rancher
/
fleet-docs
mirror of https://github.com/rancher/fleet-docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
fleet-docs/namespaces.html

77 lines
42 KiB
HTML
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-namespaces" data-has-hydrated="false">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.3">
<title data-rh="true">Namespaces | Fleet</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://fleet.rancher.io/namespaces"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Namespaces | Fleet"><meta data-rh="true" name="description" content="Workload Namespaces"><meta data-rh="true" property="og:description" content="Workload Namespaces"><link data-rh="true" rel="icon" href="/img/favicon.ico"><link data-rh="true" rel="canonical" href="https://fleet.rancher.io/namespaces"><link data-rh="true" rel="alternate" href="https://fleet.rancher.io/namespaces" hreflang="en"><link data-rh="true" rel="alternate" href="https://fleet.rancher.io/namespaces" hreflang="x-default"><link data-rh="true" rel="preconnect" href="https://5YEVIM7OXD-dsn.algolia.net" crossorigin="anonymous"><link rel="search" type="application/opensearchdescription+xml" title="Fleet" href="/opensearch.xml"><link rel="stylesheet" href="/assets/css/styles.ff6ab72e.css">
<link rel="preload" href="/assets/js/runtime~main.b74b6382.js" as="script">
<link rel="preload" href="/assets/js/main.88b5c325.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><div class="navbar__logo"><img src="/img/logo.svg" alt="logo" class="themedImage_ToTc themedImage--light_HNdA"><img src="/img/logo.svg" alt="logo" class="themedImage_ToTc themedImage--dark_i4oU"></div><b class="navbar__title text--truncate">Fleet</b></a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" aria-haspopup="true" aria-expanded="false" role="button" href="/">Next 🚧</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/namespaces">Next 🚧</a></li><li><a class="dropdown__link" href="/0.10/namespaces">0.10</a></li><li><a class="dropdown__link" href="/0.9/namespaces">0.9</a></li><li><a class="dropdown__link" href="/0.8/namespaces">0.8</a></li><li><a class="dropdown__link" href="/0.7/namespaces">0.7</a></li><li><a class="dropdown__link" href="/0.6/namespaces">0.6</a></li><li><a class="dropdown__link" href="/0.5/namespaces">0.5</a></li><li><a class="dropdown__link" href="/0.4/namespaces">0.4</a></li></ul></div><a aria-current="page" class="navbar__item navbar__link navbar__docs navbar__link--active" href="/">Docs</a><a href="https://github.com/rancher/fleet" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link navbar__github btn btn-secondary icon-github">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a><a href="https://rancher-users.slack.com/channels/fleet" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link header-slack-link" aria-label="Slack Channel"></a><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">More from SUSE</a><ul class="dropdown__menu"><li><a href="https://www.rancher.com" target="_blank" rel="noopener noreferrer" class="dropdown__link navbar__icon navbar__rancher">Rancher<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><hr style="margin: 0.3rem 0;"></li><li><a href="https://elemental.docs.rancher.com/" target="_blank" rel="noopener noreferrer" class="dropdown__link navbar__icon navbar__elemental">Elemental<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://harvesterhci.io" target="_blank" rel="noopener noreferrer" class="dropdown__link navbar__icon navbar__harvester">Harvester<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://rancherdesktop.io" target="_blank" rel="noopener noreferrer" class="dropdown__link navbar__icon navbar__rd">Rancher Desktop<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><hr style="margin: 0.3rem 0;"></li><li><a href="https://opensource.suse.com" target="_blank" rel="noopener noreferrer" class="dropdown__link navbar__icon navbar__suse">More Projects...<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><div class="searchBox_ZlJk"><button type="button" class="DocSearch DocSearch-Button" aria-label="Search"><span class="DocSearch-Button-Container"><svg width="20" height="20" class="DocSearch-Search-Icon" viewBox="0 0 20 20" aria-hidden="true"><path d="M14.386 14.386l4.0877 4.0877-4.0877-4.0877c-2.9418 2.9419-7.7115 2.9419-10.6533 0-2.9419-2.9418-2.9419-7.7115 0-10.6533 2.9418-2.9419 7.7115-2.9419 10.6533 0 2.9419 2.9418 2.9419 7.7115 0 10.6533z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg><span class="DocSearch-Button-Placeholder">Search</span></span><span class="DocSearch-Button-Keys"></span></button></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/">Overview</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="true" href="/quickstart">Tutorials</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/quickstart">Quick Start</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/tut-deployment">Creating a