user or group configured for accessing the namespace.

Java Example of Creating a vSphere Namespace

This example creates a vSphere Namespace on a Supervisor.

The following code snippet is part of the CreateNameSpace.java sample. Some parts of the original code sample are omitted to save space. You can view the complete and up-to-date version of this sample in the vsphere-automation-sdk-java VMware repository at GitHub.

		(...)
    @Override
    protected void run() throws Exception {
    	
    	InstancesTypes.CreateSpec spec =new InstancesTypes.CreateSpec();
    	spec.setCluster(this.clusterId);
    	spec.setDescription("My first namespace, WOW");
    	spec.setNamespace(this.namespaceName);
    	InstancesTypes.StorageSpec storageSpec=new InstancesTypes.StorageSpec();
    	storageSpec.setLimit(Long.valueOf(this.storageLimit).longValue());
    	storageSpec.setPolicy(this.storagePolicyId);
    	List<InstancesTypes.StorageSpec> storageSpecs = new ArrayList<InstancesTypes.StorageSpec>();
    	storageSpecs.add(storageSpec);
    	spec.setStorageSpecs(storageSpecs);
    	InstancesTypes.Access accessList= new InstancesTypes.Access();
    	accessList.setDomain(this.domainName); 
    	if(this.roleName.equalsIgnoreCase("EDIT")) {
    	accessList.setRole(AccessTypes.Role.EDIT);
    	} else{
    		accessList.setRole(AccessTypes.Role.VIEW);
    	}
    	accessList.setSubject( this.subjectName); //Default is Administrator
    	if(this.subjectType.equalsIgnoreCase("USER")) {
    		accessList.setSubjectType( AccessTypes.SubjectType.USER);
    	} else{
    		accessList.setSubjectType( AccessTypes.SubjectType.GROUP);
    	}
    	
    	List<InstancesTypes.Access> accessLists = new ArrayList<InstancesTypes.Access>();
    	accessLists.add(accessList);
    	spec.setAccessList(accessLists);
    	this.namespaceService.create(spec);
    	System.out.println("Invocation is successful for creating supervisor namespace, check H5C or call GET API to get status");
    	
       
    }
		(...)

Updating the Namespace Configuration

You can change the whole namespace configuration or only some of the namespace settings.

To change the configuration of an existing namespace, you must have the Namespaces.Configure privilege on the Supervisor.

Note:

Before deleting a storage policy from vCenter Server or a vSphere Namespace, or changing the storage policy assignment, make sure that no persistent volume claim with the corresponding storage class runs in the namespace. Also, ensure that no Tanzu Kubernetes cluster is using the storage class.

To patch a namespace configuration, create an UpdateSpec specification and set new values only to the configuration settings that you want to change. The parameters of the update specification are the same as the ones you configured during the namespace creation. When you call the update operation, only the settings that you configured in the update specification are applied, the other settings are left as they are.

To reconfigure a namespace entirely, you must create an instance of the SetSpec class. You can change the description, access controls, storage settings, and resource limitations of the specific namespace.

Configuring the Access to a Namespace

You can use the vSphere with Tanzu APIs to grant access permissions to DevOps engineers on the vSphere Namespaces.

Use the Access service to retrieve information about the access control of the DevOps engineers on a specific namespace. You can also set up or remove an access control for a specific user or group on a specific namespace, and add another access control on the namespace. You set up each access control to allow a user or group to access a namespace in a specific vCenter Server system. You can grant access to a DevOps engineer to more than one namespace.

You must have the Namespaces.Configure. privilege to grant permissions to a user. You assign the view and edit access role on the namespace for the user or group.

Starting with vSphere 7.0 Update 2а, you can also assign the owner role to a DevOps engineer. These roles allow the user to deploy workloads, share the namespace with other DevOps engineers, and delete it when it is no longer needed.

Self-Service Namespace Management

You can use the vSphere with Tanzu automation APIs to create a vSphere Namespace with specific resource quotas, set permissions, and assign storage policies. DevOps engineers can then use the namespace as a template for self-provisioning namespaces on the cluster.

Starting with vSphere 7.0 Update 2a, the Namespace Self-Service feature is available in vSphere with Tanzu. The service enables Kubernetes users to create vSphere Namespaces from templates configured through the automation APIs or vSphere Client. To activate the Namespace Self-Service on a cluster, use one of the following options:
  • Create a self-service namespace template and then activate the Namespace Self-Service on the cluster.
  • Create or update a self-service namespace template simultaneously with activating the Namespace Self-Service on the cluster.

Currently, only one namespace self-service template is allowed per vSphere Namespace. After a DevOps engineer creates a namespace from the template, the namespace can also be deleted through kubectl. You can verify whether a namespace is created from a template by retrieving the value of the getSelfServiceNamespace() flag of the com.vmware.vcenter.namespaces.InstancesTypes.Info object that you receive when you call the get(String namespace) method of the Instances interface.

To create a template for a self-service namespace, call the create(String cluster, NamespaceTemplatesTypes.CreateSpec spec) method of the NamespaceTemplates interface. You use as parameters the cluster ID and the namespace template create specification.

You define the following configuration settings and resource limitations of the template:
Parameter Description
setTemplate(String template) The identifier of the namespace template must be a unique name across all clusters on the vCenter Server instance. The name must be compliant with DNS.
setResourceSpec(Structure resourceSpec) The resource quotas, such as CPU and memory, that are reserved for the namespace on the vCenter Server instance. The CPU limit is set in MHz and the minimum value is 10 MHz. The memory and the storage limits are set in MiB. For more options to configure resource limits for the namespace, see the ResourceQuotaOptionsV1 class in the API Reference documentation.
setStorageSpecs(List<InstancesTypes.StorageSpec> storageSpecs) The amount of storage in MiB utilized for each storage policy that you associate with the namespace. You must specify at least one policy.
setNetworks(List<java.lang.String> networks) Optional. The networks associated with the namespace. Currently, you can set only one network for the namespace. Pass null as argument if the Supervisor is configured with NSX-T Data Center support. If you pass null for a namespace template on a cluster configured with a vSphere networking stack, the namespace is automatically associated with the Supervisor management workload network.
setPermissions(List<NamespaceTemplatesTypes.Subject> permissions) Optional. The permissions that allow DevOps engineers to use the template to self-provision namespaces through kubectl. If set to null, only users with the Administrator role can use the template.

Once you have the template created, you can activate the Namespace Self-Service on the cluster by calling the activate(java.lang.String cluster) method of the NamespaceSelfService interface. If you want to restrict DevOps users to use the namespace template on a cluster, you can deactivate the Namespace Self-Service feature. Then users are able to delete only the namespaces already created from the template.

You can activate the Namespace Self-Service on the cluster after configuring the namespace template by using the NamespaceSelfService service. You call the activateWithTemplate(java.lang.String cluster, NamespaceSelfServiceTypes.ActivateTemplateSpec spec) method of the NamespaceSelfService interface. Depending on the availability of a template on the cluster, this method either creates a namespace template or activates the deactivated service and at the same time updates the existing template.