DevSpace Cloud lets you create an internal Kubernetes offering that enables developers to create isolated namespaces in shared development clusters.
DevSpace Cloud works with all major Kubernetes distributions. Once you connect a cluster, DevSpace Cloud will install a lightweight control plane into the cluster which provides everything you need to create isolated development sandboxes.
DevSpace Cloud lets you build a self-service Kubernetes platform that enables developer teams to create isolated Kubernetes namespaces called Spaces. While creating a Space, DevSpace Cloud takes care of setting up the required RBAC rules, network policies, resource quotas, security policies etc.
Run the connect cluster command and choose the kube-context of the cluster you want to connect.
In the admin UI of DevSpace Cloud, you can create invite links, manage users and set user permissions.
Cluster users can now create spaces whenever they need them, as long as they stay within their limits.
DevSpace Cloud ensures that everyone stays within their limits and no one breaks out of their spaces.
Instead of provisioning separate clusters for developers, DevSpace Cloud allows you to share Kubernetes clusters. After connecting a cluster to DevSpace Cloud, admins can add cluster users and configure their limits. Within these limits, cluster users can now create spaces on-demand whenever they need them.
With DevSpace Cloud, namespace provisioning becomes self-service for developers.
During the 'create space' command, the CLI configures a kube-context for every newly created namespace, so developers can use tools like kubectl and helm.
Every namespace created through DevSpace Cloud is by default completely isolated from the rest of the cluster.
While users interact directly with the Kubernetes clusters, DevSpace Cloud creates and manages the access tokens for cluster users that work within isolated Spaces.
When running a kubectl command in the kube-context of a Space, kubectl will retrieve an auth token from DevSpace which is by default configured as auth plugin for the context.
DevSpace Cloud supports oAuth, so users can sign in with their GitHub account (SASL is coming soon).
DevSpace Cloud sets up service accounts and Role-Based Access Control (RBAC) rules to ensure that cluster users cannot break out of their namespaces.
To ensure that users cannot break out of their Spaces, DevSpace Cloud creates a separate service account for each user of a Space.
By default, DevSpace Cloud sets up RBAC rules that make sure developers cannot run operations outside of their namespaces.
To make sure that developers can work within their namespaces without issues, DevSpace Cloud isolates the network traffic for each Space.
By default, containers in different Spaces cannot communicate with each other unless the cluster admins configures this explicitly.
DevSpace Cloud can automatically provision unique ingress hostnames for developers (if needed). Admins configure which other hostnames can be used by developers and DevSpace Cloud will ensure these rules using hostname validation.
DevSpace Cloud installs Open Policy Agent (OPA) into connected clusters to check every resource that a user creates using kubectl or other tools. This allows DevSpaceCloud to allow, reject or modify resources according to the admission policies defined by the cluster admins.
DevSpace Cloud provides a variety of best-practice admission policies for high security standards.
DevSpace Cloud allows admins to define their own admission checks using custom rules enforced by OPA.
Check the cluster status, install, configure or upgrade cluster services (e.g. ingress controller, cert manager, OPA Gatekeeper etc.) with just a click.
View users, their permissions, their Spaces as well as the utilization of these Spaces.
Create and send invite links to add new users.
Add or remove Spaces for cluster users. View all Spaces of cluster users (including log streaming for all pods). Pause Spaces to reduce cluster cost.
Configure user permissions and Space limits for individual cluster users or groups of them (using bulk operations).
We know that every team has their own compliance rules and security guidelines. DevSpace Cloud is built for customization and provides over 50 different configuration options for restricting cluster access and for limiting users and Spaces. And for additional customization, DevSpace Cloud lets you define admission control rules using Open Policy Agent and even allows you to modify the entire control logic of DevSpace Cloud, which is written in admission control policies as well.
Here are some of the rules which most users might want to use or customize:
Adds annotations to each ingress that is being created.
Restricts the user to a list or pattern of allowed hostnames.
Rejects privileged pods, hostNetwork access and more.
Sets default resource limits for pods without limits and makes sure users do not exceed their resource limits.
Because DevSpace Cloud is involved during the token exchange when a user runs any kubectl command, it knows when users have not been sending any requests for a while. DevSpace Cloud provides a sleep mode option, which pauses namespaces after a certain period of time.
DevSpace Cloud scales down the replica sets within a namespace if it detects that the user has not been working for a while (inactivity detection).
If a Space is paused, the entire configuration is still there, only the replica number is set to 0. If DevSpace Cloud receives the first request again, it resumes the Space by restoring the old number of replicas.
DevSpace Cloud allows you to configure how inactivity will be detected. This can even be configured differently on a per-user or on a per-Space basis.
We host DevSpace Cloud and the Kubernetes clusters for you.
We sponsor free Kubernetes namespaces in our managed clusters, so you can evaluate DevSpace Cloud.
We host DevSpace Cloud and you connect your own clusters to it.
Not sure about connecting your cluster?
Loft is v2 of DevSpace Cloud on-premise! See www.loft.sh for details.
loft offers the same features as loft but additionally lets you customize everything with Kubernetes CRDs and provides virtual clusters as well as enterprise authentication integrations with GitLab, GitHub, SAML 2.0, LDAP and more.
Do you have any questions about loft / DevSpace Cloud on-premise?
