Skip to content
This repository has been archived by the owner on Dec 15, 2021. It is now read-only.

Multi-tenancy : How to ? #829

Closed
deuch opened this issue Jun 22, 2018 · 2 comments
Closed

Multi-tenancy : How to ? #829

deuch opened this issue Jun 22, 2018 · 2 comments

Comments

@deuch
Copy link

deuch commented Jun 22, 2018
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST?: Feature Request

What happened: How to handle multi tenancy on a single kubernetes cluster with kubeless ?

What you expected to happen: Multi-tenancy enabled with every project on the platform separated and isolated

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): 1.8.11
  • Kubeless version (use kubeless version): 1.0.0-alpha-x
  • Cloud provider or physical cluster: Physical

Hello,

I would like to know the best approach to ensure multi-tenancy on a kubernetes cluster.

Only one installation of kubeless and deployment of functions in dedicated namespaces. But with this, i can only have one config-map, so one user for the registry etc ...

Can i have multiple installation of kubeless, one per project namespace for example ? It let us to have a config map for each project/env etc ...

Do you have any advice ?
@andresmgot
Copy link
Contributor

Hi @deuch,

Right now there is not an out of the box solution to have multi tenancy with Kubeless but the best approach to have that is to install Kubeless in different namespaces. It is also necessary to have RBAC enabled in your cluster. These are the steps required:

  • A cluster administrator should create the CRDs for functions and triggers. Those are not namespaced so you need to create them only once.
  • It is also necessary to create the kubeless-controller-deployer cluster role. You can use the default one but do not create the cluster role binding defined in the default manifest.
  • Instead of that, create a service account and a role binding per namespace for Kubeless. This will grant that each controller has access only to the functions within its namespace.
  • Deploy a Kubeless controller per namespace (each one with a ConfigMap for the configuration).

If you want to use PubSub functions you need to install the Kafka/NATS controller as well per namespace taking care of individual roles and service accounts.

Once the controller is installed, in order to use the kubeless CLI, it is necessary to set the environment variable KUBELESS_NAMESPACE for the tool to find the Kubeless configuration.

@andresmgot andresmgot mentioned this issue Aug 2, 2018
Merged
3 tasks
@andresmgot
Copy link
Contributor

hi @deuch, I opened #876 to support this feature. I will close this issue but if you have any question/request you can do it in #867.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@deuch @andresmgot