Deployment</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/uninstall">Uninstall</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" href="/architecture">Explanations</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/architecture">Architecture</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/concepts">Core Concepts</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-bundle-stages">Bundle Lifecycle</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/gitrepo-content">Git Repository Contents</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/namespaces">Namespaces</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/resources-during-deployment">Custom Resources During Deployment</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="true" href="/installation">How-tos for Operators</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/installation">Installation Details</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/cluster-registration">Register Downstream Clusters</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/cluster-group">Create Cluster Groups</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/multi-user">Setup Multi User</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="true" href="/gitrepo-add">How-tos for Users</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/gitrepo-add">Create a GitRepo Resource</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/gitrepo-targets">Mapping to Downstream Clusters</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/bundle-diffs">Generating Diffs to Ignore Modified GitRepos</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/webhook">Using Webhooks Instead of Polling</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/imagescan">Using Image Scan to Update Container Image References</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/bundle-add">Create a Bundle Resource</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="true" href="/cli/fleet-agent">Reference</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/cli/fleet-agent">CLI</a></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-status-fields">Status Fields</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-registration">Cluster Registration Internals</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-configuration">Configuration</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-resources">List of Deployed Resources</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-crds">Custom Resources Spec</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-fleet-yaml">fleet.yaml</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-gitrepo">GitRepo Resource</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/ref-bundle">Bundle Resource</a></li></ul></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/troubleshooting">Troubleshooting</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/changelogs/changelogs/next">Changelog</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="true" href="/enableexperimental">Experimental Features</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/enableexperimental">How to enable experimental features</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oci-storage">OCI Storage</a></li></ul></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li class="breadcrumbs__item"><span class="breadcrumbs__link">Explanations</span><meta itemprop="position" content="1"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">Namespaces</span><meta itemprop="position" content="2"></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: Next 🚧</span><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><h1>Namespaces</h1><h2 class="anchor anchorWithStickyNavbar_LWe7" id="workload-namespaces">Workload Namespaces<a href="#workload-namespaces" class="hash-link" aria-label="Direct link to Workload Namespaces" title="Direct link to Workload Namespaces"></a></h2><h3 class="anchor anchorWithStickyNavbar_LWe7" id="namespace-creation-behavior-in-bundles">Namespace Creation Behavior in Bundles<a href="#namespace-creation-behavior-in-bundles" class="hash-link" aria-label="Direct link to Namespace Creation Behavior in Bundles" title="Direct link to Namespace Creation Behavior in Bundles"></a></h3><p>When deploying a Fleet bundle, the specified namespace will automatically be
created if it does not already exist.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="configuring-workload-namespaces">Configuring Workload Namespaces<a href="#configuring-workload-namespaces" class="hash-link" aria-label="Direct link to Configuring Workload Namespaces" title="Direct link to Configuring Workload Namespaces"></a></h3><p>When configuring workload namespaces, it is important to be aware that certain
options are designed to override the values of other options or namespace
definitions in workload resources. In some cases, setting namespaces using some
options may result in errors if the resources to be deployed contain
non-namespaced resources. To get a better understanding of how these options
interact, refer to the diagram below. For more details on a specific option,
please refer to the <a href="/ref-gitrepo">GitRepo</a> or
