Introduction
This blueprint is designed to help platform teams provide their users with a self-service, multi-tenant operating environment on shared Kubernetes clusters.
Options for Multi Tenancy
Every Rafay customer (e.g. an enterprise) gets access to their own Org. Within an Org, multiple options for multi-tenancy are supported for users and teams. These options are powered and enforced using the capabilities of Rafay's Kubernetes Management platform.
- Namespace
- Virtual Cluster
The image below describes the various options for multi-tenancy supported by the platform. These options allow administrators to select the tenancy approach most appropriate for their requirements.
Namespace
A Kubernetes namespace allows the organization to partition an existing cluster into logical mini-clusters and assign them to users. Users allocated a Kubernetes namespace will not have privileged access to the cluster. For example, they will not have cluster-wide privileges required to deploy applications that are packaged as CRDs.
Note
Users that require support for cluster-wide privileges are recommended to use the "Virtual Cluster" option described below.
Virtual Clusters
Virtual clusters (aka vClusters) are essentially full Kubernetes clusters that operate inside a namespace. Virtual clusters have their own API server that provides better isolation for use cases where namespaces are not practical.
Tenant Autonomy
A data scientist may be unable to install software packaged as Kubernetes CRDs into a namespace because of a lack of privileges. With a virtual cluster, the platform team can provide the user with full autonomy.
Separation of Duties
Instead of a complex, shared responsibility and support model, platform teams can focus on supporting and maintaining the underlying "host cluster" and the "namespace" in which the virtual cluster operates. They can delegate the administrative responsibilities of the virtual cluster to the end user.
Controls
Administrators can automatically enforce the following controls for the various multi-tenancy options supported. Click on each control in the table below for detailed information.
| # | Controls | Supported |
|---|---|---|
| 1 | Resource Quotas | |
| 2 | RBAC | |
| 4 | Isolated Containers | |
| 5 | Network Policy | |
| 6 | Cluster Policy | |
| 7 | Secure Remote Access | |
| 8 | Audit Logging | |
| 9 | Cost Visibility & Allocation | |
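The following manifest is an added illustration, not Rafay's own configuration, of what the namespace tenancy model described above looks like when expressed directly in Kubernetes objects: a tenant namespace with three of the controls from the table (Resource Quotas, RBAC, Network Policy) applied to it. The namespace name `team-ds`, the user identity `ds-user@example.com`, and the quota figures are constructed placeholders. The RBAC section uses a namespace-scoped `Role` rather than a `ClusterRole`, which is exactly why a namespace tenant cannot create cluster-wide objects such as CRDs.

```yaml
# Added example (not Rafay's configuration): one namespace tenant with
# namespace-scoped controls. All names and numbers are constructed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-ds
  labels:
    tenant: team-ds
---
# Resource Quotas: hard caps on what the tenant can consume in its namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-ds-quota
  namespace: team-ds
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 32Gi
    limits.cpu: "16"
    limits.memory: 64Gi
    pods: "50"
    persistentvolumeclaims: "10"
---
# RBAC: a namespace-scoped Role (not a ClusterRole). The tenant can manage
# workloads inside team-ds but has no cluster-wide rights, so it cannot
# create CustomResourceDefinitions or other cluster-scoped objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-editor
  namespace: team-ds
rules:
- apiGroups: ["", "apps", "batch"]
  resources:
  - pods
  - pods/log
  - services
  - configmaps
  - secrets
  - deployments
  - statefulsets
  - jobs
  - cronjobs
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-editor-binding
  namespace: team-ds
subjects:
- kind: User
  name: ds-user@example.com   # constructed placeholder identity
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tenant-editor
  apiGroup: rbac.authorization.k8s.io
---
# Network Policy: deny all ingress and egress by default for every pod in the
# namespace, then re-allow only intra-namespace traffic and DNS to kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-ds
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-dns
  namespace: team-ds
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector: {}        # pods in this namespace only
  egress:
  - to:
    - podSelector: {}        # pods in this namespace only
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

After applying this with `kubectl apply -f`, the separation the Namespace section describes can be verified with impersonation: `kubectl auth can-i create deployments -n team-ds --as=ds-user@example.com` should answer `yes`, while `kubectl auth can-i create customresourcedefinitions --as=ds-user@example.com` should answer `no`. Network policies are only enforced if the cluster's CNI supports them, so the same check for network isolation is to run a pod in another namespace and confirm it cannot reach a service in `team-ds`.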