Turn any Kubernetes cluster into a powerful developer platform using DevSpace Cloud.
In September 2018, we released our open-source project DevSpace as a client-only command-line tool for improving the development experience for Kubernetes. We got a lot of positive and very encouraging feedback from the cloud-native community since then. One of the things users told us at meetups and via Slack etc. was that onboarding new developers on Kubernetes, effectively organizing developer access to Kubernetes and managing developer teams with Kubernetes are still huge pain points. So, we decided to build DevSpace Cloud to address these issues.
Today, I am happy to announce that DevSpace Cloud is available as a beta version. This article explains the issues that DevSpace Cloud solves and how to get started with it.
Providing access to Kubernetes for your developer teams is hard.
DevSpace Cloud makes it easier by allowing you to turn any Kubernetes cluster into a powerful developer platform with just a single command:
$ devspace connect cluster
? Please enter a cluster name (e.g. my-cluster) my-cluster
? Which Kubernetes cluster do you want to connect? Select the kube context.
  kubectl-context-1
  kubectl-context-2
> current-kubect-context
  kubectl-context-3
  ...
DevSpace Cloud adds a lightweight control plane to your cluster and allows you to manage users and permissions with a central management UI.
Developers can create isolated Kubernetes namespaces (= Spaces) on demand using devspace create space [space-name], and DevSpace Cloud makes sure that users stay within their limits and cannot break out of their Spaces.
When creating a Space, the open-source command-line tool DevSpace automatically adds a kubectl context for the Space, so that developers can easily use kubectl, helm and other tools to directly interact with Kubernetes.
Providing Cluster Access for Developers is Hard
When looking at the benefits of DevOps, it is not hard to understand why organizations want software development and IT operations tightly integrated: Instead of having developers build something and throw it over the wall to the system administrators, they want developers to have the ability to deploy to the target infrastructure, test if their applications run as expected and debug issues with their deployments.
However, when using Kubernetes as the target platform for running and scaling container-based applications, it is not easy to provide secure and controlled Kubernetes access for developers. Generally, there are two popular approaches for providing dev access to Kubernetes, and both of them have their shortcomings:
Creating Separate Clusters for Developers = High Maintenance
- Not feasible in most private cloud scenarios
- High maintenance for keeping clusters healthy and up-to-date
- No central control over what developers are doing
- Developers should focus on code instead of being distracted by becoming de-facto admins for their dev cluster
Sharing One Development Cluster = Anarchy
- Managing multi-tenancy and isolating users is hard and requires setting up RBAC, service accounts, network policies, pod security policies etc.
- Securely enforcing user limits and permissions requires setting up resource quotas and configuring limit ranges
- Creating and configuring namespaces for developers creates manual effort for admins and can slow down the whole developer team
- Setting up developers' machines requires manual effort
Additionally, both approaches have the issue that it is pretty hard to hand over the cluster access to developers (e.g. setting up the kubectl context on every developer's machine) and then to onboard them to work with Kubernetes.
How can DevSpace Cloud help?
DevSpace Cloud allows you to turn any Kubernetes cluster into a powerful developer platform. It works with any private or public cloud.
DevSpace Cloud works like this:
- Connect a cluster with a single command (see Getting Started below)
- Add users to the cluster by sending them an invite link
- Manage limits and permissions with an intuitive management UI
- Let developers create isolated namespaces on demand
DevSpace Cloud allows cluster admins to provide secure, controlled access to Kubernetes for developers. It lets developers create namespaces on demand and automatically configures and manages the kubectl context for developers. System administrators can configure everything from limits for computing resources to node selectors and tolerations. DevSpace Cloud adds a lightweight control plane to the Kubernetes cluster which makes sure that developers stay within their limits.
- Central User & Permission Management
DevSpace Cloud provides a central management console for cluster admins. Admins can use it to manage cluster users, to set limits and permissions and to control what developers are doing within the cluster.
- Secure Namespace Creation & Isolation
With the open-source command-line tool DevSpace, developers can create Spaces (= isolated Kubernetes namespaces) whenever they need them. DevSpace Cloud automatically sets up RBAC, resource quotas, network policies, pod security policies etc. to isolate these namespaces and make sure that developers stay within the borders of their Spaces.
- Automatic Context Handling for kubectl
When developers create a Space with DevSpace, it will automatically configure a kubectl context for the newly created namespace and update this namespace over time, e.g. when certificates change etc.
- Automatic Subdomain Configuration
DevSpace Cloud will automatically generate and configure a subdomain (+ Let's Encrypt SSL certificate) for every Space, so developers can access their application easily in the browser. Using DevSpace for development will additionally provide access via localhost through port-forwarding (learn more about development with DevSpace).
- Lightweight In-Cluster Control Plane
DevSpace Cloud runs as a Service and only adds a very lightweight control plane to every cluster you connect. It consists of an Admission Controller, an Ingress Controller (optional) and a Cert Manager (optional).
- Multi-Cluster Support
Manage multiple clusters for different development teams within your organization and share access to the clusters as needed.
- Single Command Setup
It takes less than 5 minutes to connect your Kubernetes cluster and turn it into a powerful developer platform (see Getting Started below).
What about Security?
DevSpace Cloud is built to be secure by design:
- Encryption Key for Cluster Access Token
DevSpace asks you to specify an encryption key. This key is securely stored as a hash on your computer and is never stored within DevSpace Cloud. When connecting a cluster, DevSpace generates a service account, encrypts the access token for this account with your encryption key hash and then sends the encrypted token to DevSpace Cloud. That means that DevSpace Cloud can only access your cluster when you provide your encryption key and run an operation. After an operation is completed, DevSpace Cloud will not be able to access your cluster until you run another operation and provide your encryption key again.
- Direct Cluster Access without DevSpace Cloud
Any kubectl command or other communication with the Kubernetes API server does not touch DevSpace Cloud at all. Even the enforcement of user limits etc. happens directly inside your Kubernetes cluster within the in-cluster control plane.
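The token flow described under "Encryption Key for Cluster Access Token" (hash the encryption key locally, encrypt the service account token with that hash, send only the ciphertext), as an added example that is not DevSpace's own code. It assumes SHA-256 for the hash and AES-256-GCM for the encryption, neither of which this article specifies; the function names and the sample key and token are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// aeadFor hashes the encryption key and keys AES-256-GCM with that hash.
// Assumptions: SHA-256 and AES-GCM stand in for the unnamed hash and cipher.
func aeadFor(encryptionKey string) (cipher.AEAD, error) {
	hash := sha256.Sum256([]byte(encryptionKey)) // only this hash is kept locally
	block, err := aes.NewCipher(hash[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken runs client-side; only the returned blob is sent to the service.
func sealToken(gcm cipher.AEAD, token []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, nil), nil // nonce || ciphertext || tag
}

// openToken succeeds only while the caller supplies the matching key hash.
func openToken(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	admin, _ := aeadFor("example-key") // constructed sample key
	blob, _ := sealToken(admin, []byte("constructed-sa-token"))
	other, _ := aeadFor("wrong-key")
	_, err := openToken(other, blob)
	fmt.Println("blob bytes:", len(blob), "| wrong key rejected:", err != nil)
}
```

Because GCM is authenticated, a blob opened with the wrong key hash fails outright instead of yielding a garbled token, so a stored blob on its own is not usable as a credential.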
Getting Started with DevSpace Cloud
1. Installing DevSpace
DevSpace is the open-source command-line tool for DevSpace Cloud. You can install it with one of the following options:
Option 1: Using NPM (recommended)
npm install -g devspace
Option 2: Using Mac Terminal
curl -s -L "https://github.com/devspace-cloud/devspace/releases/latest" | sed -nE 's!.*"([^"]*devspace-darwin-amd64)".*!https://github.com\1!p' | xargs -n 1 curl -L -o devspace && chmod +x devspace; sudo mv devspace /usr/local/bin;
Option 3: Using Linux Bash
curl -s -L "https://github.com/devspace-cloud/devspace/releases/latest" | sed -nE 's!.*"([^"]*devspace-linux-amd64)".*!https://github.com\1!p' | xargs -n 1 curl -L -o devspace && chmod +x devspace; sudo mv devspace /usr/local/bin;
Option 4: Using Windows Powershell
md -Force "$Env:APPDATA\devspace"; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'; wget -UseBasicParsing ((Invoke-WebRequest -URI "https://github.com/devspace-cloud/devspace/releases/latest" -UseBasicParsing).Content -replace "(?ms).*`"([^`"]*devspace-windows-amd64.exe)`".*","https://github.com/`$1") -o $Env:APPDATA\devspace\devspace.exe; & "$Env:APPDATA\devspace\devspace.exe" "install"; $env:Path = (Get-ItemProperty -Path HKCU:\Environment -Name Path).Path
2. Connecting a Kubernetes Cluster to DevSpace Cloud
After installing DevSpace, you can run devspace connect cluster to connect one of your Kubernetes clusters to DevSpace Cloud. DevSpace will ask you a couple of questions as shown in the output below:
$ devspace connect cluster
? Please enter a cluster name (e.g. my-cluster) my-cluster
? Which kube context do you want to use [Use arrows to move, type to filter]
  kubectl-context-1
  kubectl-context-2
> current-kubect-context
  kubectl-context-3
# Choose a password-like key for encrypting the cluster access token
? Please enter a secure encryption key for your cluster credentials ********
? Please re-enter the key ********
[done] √ Initialized cluster
? Should the ingress controller use a LoadBalancer or the host network? [Use arrows to move, type to filter]
> LoadBalancer (GKE, AKS, EKS etc.)
  Use host network
[done] √ Deployed ingress controller
[done] √ Deployed admission controller
[done] √ Deployed cert manager
? DevSpace will automatically create an ingress for each space, which base domain do you want to use for the created space? (e.g. users.test.com) dev.my-domain.tld
[done] √ Please create an A dns record for '*.dev.my-domain.tld' that points to external-ip of loadbalancer service 'devspace-cloud/nginx-ingress-controller'. Run `kubectl get svc nginx-ingress-controller -n devspace-cloud` to view the service
[done] √ Successfully connected cluster to DevSpace Cloud.
3. Manage Users & Permissions
The following screenshots show a couple of things you can do with the management UI of DevSpace Cloud:
4. Working with Spaces
The goal of DevSpace Cloud is to enable cluster admins to provide developers with access to Kubernetes while minimizing the effort and complexity for both parties. Spaces are a central part of DevSpace Cloud. Developers can create these isolated Kubernetes namespaces on demand with just a single command:
devspace create space [space-name]
The command-line tool DevSpace automatically creates a new kubectl context for every Space and makes it easy for developers to switch the current kubectl context to an existing space by running the following command:
devspace use space [space-name]
If a developer does not need a Space anymore, they can simply remove it and DevSpace will also remove the kubectl context respectively:
devspace remove space [space-name]
Besides working with Spaces, DevSpace can also be used to define how an application should be deployed to Kubernetes. DevOps engineers can store this deployment procedure with a declarative devspace.yaml within the project and developers can simply deploy the project using devspace deploy or even establish a real-time connection to the deployment to program directly inside the Kubernetes cluster using
Learn more about:
- Deploying Helm charts, Kubernetes manifests etc. with DevSpace
- Developing cloud-native apps directly in Kubernetes using DevSpace
Why Use DevSpace Cloud?
Pure Kubernetes, Nothing Else
- DevSpace Cloud works with any Kubernetes cluster, no matter what else you want to run within the cluster, e.g. Istio, knative, custom operators etc.
- Users interact directly with the Kubernetes cluster; so even if DevSpace Cloud is down, developers can keep working without any issues
- Users interact with Spaces the same way they interact with regular namespaces, so all your favorite Kubernetes tools (kubectl, helm, skaffold etc.) work seamlessly with DevSpace Cloud
Full Control for Cluster Admins
- Simple user and permission management via DevSpace Cloud UI with extensive configuration options for user limits etc.
- Automates manual tasks such as the configuration of RBAC, pod security policies, network policies, resource quotas etc.
Flexible Self-Service for Developers
- On-demand Space Creation & Isolation (incl. subdomains + SSL)
- Automatic Handling of kubectl contexts
- Less management and support effort for admins
DevSpace Cloud allows cluster administrators to provide secure, controlled access for developers to Kubernetes. With the isolation of Kubernetes namespaces and the central control plane for managing users and permissions, DevSpace Cloud provides everything to reduce the manual effort for setting up multi-tenancy Kubernetes clusters during the development phase.
DevSpace Cloud allows you to connect one Kubernetes cluster for free. While in public beta, we generally allow connecting three clusters with up to ten collaborators each. If you wish to connect more clusters or add more collaborators, ping me on Slack or send me an email: firstname.lastname@example.org
I am also happy about any feedback you have regarding DevSpace or DevSpace Cloud. Reach out if you have any issues setting things up or if there is anything missing that you might need to effectively work with DevSpace in your team.
Want to run DevSpace Cloud on-premise?
We are currently working on an enterprise version of DevSpace Cloud which can run entirely on-premise. Send me an email if you wish to be on the early access list: email@example.com