I work in a multi-tenant Node app. I know that to create a new namespace in Kubernetes it is possible to run a kubectl command as follows: kubectl create namespace <namespace name>
How can I create a new namespace from Node microservices when a new customer signs up for a new account?
Is there some kubectl API to make a request from an external app?
Is it necessary for the user to log out from the app, destroy the pods created in Kubernetes?
Creating Resources in the Namespace
If you run a `kubectl apply` on this file, it will create the Pod in the current active namespace. This will be the “default” namespace unless you change it. There are two ways to explicitly tell Kubernetes in which Namespace you want to create your resources.
Kubernetes comes with three namespaces out-of-the-box.
In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Names of resources need to be unique within a namespace, but not across namespaces.
It could be as simple as calling from a shell in your app:
kubectl create namespace <your-namespace-name>
Essentially, kubectl talks to the kube-apiserver.
You can also directly call the kube-apiserver. This is an example to list the pods:
```
$ curl -k -H 'Authorization: Bearer <token>' \
    https://$KUBERNETES_SERVICE_HOST:6443/api/<api-version>/namespaces/default/pods
```
More specifically to create a namespace:
```
$ curl -k -X POST -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <token>' \
    https://$KUBERNETES_SERVICE_HOST:6443/api/v1/namespaces/ -d '
{
  "apiVersion": "v1",
  "kind": "Namespace",
  "metadata": {
    "name": "mynewnamespace"
  }
}'
```
In case you are wondering about the `<token>`, it's a Kubernetes Secret typically belonging to a ServiceAccount and bound to a ClusterRole that allows you to create namespaces.
You can create a Service Account like this:
$ kubectl create serviceaccount namespace-creator
Then you'll see the token like this (a token is automatically generated):
```
$ kubectl describe sa namespace-creator
Name:                namespace-creator
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   namespace-creator-token-xxxxx
Tokens:              namespace-creator-token-xxxxx
Events:              <none>
```
Then you would get the secret:
```
$ kubectl describe secret namespace-creator-token-xxxxx
Name:         namespace-creator-token-xxxx
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: namespace-creator
              kubernetes.io/service-account.uid: <redacted>

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      <REDACTED>  <== This is the token you need for Authorization: Bearer
```
Your ClusterRole should look something like this:
```
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-creator
rules:
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["create"]
```
Then you would bind it like this:
```
$ kubectl create clusterrolebinding namespace-creator-binding --clusterrole=namespace-creator --serviceaccount=default:namespace-creator
```
When it comes to writing code you can use any HTTP client library in any language to call the same endpoints.
There are also libraries like the client-go library that take care of the plumbing of connecting to a kube-apiserver.
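The curl call from the answer above as a Node function, added here as an example and not part of the original answer: it accepts only a DNS-1123 label derived from the signup id and verifies the API server certificate against the mounted service-account CA instead of using `-k`. The function names, the `tenant-` prefix, and running inside a pod with the `namespace-creator` token mounted are assumptions.

```javascript
// Added example, not from the original answer. Function names and the "tenant-" prefix are assumptions.
const SA_DIR = '/var/run/secrets/kubernetes.io/serviceaccount'; // token and CA mounted into the pod

// Derive the namespace from the signup id; accept only a string that yields a DNS-1123 label.
function tenantNamespace(customerId) {
  const name = `tenant-${customerId}`;
  const label = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/;
  if (typeof customerId !== 'string' || name.length > 63 || !label.test(name)) {
    throw new Error(`invalid tenant id: ${JSON.stringify(customerId)}`);
  }
  return name;
}

// Pure builder for the same POST the curl command sends, with CA verification instead of -k.
function buildNamespaceRequest(customerId, { host, port, token, ca }) {
  const body = JSON.stringify({
    apiVersion: 'v1', kind: 'Namespace', metadata: { name: tenantNamespace(customerId) },
  });
  const headers = {
    Authorization: `Bearer ${token}`,
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(body),
  };
  return { options: { host, port, method: 'POST', path: '/api/v1/namespaces', ca, headers }, body };
}

// Sends the request from inside the cluster. Dynamic import() works in CommonJS and ES modules.
async function createNamespace(customerId) {
  const { readFileSync } = await import('node:fs');
  const https = await import('node:https');
  const { options, body } = buildNamespaceRequest(customerId, {
    host: process.env.KUBERNETES_SERVICE_HOST,
    port: process.env.KUBERNETES_SERVICE_PORT,
    token: readFileSync(`${SA_DIR}/token`, 'utf8').trim(),
    ca: readFileSync(`${SA_DIR}/ca.crt`),
  });
  return new Promise((resolve, reject) => {
    const req = https.request(options, (res) => {
      let data = '';
      res.on('data', (chunk) => { data += chunk; });
      res.on('end', () => {
        // 201 = created, 409 = a namespace with this name already exists
        if (res.statusCode === 201 || res.statusCode === 409) resolve(res.statusCode);
        else reject(new Error(`kube-apiserver returned ${res.statusCode}: ${data}`));
      });
    });
    req.on('error', reject);
    req.end(body);
  });
}
```

Call `createNamespace(customerId)` from the signup handler; the promise resolves with the HTTP status so the caller can distinguish a new namespace (201) from an existing one (409).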