<a href="/ref-fleet-yaml">fleet.yaml</a> reference.</p><p><img loading="lazy" alt="Configuring Workload Namespaces" src="/assets/images/FleetWorkloadNamespaces-f336f50d9059b8a8e8a5da8da93a7a4b.png" width="408" height="1046" class="img_ev3q"></p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="cross-namespace-deployments">Cross Namespace Deployments<a href="#cross-namespace-deployments" class="hash-link" aria-label="Direct link to Cross Namespace Deployments" title="Direct link to Cross Namespace Deployments"></a></h3><p>It is possible to create a GitRepo that will deploy across namespaces. The
primary purpose of this is so that a central privileged team can manage common
configuration for many clusters that are managed by different teams. The way
this is accomplished is by creating a <code>BundleNamespaceMapping</code> resource in a
cluster.</p><p>If you are creating a <code>BundleNamespaceMapping</code> resource it is best to do it in a
namespace that only contains <code>GitRepos</code> and no <code>Clusters</code>. It seems to get
confusing if you have Clusters in the same repo as the cross namespace
<code>GitRepos</code> will still always be evaluated against the current namespace. So if
you have clusters in the same namespace you may wish to make them canary
clusters.</p><p>A <code>BundleNamespaceMapping</code> has only two fields. Which are as below</p><div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token key atrule">kind</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> BundleNamespaceMapping</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">apiVersion</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> fleet.cattle.io/v1alpha1</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">metadata</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">name</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> not</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">important</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">namespace</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> typically</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">unique</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic"># Bundles to match by label. The labels are defined in the fleet.yaml</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic"># labels field or from the GitRepo metadata.labels field</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">bundleSelector</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">matchLabels</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">foo</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> bar</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic"># Namespaces to match by label</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">namespaceSelector</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">matchLabels</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">foo</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> bar</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>If the <code>BundleNamespaceMappings</code> <code>bundleSelector</code> field matches a <code>Bundles</code>
labels then that <code>Bundle</code> target criteria will be evaluated against all clusters
in all namespaces that match <code>namespaceSelector</code>. One can specify labels for the
created bundles from git by putting labels in the <code>fleet.yaml</code> file or on the
<code>metadata.labels</code> field on the <code>GitRepo</code>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="restricting-gitrepos">Restricting GitRepos<a href="#restricting-gitrepos" class="hash-link" aria-label="Direct link to Restricting GitRepos" title="Direct link to Restricting GitRepos"></a></h3><p>A namespace can contain multiple <code>GitRepoRestriction</code> resources. All <code>GitRepos</code>
created in that namespace will be checked against the list of restrictions. If a
<code>GitRepo</code> violates one of the constraints its <code>BundleDeployment</code> will be in an
error state and won&#x27;t be deployed.</p><p>This can also be used to set the defaults for GitRepo&#x27;s <code>serviceAccount</code> and
<code>clientSecretName</code> fields.</p><div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token key atrule">kind</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> GitRepoRestriction</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">apiVersion</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> fleet.cattle.io/v1alpha1</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">metadata</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">name</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> restriction</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">namespace</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> typically</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">unique</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">allowedClientSecretNames</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">allowedRepoPatterns</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">allowedServiceAccounts</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">allowedTargetNamespaces</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">defaultClientSecretName</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;&quot;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">defaultServiceAccount</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;&quot;</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h4 