...
The user invoking the install script MUST have permission to the MyProjectNamespace, otherwise the install will fail. When installing a namespace scoped agent, the kubernetes role bindings for the agent will be limited to namespace scoped permissions. This ensures that the agent runs with limited capability inside the kubernetes cluster.
The absence of the --namespace flag indicates a desire to install the agent with as it is done prior to this design. The agent will have cluster wide permissions, which and it will be installed into the openhorizon-agent namespace.
...
This field is optional and ignored for services deployed to a device.
For cluster scoped nodes, this field defines the namespace where the deployment occurs, effectively overriding an embedded namespace definition in the service.
For namespace scoped nodesIf a deployment policy constraint expression chooses a namespace scoped node as a deployment target, this field acts as a built-in constraint that causes namespace scoped nodes in namespaces other than the one specified by this field to be eliminated as deployment targets. Effectively, this field acts as a built-in constraint ANDed to the user specified constraint expression. The deploycheck CLI MUST detect this case.
In the absence of the "cluster_namespace" field, a namespace definition embedded in the operator definition acts as a built-in constraint that causes namespace scoped nodes in namespaces other than embedded namespace definition to be eliminated as deployment targets. Effectively, the embedded namespace definition acts as a built-in constraint ANDed to the user specified constraint expression. The deploycheck CLI MUST detect this case.
The Agbot calculates target nodes as follows:
Here are some examples that illustrate deployment outcomes resulting from the behavior described above. The examples show that the design is compatible with existing OH behavior and also enables control of the target namespace for the deployer.
- An edge cluster node with cluster privileges is chosen as a deployment target by the policy's constraint expression. The deployment policy has no If present, use the
"cluster_namespace"in addition to the deployment policy constraint expression to match potential target nodes. - If present, use the embedded namespace definition in addition to the deployment policy constraint expression to match potential target nodes. Otherwise, use the deployment policy constraint expression to match potential target
- defined and no embedded namespace definition. The edge service is deployed in the openhorizon-agent namespace.
- An edge cluster node with cluster privileges is chosen as a deployment target by the policy's constraint expression. The deployment policy has
"cluster_namespace":"ABC". The edge service is deployed in the ABC namespace. - An edge cluster node with cluster privileges is chosen as a deployment target. The deployment policy has no
"cluster_namespace"defined. The edge service has an embedded namespace definition for XYZ. The edge service is deployed in the XYZ namespace. - An edge cluster node with cluster privileges is chosen as a deployment target. The deployment policy has
"cluster_namespace":"ABC"defined. The edge service has an embedded namespace definition for XYZ. The edge service is deployed in the ABC namespace.
And finally, some additional examples for namespace scoped nodes.
Once the Agbot has calculated the target namespace it:
...