DevSpace Cloud works with all major Kubernetes distributions. Once you connect a cluster, DevSpace Cloud will install a lightweight control plane into the cluster which provides everything you need to create isolated development sandboxes.
DevSpace Cloud lets you build a self-service Kubernetes platform that enables developer teams to create isolated Kubernetes namespaces called Spaces. While creating a Space, DevSpace Cloud takes care of setting up the required RBAC rules, network policies, resource quotas, security policies etc.
Run the connect cluster command and choose the kube-context of the cluster you want to connect.
In the admin UI of DevSpace Cloud, you can create invite links, manage users and set user permissions.
Cluster users can now create spaces whenever they need them, as long as they stay within their limits.
DevSpace Cloud ensures that everyone stays within their limits and no one breaks out of their spaces.
Instead of provisioning separate clusters for developers, DevSpace Cloud allows you to share Kubernetes clusters. After connecting a cluster to DevSpace Cloud, admins can add cluster users and configure their limits. Within these limits, cluster users can now create spaces on-demand whenever they need them.
With DevSpace Cloud, namespace provisioning becomes self-service for developers.
During the 'create space' command, the CLI configures a kube-context for every newly created namespace, so developers can use tools like kubectl and helm.
Every namespace created through DevSpace Cloud is by default completely isolated from the rest of the cluster.
While users interact directly with the Kubernetes clusters, DevSpace Cloud creates and manages the access tokens for cluster users that work within isolated Spaces.
When a kubectl command runs in the kube-context of a Space, kubectl retrieves an auth token from DevSpace, which is configured by default as the auth plugin for that context.
DevSpace Cloud supports OAuth, so users can sign in with their GitHub account (SASL is coming soon).
DevSpace Cloud installs Open Policy Agent (OPA) into connected clusters to check every resource that a user creates using kubectl or other tools. This lets DevSpace Cloud allow, reject or modify resources according to the admission policies defined by the cluster admins.
DevSpace Cloud provides a variety of best-practice admission policies for high security standards.
DevSpace Cloud allows admins to define their own admission checks using custom rules enforced by OPA.
Check the cluster status, install, configure or upgrade cluster services (e.g. ingress controller, cert manager, OPA Gatekeeper etc.) with just a click.
View users, their permissions, their Spaces as well as the utilization of these Spaces.
Create and send invite links to add new users.
Add or remove Spaces for cluster users. View all Spaces of cluster users (including log streaming for all pods). Pause Spaces to reduce cluster cost.
Configure user permissions and Space limits for individual cluster users or groups of them (using bulk operations).
We know that every team has their own compliance rules and security guidelines. DevSpace Cloud is built for customization and provides over 50 different configuration options for restricting cluster access and for limiting users and Spaces. And for additional customization, DevSpace Cloud lets you define admission control rules using Open Policy Agent and even allows you to modify the entire control logic of DevSpace Cloud, which is written in admission control policies as well.
Here are some of the rules which most users might want to use or customize:
Adds annotations to each ingress that is being created.
Restricts the user to a list or pattern of allowed hostnames.
Rejects privileged pods, hostNetwork access and more.
Sets default resource limits for pods without limits and makes sure users do not exceed their resource limits.
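The pod-security and hostname rules listed above could be written as OPA admission checks along the following lines. This is an added example, not DevSpace Cloud's own policy code: the package name, the `deny` rule convention and the allowed host suffix are assumptions, and the input is assumed to be a standard Kubernetes AdmissionReview.

```rego
package kubernetes.admission

import rego.v1

# Assumption: constructed allow-list. The leading dot stops "evildev.example.com"
# from matching a suffix meant for subdomains of dev.example.com.
allowed_host_suffixes := {".dev.example.com"}

# Every container in the Pod, init containers included, so a privileged
# init container cannot slip past the check.
pod_containers contains c if {
	some field in {"containers", "initContainers"}
	some c in input.request.object.spec[field]
}

deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in pod_containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

deny contains msg if {
	input.request.kind.kind == "Pod"
	input.request.object.spec.hostNetwork == true
	msg := "pods must not use hostNetwork"
}

# An Ingress rule without a host matches every hostname, so reject it outright.
deny contains msg if {
	input.request.kind.kind == "Ingress"
	some rule in input.request.object.spec.rules
	not rule.host
	msg := "ingress rules must set a host"
}

deny contains msg if {
	input.request.kind.kind == "Ingress"
	some rule in input.request.object.spec.rules
	not host_allowed(rule.host)
	msg := sprintf("ingress host %q is not in the allowed list", [rule.host])
}

host_allowed(host) if {
	some suffix in allowed_host_suffixes
	endswith(host, suffix)
}
```

The Pod rules only see bare Pods; workloads created through Deployments or Jobs are caught when their controllers create the Pods, so the rejection surfaces as a failed rollout rather than at `kubectl apply` time.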
Because DevSpace Cloud is involved during the token exchange when a user runs any kubectl command, it knows when users have not been sending any requests for a while. DevSpace Cloud provides a sleep mode option, which pauses namespaces after a certain period of time.
DevSpace Cloud scales down the replica sets within a namespace if it detects that the user has not been working for a while (inactivity detection).
If a Space is paused, its entire configuration is still there; only the replica number is set to 0. When DevSpace Cloud receives the first request again, it resumes the Space by restoring the old number of replicas.
DevSpace Cloud allows you to configure how inactivity will be detected. This can even be configured differently on a per-user or on a per-Space basis.