class="anchor anchorWithStickyNavbar_LWe7" id="allowed-target-namespaces">Allowed Target Namespaces<a href="#allowed-target-namespaces" class="hash-link" aria-label="Direct link to Allowed Target Namespaces" title="Direct link to Allowed Target Namespaces"></a></h4><p>This can be used to limit a deployment to a set of namespaces on a downstream
cluster. If an allowedTargetNamespaces restriction is present, all <code>GitRepos</code>
must specify a <code>targetNamespace</code> and the specified namespace must be in the
allow list. This also prevents the creation of cluster wide resources.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="fleet-namespaces">Fleet Namespaces<a href="#fleet-namespaces" class="hash-link" aria-label="Direct link to Fleet Namespaces" title="Direct link to Fleet Namespaces"></a></h2><p>All types in the Fleet manager are namespaced. The namespaces of a custom
resource, e.g. GitRepo, does not influence the namespace of deployed resources.</p><p>Understanding how namespaces are used in the Fleet manager
is important to understand the security model and how one can use Fleet in a
multi-tenant fashion.</p><p><img loading="lazy" alt="Namespace" src="/assets/images/FleetNamespaces-4e461907ba4d5bbf6b309d125383bdb5.svg" width="1437" height="1731" class="img_ev3q"></p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="gitrepos-bundles-clusters-clustergroups">GitRepos, Bundles, Clusters, ClusterGroups<a href="#gitrepos-bundles-clusters-clustergroups" class="hash-link" aria-label="Direct link to GitRepos, Bundles, Clusters, ClusterGroups" title="Direct link to GitRepos, Bundles, Clusters, ClusterGroups"></a></h3><p>All selectors for <code>GitRepo</code> targets will be evaluated against the <code>Clusters</code>
and <code>ClusterGroups</code> in the same namespaces. This means that if you give
<code>create</code> or <code>update</code> privileges to a <code>GitRepo</code> type in a namespace, that end
user can modify the selector to match any cluster in that namespace. This means
in practice if you want to have two teams self manage their own <code>GitRepo</code>
registrations but they should not be able to target each others clusters, they
should be in different namespaces.</p><p>The cluster registration namespace, called &#x27;workspace&#x27; in Rancher, contains the <code>Cluster</code> and the
<code>ClusterRegistration</code> resources, as well as any <code>GitRepos</code> and <code>Bundles</code>.</p><p>Rancher will create two Fleet workspaces: <strong>fleet-default</strong> and
<strong>fleet-local</strong>.</p><ul><li><code>fleet-default</code> will contain all the downstream clusters that are already
registered through Rancher.</li><li><code>fleet-local</code> will contain the local cluster by default. Access to
<code>fleet-local</code> is limited.</li></ul><div class="theme-admonition theme-admonition-warning alert alert--danger admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 12 16"><path fill-rule="evenodd" d="M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"></path></svg></span>important information</div><div class="admonitionContent_S0QG"><p>Deleting the workspace, cluster registration namespace, will delete all the clusters within that namespace.
This will uninstall all deployed bundles, except for the fleet agent, from the deleted clusters.</p></div></div><p>If you are using Fleet in a <a href="/concepts">single cluster</a> style, the namespace
will always be <strong>fleet-local</strong>. Check
<a href="https://fleet.rancher.io/namespaces/#fleet-local" target="_blank" rel="noopener noreferrer">here</a> for more on the
<code>fleet-local</code> namespace.</p><p>For a <a href="/concepts">multi-cluster</a> style, please ensure you use the correct
repo that will map to the right target clusters.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="internal-namespaces">Internal Namespaces<a href="#internal-namespaces" class="hash-link" aria-label="Direct link to Internal Namespaces" title="Direct link to Internal Namespaces"></a></h3><h4 class="anchor anchorWithStickyNavbar_LWe7" id="cluster-registration-namespace-fleet-local">Cluster Registration Namespace: fleet-local<a href="#cluster-registration-namespace-fleet-local" class="hash-link" aria-label="Direct link to Cluster Registration Namespace: fleet-local" title="Direct link to Cluster Registration Namespace: fleet-local"></a></h4><p>The <strong>fleet-local</strong> namespace is a special namespace used for the single cluster
use case or to bootstrap the configuration of the Fleet manager.
