Versions Compared

Old Version 39

changes.mady.by.user Kuralamudhan Ramakrishnan (Deactivated)

Saved on

compared with

New Version 40

changes.mady.by.user Kuralamudhan Ramakrishnan (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
outlinetrue

...

ICN RequirementTenant  Controller

Multi-cluster tenant controller

  1. Tenant created at Multi scheduler site (ONAP4K8S)
Cluster level  tenant controller

Identifying K8S clusters for this tenant based on cluster labels

  1. Send the Tenant details to the K8s cluster
Tenant is created with CR at cluster level [Implemented]

At K8s cluster level

  1. Creating namespace
  2. Creating K8S users (Tokens, Certificates and User/Pwds)
  3. Creating K8S roles
  4. Creating permissions to various roles.
  1. Tenant controller at K8s cluster level [Implemented]
    1. A tenant can have multiple namespaces 
      1. Tenant-a
        1. ns1
        2. ns2
      2. It creates Tenant-a-ns1 and Tenant-a-ns
  2. Cluster-admin: This persona entity has full read/write privileges for all resources in the cluster including resources owned by various Tenants of the cluster [Not implemented].
  3. Cluster-view: This persona This entity has read privileges for all resources in the cluster including reasources owned by various Tenants [Not implemented].
  4. Tenant-admin: This persona This entity has privileges to create a new tenant, read/write resources scoped to that Tenant and update or delete that Tenant. This persona does not have any privileges for accessing resources that are either cluster-scoped or scoped to namespaces that are not associated with the Tenant object for which this persona has Tenant-admin privileges.[Implemented]
  5. Tenant-user: This persona This entity has read/write privileges for all resources scoped within a specific Tenant (that is resources that are scoped within namespaces that are owned by a specific Tenant) [Not implemented].

Certificate Provisioning with Tenant

  • Suggestion to use Isito using citadel
Suggestion to bind the tenant with kubernetes context to see namespaces associated with it[Not implemented].
  • Quota at the application level.
  •  Tenant group support: Quota at the tenant group level (Multiple namespaces), ISTIO at the tenant group level.
  • Resource quota based on the tenant with multiple namespacenamespaces [Not implemented].

Multi-Cluster Tenant controller

<This section is incomplete and a work in progress ... needs rework and further updates ... >

Srini notes:

  1. Define CRUD API - add/delete/modify/read MC Tenant.
  2. Design note :
    • On how this would be done as Micro-service in the ONAP.
    • How does interact with K8S clusters.
    • How does it ensure that all the configuration is applied (rollbacks, unsuccessful edges).
    • Visibility of the configuration applied on per MCTenant basis.
    • When new K8S cluster is added with the label of interest, taking care of creating tenant-specific information in that edge etc..
    • Extensibility (future K8S clusters having some other features that require configuration for multi-tenancy).

Open Questions:

  1. Slice the tenant with the cluster "--context" 
  2. How to connect the istio Citadel certificates with Tenant? how to authenticate from the centralised location from onap4k8s to multi-cluster location?
  3. Tenant user bind to the certificates created from Citadel?
  4.  How the cluster labels are configured in ONAP? how the MC tenant controller can identify them?

JIRA Story details


Reference

Kubernetes Multi-Tenancy Draft Proposal
Tenant Concept in Kubernetes

...