Use Fleet Manager Managed Namespaces for multi-tenancy across multiple clusters (preview)

Applies to: ✔️ Fleet Manager with hub cluster

This article shows you how to use Fleet Manager Managed Namespaces to define resource quotas and network policies, and how to delegate user access for namespaces on multiple clusters.

Before you begin

• You need an Azure account with an active subscription. Create an account for free.

• You need a fleet with a hub cluster. If you don't have one, see create and join at least one Azure Kubernetes Service (AKS) cluster to the fleet.

• Read the Overview of multi-cluster managed namespaces to understand the concept of a managed namespace.

• You need Azure CLI version 2.58.0 or later installed to complete this article. To install or upgrade, see Install Azure CLI.

• You need the fleet Azure CLI extension. You can install it and update to the latest version using the az extension add and az extension update commands.

  # Install the extension
  az extension add --name fleet
  
  # Update the extension
  az extension update --name fleet
  

• Confirm the fleet extension version is at least 1.7.0 using the az extension show command.

  az extension show --name fleet
  

• Set the following environment variables for your subscription ID, resource group, Fleet, and Fleet Member:

  export SUBSCRIPTION_ID=<subscription-id>
  export GROUP=<resource-group-name>
  export FLEET=<fleet-name>
  export FLEET_ID=<fleet-id>
  

• Set the default Azure subscription using the az account set command.

  az account set --subscription ${SUBSCRIPTION_ID}
  

Create a new multi-cluster managed namespace

• Create a new multi-cluster managed namespace using the az fleet namespace create command.

      az fleet namespace create \
          --resource-group $GROUP \
          --fleet-name $FLEET \
          --name my-managed-namespace \ 
          --annotations annotation1=value1 annotation2=value2 \
          --labels team=myTeam label2=value2 \
          --cpu-requests 1m \
          --cpu-limits 4m \
          --memory-requests 1Mi \
          --memory-limits 4Mi \
          --ingress-policy allowAll \
          --egress-policy allowAll \
          --delete-policy keep \
          --adoption-policy never
  

Delegate access to a user

You can now assign access to a user for the managed namespace across member clusters using one of the built-in roles.

• Create a role assignment using the az role assignment create command. The following example assigns the Azure Kubernetes Fleet Manager RBAC Writer for Member Clusters role:

  az role assignment create --role "Azure Kubernetes Fleet Manager RBAC Writer for Member Clusters" --assignee <USER-ENTRA-ID> --scope $FLEET_ID/managedNamespaces/my-managed-namespace
  

Add member clusters to a managed namespace

You can control which member clusters to deploy the managed namespace to by specifying the desired list of member cluster names. Any unmanaged namespaces with the same name on member clusters not in the specified list remain untouched.

• Specify the full list of member clusters you want to deploy the managed namespace to using the az fleet namespace create command with the --member-cluster-names parameter. The namespace will be propagated to all clusters in the list.

  In this example, the namespace will be deployed to clusterA, clusterB, and clusterC.

  az fleet namespace create \
      --resource-group $GROUP \
      --fleet-name $FLEET \
      --name my-managed-namespace \
      --member-cluster-names clusterA clusterB clusterC
  

Remove member clusters from a managed namespace

You can remove member clusters from a managed namespace by specifying the list of member clusters you want the namespace to remain on, excluding any clusters you want to remove. This action removes the namespace from the clusters not included in the list.

• Specify the list of member clusters you want the managed namespace to remain on using the az fleet namespace create command with the --member-cluster-names parameter. The namespace will be removed from any clusters excluded from the list.

  In this example, the namespace will be removed from clusterC.

  az fleet namespace create \
      --resource-group $GROUP \
      --fleet-name $FLEET \
      --name my-managed-namespace \
      --member-cluster-names clusterA clusterB
  

View the multi-cluster managed namespace

• View the managed namespace using the az fleet namespace show command.

  az fleet namespace show \
     --resource-group $GROUP \
     --fleet-name $FLEET \
     --name my-managed-namespace \
     -o table
  

  Your output should resemble the following example output:

  AdoptionPolicy  DeletePolicy   ETag                                    Location   Name                  ProvisioningState   ResourceGroup
  --------------  ------------   -------------------------------------   --------   --------------------  -----------------   -------------
  Always          Delete         "aaaaaaaa-0b0b-1c1c-2d2d-333333333333   westus2    my-managed-namespace  Succeeded           test-rg
  

Delete a multi-cluster managed namespace

• Delete a multi-cluster managed namespace using the az fleet namespace delete command.

  az fleet namespace delete \
      --resource-group $GROUP \
      --fleet-name $FLEET \
      --name my-managed-namespace \
  

Next steps

• Read the Overview of multi-cluster managed namespaces to understand the concept of a managed namespace.
• Learn how to view managed namespaces you have access to.