Access to the local cluster should be limited to operators.</p><p>When fleet is installed the <code>fleet-local</code> namespace is created along with one
<code>Cluster</code> called <code>local</code> and one <code>ClusterGroup</code> called <code>default</code>. If no targets
are specified on a <code>GitRepo</code>, it is by default targeted to the <code>ClusterGroup</code>
named <code>default</code>. This means that all <code>GitRepos</code> created in <code>fleet-local</code> will
automatically target the <code>local</code> <code>Cluster</code>. The <code>local</code> <code>Cluster</code> refers to the
cluster the Fleet manager is running on.</p><h4 class="anchor anchorWithStickyNavbar_LWe7" id="system-namespace-cattle-fleet-system">System Namespace: cattle-fleet-system<a href="#system-namespace-cattle-fleet-system" class="hash-link" aria-label="Direct link to System Namespace: cattle-fleet-system" title="Direct link to System Namespace: cattle-fleet-system"></a></h4><p>The Fleet controller and Fleet agent run in this namespace. All service accounts
referenced by <code>GitRepos</code> are expected to live in this namespace in the
downstream cluster.</p><h4 class="anchor anchorWithStickyNavbar_LWe7" id="system-registration-namespace-cattle-fleet-clusters-system">System Registration Namespace: cattle-fleet-clusters-system<a href="#system-registration-namespace-cattle-fleet-clusters-system" class="hash-link" aria-label="Direct link to System Registration Namespace: cattle-fleet-clusters-system" title="Direct link to System Registration Namespace: cattle-fleet-clusters-system"></a></h4><p>This namespace holds secrets for the cluster registration process. It should
contain no other resources in it, especially secrets.</p><h4 class="anchor anchorWithStickyNavbar_LWe7" id="cluster-namespaces">Cluster Namespaces<a href="#cluster-namespaces" class="hash-link" aria-label="Direct link to Cluster Namespaces" title="Direct link to Cluster Namespaces"></a></h4><p>For every cluster that is registered a namespace is created by the Fleet manager
for that cluster. These namespaces are named in the form
<code>cluster-${namespace}-${cluster}-${random}</code>. The purpose of this namespace is
that all <code>BundleDeployments</code> for that cluster are put into this namespace and
then the downstream cluster is given access to watch and update
<code>BundleDeployments</code> in that namespace only.</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/rancher/fleet-docs/edit/main/docs/namespaces.md" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_Z9Sw" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_vwxv"><span class="theme-last-updated">Last updated<!-- --> on <b><time datetime="2024-10-18T11:42:02.000Z">Oct 18, 2024</time></b></span></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/gitrepo-content"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Git Repository Contents</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/resources-during-deployment"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Custom Resources During Deployment</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#workload-namespaces" class="table-of-contents__link toc-highlight">Workload Namespaces</a><ul><li><a href="#namespace-creation-behavior-in-bundles" class="table-of-contents__link toc-highlight">Namespace Creation Behavior in Bundles</a></li><li><a href="#configuring-workload-namespaces" class="table-of-contents__link toc-highlight">Configuring Workload Namespaces</a></li><li><a href="#cross-namespace-deployments" class="table-of-contents__link toc-highlight">Cross Namespace Deployments</a></li><li><a href="#restricting-gitrepos" class="table-of-contents__link toc-highlight">Restricting GitRepos</a><ul><li><a href="#allowed-target-namespaces" class="table-of-contents__link toc-highlight">Allowed Target Namespaces</a></li></ul></li></ul></li><li><a href="#fleet-namespaces" class="table-of-contents__link toc-highlight">Fleet Namespaces</a><ul><li><a href="#gitrepos-bundles-clusters-clustergroups" class="table-of-contents__link toc-highlight">GitRepos, Bundles, Clusters, ClusterGroups</a></li><li><a href="#internal-namespaces" class="table-of-contents__link toc-highlight">Internal Namespaces</a><ul><li><a href="#cluster-registration-namespace-fleet-local" class="table-of-contents__link toc-highlight">Cluster Registration Namespace: fleet-local</a></li><li><a href="#system-namespace-cattle-fleet-system" class="table-of-contents__link toc-highlight">System Namespace: cattle-fleet-system</a></li><li><a href="#system-registration-namespace-cattle-fleet-clusters-system" class="table-of-contents__link toc-highlight">System Registration Namespace: cattle-fleet-clusters-system</a></li><li><a href="#cluster-namespaces" class="table-of-contents__link toc-highlight">Cluster Namespaces</a></li></ul></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2024 SUSE Rancher. All Rights Reserved.</div></div></div></footer></div>
<script src="/assets/js/runtime~main.b74b6382.js"></script>
<script src="/assets/js/main.88b5c325.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink