Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Sanjeev Rampal, Principal Engineer, Cisco Systems
Adrian Ludwin, Google Cloud
Secure Multitenancy in Kubernetes
Agenda
• Overview and Architecture
  • What is Kubernetes Multitenancy?
  • Architectural models for Multitenancy
• Community initiatives: Multitenancy control plane
  • Tenant controller & namespace grouping
  • Hierarchical namespaces
  • Virtual clusters
• Community initiatives: Data plane and benchmarking
  • Benchmarking
  • Data plane models
• Demo
• Q & A
Overview & Architecture
What is Kubernetes Multitenancy?
• What is it?
  • The ability to share a Kubernetes cluster between multiple independent teams
• Why is it useful?
  • Improved resource efficiency (especially when moving to containers on bare metal)
  • Reduced cluster sprawl
  • Lower capex and opex for the cluster operator
  • Resource usage burstability -> higher application performance
  • Essentially a bin-packing & statistical multiplexing problem
• Potential challenges
  • Kubernetes was not designed for multitenancy at its core
  • Unlike, say, OpenStack, there are no core K8s resources for "Users", "Tenants" or "Projects"
  • Wide spectrum of loosely defined scenarios and potential use cases
  • Defining "standardization" vs best practice vs implementation choice
What is Kubernetes Multitenancy? …
• The community feels this area needs work
  • The New Stack poll (newstack.io, November 2019)
• Categories of multitenancy (high-level use cases)
  • "Soft" multitenancy
    • Ex. multiple teams within the same enterprise sharing a K8s cluster
  • "Hard" multitenancy
    • Ex. a service provider hosting multiple independent tenants on a shared cluster
    • "Coke & Pepsi on the same K8s cluster"
  • Other
    • SaaS multitenancy
What is Kubernetes Multitenancy? …
• Available solutions
  1. Community Kubernetes + DIY solution using namespaces, network policies etc.
  2. Vendor/commercial distributions with features built on these
     • E.g. OpenShift "Projects", Rancher "Projects"
  3. Emerging community initiatives tracked within the K8s Multitenancy Working Group & others
Architectural Models
Architecture Options (diagram; four options, labelled A to D):
• A: Tenants T1, T2, T3 each get their own Kubernetes cluster (k8s1, k8s2, k8s3) running in VMs on a hypervisor/IaaS (e.g. vSphere) over bare metal (BM), with a separate k8s cluster management layer.
• B: One Kubernetes cluster on bare metal; tenants T1, T2, T3 are mapped to groups of namespaces (ns1 ns2 ns3, ns-a ns-b, ns-x ns-y).
• C: A "super" Kubernetes cluster on bare metal hosts virtual clusters k8s1, k8s2, k8s3, one per tenant T1, T2, T3.
• D: One Kubernetes cluster on bare metal with tenants T1, T2, T3 as core Kubernetes resources.
Multitenancy architecture models compared (columns: Resource efficiency | Level of tenant isolation | Tenant/application config restrictions | All "cloud native" architecture | Architecture maturity & production readiness)
• A: Multiple K8S clusters on top of a virtualization IaaS
  Resource efficiency: Low-medium | Tenant isolation: High | Config restrictions: No | All cloud native: No (multiple separate platforms, orch.) | Maturity: Medium-High
• B: Namespace grouping with Tenant resources
  Resource efficiency: High | Tenant isolation: Medium-High | Config restrictions: Some restrictions, e.g. cluster-scoped resources | All cloud native: Yes | Maturity: Medium
• C: Virtual Kubernetes clusters
  Resource efficiency: High | Tenant isolation: High | Config restrictions: No (?) | All cloud native: Yes | Maturity: Early
• D: Core Kubernetes change (Tenant as 1st-class resource)
  Resource efficiency: High | Tenant isolation: High | Config restrictions: No (?) | All cloud native: Yes (in theory) | Maturity: Very low (design does not exist)
Mapping Tenants, Applications, Services (diagram; three mapping options)
• 1 tenant <> 1 app <> 1 NS: Tenant-1 / Application-1 in Namespace-1 with services S1, S2, S3 (M micro-services all in one NS). Need to resolve naming conflicts.
• 1 tenant <> 1 app <> M NS: Tenant-1 / Application-1 spread over N1, N2, N3 with one service per NS (S1, S2, S3). Better service portability.
• 1 tenant <> M apps <> mix of hierarchical namespaces (H-NSs) & virtual clusters (VCs): Tenant-1 with Application-1 (S1, S2, S3 across N1, N2) and Application-2 (S4) inside Virtual Cluster1 (N3, N4, N5, N6).
Tenant vs Application Security Responsibility Model (diagram; layers from top to bottom)
• Tenant-A resources | Tenant-B resources
• Cluster control plane resources (k8s, monitoring etc.)
• Cluster and provider infrastructure resources
• Application security tools, e.g. Aqua
Community Initiatives: Multitenancy Control Plane
Operational Model: Personas and workflows (diagram; personas are Cluster-admin, Tenant-admin and Tenant-user)
1. Cluster-admin provisions the K8S cluster with 1 (of N) recommended security profiles.
2. Cluster-admin provisions Tenant template and Namespace template objects.
3. Tenant-admin provisions a new tenant referring to these templates.
4. Tenant-admin provisions access controls for the new tenant, including other admins & non-admin user RBAC.
5. Tenant-user provisions namespace-scoped k8s resources within the tenant.
6. Tenant-admin performs CRUD operations and tenant life cycle management on the tenant resource itself.
Tenant Operator Model
• Self-service or admin-provisioned tenants
• Each Tenant CR manages a collection of namespaces, virtual clusters and associated resources via corresponding CRs that eventually own those K8s resources
• Named admins + named resource RBAC
Sample config:
apiVersion: tenancy.x-k8s.io/v1alpha1
kind: Tenant
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: tenant-t1
spec:
  tenantAdminNamespaceName: t1-adm   # namespace in which this tenant's TenantNamespace objects are created
  requireNamespacePrefix: true       # tenant namespaces must carry the t1-adm- prefix
  tenantAdmins:
  - kind: ServiceAccount
    name: t1-user1
    namespace: default
---
apiVersion: tenancy.x-k8s.io/v1alpha1
kind: TenantNamespace
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: tns-t1-n1
  namespace: t1-adm                  # lives in the tenant admin namespace named above
spec:
  name: t1-adm-ns1                   # namespace to create; prefix matches requireNamespacePrefix: true
Hierarchical Namespace Controller
• Propagates policy objects from parents to children
  • Hardcoded list in v0.1 (Nov), aim to be configurable in v0.3 (early 2020)
• Self-service subnamespaces
  • No need for cluster-level privileges to create subnamespaces
• Hierarchical authz checks
  • "Subadmins" cannot deprive "superadmins" of access
• Integrations via K8s labels
  • Namespaces receive labels indicating the subtrees they're in
Hierarchical config (diagram): Org NS holds the original SRE RBAC and Network Policy objects; its child Team NS receives propagated copies of those and adds its own original Dev RBAC and Team secrets; the children Service 1 NS and Service 2 NS receive propagated copies of all four (SRE RBAC, Network Policy, Dev RBAC, Team secrets).
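The propagation, subtree labels and hierarchical authz check described above, modelled as an added example (not HNC's own code). The tree is the one drawn on the slide; the propagated object kinds and the admin assignment are constructed, and the label key format `<ancestor>.tree.hnc.x-k8s.io/depth` is an assumption, not something the slides state.

```python
"""Model of the HNC behaviour on the slide: policy objects propagate from a
parent namespace to all its descendants, each namespace receives labels naming
the subtrees it belongs to, and a subtree admin cannot remove what an ancestor's
admin placed there. Added example, not HNC's code; object kinds, tree and admin
assignment are constructed, the label key format is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Kinds propagated downwards (constructed; the slide says v0.1's list is hardcoded).
PROPAGATED_KINDS = {"Role", "RoleBinding", "NetworkPolicy", "Secret"}


@dataclass(frozen=True)
class Obj:
    kind: str
    name: str
    origin: str  # namespace holding the original; copies elsewhere are propagated


@dataclass
class Namespace:
    name: str
    parent: Optional[str] = None
    originals: Set[Obj] = field(default_factory=set)
    admins: Set[str] = field(default_factory=set)


class Hierarchy:
    def __init__(self) -> None:
        self.ns: Dict[str, Namespace] = {}

    def add(self, name: str, parent: Optional[str] = None, admins=()) -> None:
        """A subnamespace needs no cluster-level privilege here, only an existing parent."""
        if parent is not None and parent not in self.ns:
            raise ValueError(f"parent namespace {parent} does not exist")
        self.ns[name] = Namespace(name, parent, admins=set(admins))

    def ancestors(self, name: str) -> List[str]:
        """Nearest ancestor first, root last."""
        chain, cur = [], self.ns[name].parent
        while cur is not None:
            chain.append(cur)
            cur = self.ns[cur].parent
        return chain

    def tree_labels(self, name: str) -> Dict[str, str]:
        """One label per subtree the namespace sits in; depth 0 is the namespace
        itself. A NetworkPolicy or RBAC tool can select a whole subtree by key."""
        chain = [name] + self.ancestors(name)
        return {f"{ns}.tree.hnc.x-k8s.io/depth": str(d) for d, ns in enumerate(chain)}

    def effective_objects(self, name: str) -> Set[Obj]:
        """Own originals plus propagated copies from every ancestor. Walking
        root-first without overwriting means an ancestor's object beats a
        same-named one created lower down, so a subadmin cannot shadow it."""
        seen: Dict[Tuple[str, str], Obj] = {}
        for ns in reversed([name] + self.ancestors(name)):
            for o in self.ns[ns].originals:
                if ns == name or o.kind in PROPAGATED_KINDS:
                    seen.setdefault((o.kind, o.name), o)
        return set(seen.values())

    def create(self, actor: str, ns: str, kind: str, name: str) -> Obj:
        self._require_admin(actor, ns)
        obj = Obj(kind, name, ns)
        self.ns[ns].originals.add(obj)
        return obj

    def delete(self, actor: str, ns: str, kind: str, name: str) -> None:
        """Hierarchical authz check: an object may only be deleted in the
        namespace it originated from, by an admin of that namespace or of one
        of its ancestors. Deleting a propagated copy is refused."""
        self._require_admin(actor, ns)
        objs = {(o.kind, o.name): o for o in self.effective_objects(ns)}
        target = objs.get((kind, name))
        if target is None:
            raise KeyError(f"{kind}/{name} not present in {ns}")
        if target.origin != ns:
            raise PermissionError(
                f"{kind}/{name} in {ns} is propagated from {target.origin}; delete it there")
        self.ns[ns].originals.discard(target)

    def _require_admin(self, actor: str, ns: str) -> None:
        """Admin rights flow down the tree: an admin of any ancestor also
        administers this namespace, so superadmins keep their access."""
        if not any(actor in self.ns[c].admins for c in [ns] + self.ancestors(ns)):
            raise PermissionError(f"{actor} does not administer {ns}")


def slide_tree() -> Hierarchy:
    """The tree drawn on the slide: Org NS -> Team NS -> Service 1/2 NS, with
    SRE administering org and Dev administering team (constructed assignment)."""
    h = Hierarchy()
    h.add("org", admins={"sre"})
    h.add("team", "org", admins={"dev"})
    h.add("service-1", "team")
    h.add("service-2", "team")
    h.create("sre", "org", "RoleBinding", "sre-admin")
    h.create("sre", "org", "NetworkPolicy", "default-deny")
    h.create("dev", "team", "RoleBinding", "dev-admin")
    h.create("dev", "team", "Secret", "team-secrets")
    return h
```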
Virtual Kubernetes Clusters Model
Virtual Cluster Architecture Proposal; F. Guo et al.; Alibaba Cloud
Tenant Operator + Virtual Cluster + HNC (optional)
Data plane and Benchmarking
Multitenancy Benchmarks
• Goals: validate whether multi-tenancy has been achieved, independently of how it is configured
  • Decouple how multi-tenancy is provisioned and managed from the desired state
  • Define the desired states for multi-tenancy
  • Provide automated tests for validating the desired states
• MT profile levels and their intent:
  • Level 1: Uses K8s API objects; can be manually configured; limited tenancy features
  • Level 2: Level 1 + allows extensions for self-service DevOps, i.e. namespace creation, etc.
  • Level 3: Level 2 + ability to create CRDs, etc. (virtual control plane)
• Categories:
  1. Control Plane Isolation (CPI)
  2. Tenant Isolation (TI)
  3. Network Isolation (NI)
  4. Host Isolation (HI)
  5. Data Isolation (DI)
  6. Fairness (FNS)
  7. Self-Service Operations (OPS)
• Formatted similarly to the CIS benchmarks
• Test suite implemented using the k8s e2e test framework
• Open development model: the community submits PRs for candidate benchmark tests and implementations
Benchmark Categories & Formal Definition
Example: MTB-PL1-CC-CPI-1
• Profile Applicability: Level 1
• Type: Behavioral Check
• Category: Control Plane Isolation
• Description: Tenants should not be able to …
• Rationale: Tenants should not be able to access control plane resources ...
• Audit:
  • Run the following command to retrieve the list of non-namespaced resources:
    kubectl --kubeconfig cluster-admin api-resources --namespaced=false
  • For all non-namespaced resources, and each verb (get, list, create, update, patch, watch, delete, and deletecollection), issue the following command:
    kubectl --kubeconfig tenant-a auth can-i <verb> <resource>
  • Each command must return 'no'
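The audit above, automated as an added example (not the WG benchmark suite's code). It assumes the kubeconfig file names from the slide (cluster-admin, tenant-a) and a kubectl on PATH; the command runner is injectable so the same logic can be exercised against constructed kubectl output without a cluster.

```python
"""MTB-PL1-CC-CPI-1 audit, automated: every verb on every cluster-scoped
resource must be answered 'no' for the tenant identity.

Added example, not the WG's benchmark suite. Assumes the kubeconfig file
names from the slide ('cluster-admin', 'tenant-a') and kubectl on PATH;
the command runner is injectable so the logic runs against constructed
output without a cluster."""
import subprocess
import sys
from typing import Callable, List

VERBS = ["get", "list", "create", "update", "patch",
         "watch", "delete", "deletecollection"]

Runner = Callable[[List[str]], str]  # takes kubectl args, returns stdout


def run_kubectl(argv: List[str]) -> str:
    """Default runner. 'kubectl auth can-i' exits 1 when the answer is 'no',
    so only stdout is interpreted and the exit status is ignored here."""
    proc = subprocess.run(["kubectl"] + argv, capture_output=True, text=True)
    return proc.stdout


def cluster_scoped_resources(admin_kubeconfig: str, run: Runner = run_kubectl) -> List[str]:
    """Parses 'api-resources --namespaced=false -o name' (one resource per
    line, e.g. 'clusterroles.rbac.authorization.k8s.io') into a list."""
    out = run(["--kubeconfig", admin_kubeconfig, "api-resources",
               "--namespaced=false", "-o", "name"])
    return [line.strip() for line in out.splitlines() if line.strip()]


def tenant_can(tenant_kubeconfig: str, verb: str, resource: str,
               run: Runner = run_kubectl) -> str:
    """One SelfSubjectAccessReview issued as the tenant; normally 'yes' or 'no'."""
    out = run(["--kubeconfig", tenant_kubeconfig, "auth", "can-i", verb, resource])
    return out.strip().lower()


def audit_control_plane_isolation(admin_kubeconfig: str, tenant_kubeconfig: str,
                                  run: Runner = run_kubectl) -> List[str]:
    """Returns one finding per (verb, resource) pair the tenant was not denied;
    an empty list means the check passes. Anything other than an exact 'no'
    (a 'yes', an empty reply, an error message) counts as a finding, so a
    broken tenant kubeconfig cannot make the audit pass silently."""
    resources = cluster_scoped_resources(admin_kubeconfig, run)
    if not resources:
        # An empty inventory would make the loop below pass vacuously.
        raise RuntimeError("no cluster-scoped resources returned; check the admin kubeconfig")
    findings = []
    for resource in resources:
        for verb in VERBS:
            answer = tenant_can(tenant_kubeconfig, verb, resource, run)
            if answer != "no":
                findings.append(f"{verb} {resource} -> {answer or '<no answer>'}")
    return findings


if __name__ == "__main__":
    problems = audit_control_plane_isolation("cluster-admin", "tenant-a")
    for p in problems:
        print("FAIL:", p)
    print("PASS: MTB-PL1-CC-CPI-1" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```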
Example Baseline Reference Implementation:
• Control Plane:
  • Namespace grouping model (Tenant Operator based)
• Data Plane:
  • containerd / CRI-O runtime
  • Container sandboxing
    • Pod Security Policy (+ AppArmor, Seccomp)
    • Kata containers
  • K8s Network Policy
    • (CNI vendor-specific) Global Network Policy
    • Supported by Calico, Cisco ACI, Cilium, (others?)
  • Dynamic policy admission controller/framework
    • Open Policy Agent / Gatekeeper / Kyverno / k-rail ..
Network Policy: Global Policy + K8s Policy
• The current K8s NetworkPolicy is namespace-scoped only, which is not ideal for multi-tenancy
• Recommendation: use a combination of K8s Network Policy + (CNI-specific) Global Network Policy
  • Global Network Policy: tool for the cluster admin to isolate tenants
  • K8s Network Policy: developers and DevOps use it for micro-segmentation
Diagram: Tenant-1 and Tenant-2, separated by a global network policy rule for tenant isolation, with K8s network policy rules inside each tenant for app-team micro-segmentation.
Global Network Policy example, Calico v3.7 (demo only)
(ps. use the Calico 3.10 namespaceSelector for better rule options)
---
kind: GlobalNetworkPolicy
apiVersion: crd.projectcalico.org/v1
metadata:
  name: isolate-tenant-1
spec:
  types:
  - Ingress
  - Egress
  order: 10
  ingress:
  # Deny traffic into tenant t1 namespaces from any namespace not labelled tenant=t1
  - action: Deny
    source:
      namespaceSelector: tenant != 't1'
    destination:
      namespaceSelector: tenant == 't1'
  - action: Allow
  egress:
  # Deny traffic leaving tenant t1 namespaces towards any namespace not labelled tenant=t1
  - action: Deny
    source:
      namespaceSelector: tenant == 't1'
    destination:
      namespaceSelector: tenant != 't1'
  - action: Allow
Sample Cluster Setup Reference Configurations
Profile 1: Basic
• Secure-by-default Kubernetes configuration
  • Disable anonymous authentication
  • Disable ABAC, disable local authorization
  • K8S secrets encryption enabled
  • CIS Kubernetes Benchmark Level 2 requirements
• Enable RBAC
• Recommended default set of admission controllers (NodeRestriction, AlwaysPullImages, PodSecurityPolicy etc.)
  • Pod admission controller (PodSecurityPolicy)
• CNI container network policy enabled, including ingress and egress policies
• Docker runtime with Seccomp and AppArmor/SELinux default profiles
• Best-effort multi-tenancy for services (monitoring, logging etc.)
Profile 2:
• Profile 1 + additional required enhancements including:
  • Dynamic policy engine (e.g. OPA) based enhancements for
    • Access control/RBAC
    • Admission control (beyond Pod Security Policies)
    • Advanced policy controls (e.g. ingress route policies)
  • Newer container runtimes & runtime sandboxing options (CRI-O, containerd w/ Kata runtime, Firecracker/gVisor)
  • Complete solution for multi-tenancy across monitoring, logging, storage, service mesh ..
  • Tenancy across multi-cluster, multi-cloud
Demo
Where to find us
• Home page: https://github.com/kubernetes-sigs/multi-tenancy/
• https://github.com/kubernetes/community/tree/master/wg-multitenancy
• Slack channel: Kubernetes Slack, #wg-multitenancy
• Google Group: https://groups.google.com/forum/#!forum/kubernetes-wg-multitenancy
• Bi-weekly meeting (join the Google group for an invite)
  • Tuesday 11am Pacific Time
WG leads
• Project leads
  • @Adrian Ludwin: Hierarchical Namespace Controller ("HNC"); Software Engineer @ Google
  • @Fei Guo: Virtual Clusters, Tenant Controller; Software Engineer @ Alibaba
  • @Jim Bugwadia: Multi-tenancy Benchmarks; Founder & CEO at Nirmata
• Chairs
  • @tasha: Tasha Drew, Product Line Manager @ VMware
  • @srampal: Sanjeev Rampal, Principal Engineer @ Cisco

 
Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...
BookNet Canada
 
BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL
BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALLBLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL
BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL
Liveplex
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...
@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...
@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...
kantakumariji156
 
The Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU CampusesThe Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU Campuses
Larry Smarr
 
HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)
Alpen-Adria-Universität
 
20240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 202420240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 2024
Matthew Sinclair
 

Recently uploaded (20)

Quality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of TimeQuality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of Time
 
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsMYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
 
How Netflix Builds High Performance Applications at Global Scale
How Netflix Builds High Performance Applications at Global ScaleHow Netflix Builds High Performance Applications at Global Scale
How Netflix Builds High Performance Applications at Global Scale
 
7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
 
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
 
Coordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar SlidesCoordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar Slides
 
K2G - Insurtech Innovation EMEA Award 2024
K2G - Insurtech Innovation EMEA Award 2024K2G - Insurtech Innovation EMEA Award 2024
K2G - Insurtech Innovation EMEA Award 2024
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
What's Next Web Development Trends to Watch.pdf
What's Next Web Development Trends to Watch.pdfWhat's Next Web Development Trends to Watch.pdf
What's Next Web Development Trends to Watch.pdf
 
@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time
@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time
@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Quantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLMQuantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLM
 
Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...
 
BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL
BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALLBLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL
BLOCKCHAIN FOR DUMMIES: GUIDEBOOK FOR ALL
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...
@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...
@Call @Girls Guwahati 🚒 XXXXXXXXXX 🚒 Priya Sharma Beautiful And Cute Girl any...
 
The Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU CampusesThe Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU Campuses
 
HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)
 
20240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 202420240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 2024
 

Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive

• 8. What is Kubernetes Multitenancy ? …
  • Available solutions
    1. Community Kubernetes + DIY solution using namespaces, network policies etc
    2. Vendor/ commercial distributions with features built on these
      • E.g. Openshift “Projects”, Rancher “Projects”
    3. Emerging community initiatives tracked within K8s Multitenancy Working group & others
• 9. Architectural Models
  (Diagram: four models, labelled A, B, C, D and named in the table on the next slide, each hosting tenants T1, T2, T3 on bare-metal (BM) hosts)
  • A: VMs on a hypervisor (IaaS, ex. vSphere) running separate clusters k8s1, k8s2, k8s3 under k8s cluster mgmt
  • B: one K8S cluster with each tenant mapped to a group of namespaces (ns1, ns2, ns3; ns-a, ns-b; ns-x, ns-y)
  • C: a “Super K8S” cluster hosting virtual clusters k8s1, k8s2, k8s3, one per tenant
  • D: one K8S cluster with tenants T1, T2, T3 known to the core
• 10. Architecture Options

  Multitenancy Architecture Model | Resource efficiency | Level of Tenant isolation | Tenant/ application Config restrictions | All “Cloud Native” architecture | Architecture maturity & production readiness
  A: Multiple K8S clusters on top of a Virtualization IaaS | Low-medium | High | No | No (multiple separate platforms, orch.) | Medium-High
  B: Namespace grouping with Tenant resources | High | Medium-High | Some restrictions eg cluster scoped rescs. | Yes | Medium
  C: Virtual Kubernetes Clusters | High | High | No (?) | Yes | Early
  D: Core Kubernetes change (Tenant as 1st class resource) | High | High | No (?) | Yes (in theory) | Very low (design does not exist)
• 11. Mapping Tenants, Applications, Services
  (Diagram: three mappings)
  • 1 tenant <> 1 app <> 1 NS (M micro-services all in 1 NS): Tenant-1 / Application-1 / Namespace-1 holding S1, S2, S3. Need to resolve naming conflicts
  • 1 tenant <> 1 app <> M NS (1 service per NS): Tenant-1 / Application-1 with S1, S2, S3 in N1, N2, N3. Better service portability
  • 1 tenant <> M apps <> mix of H-NSs & VCs: Tenant-1 with Application-1 (S1, S2, S3 in N1, N2, N3) and Application-2 (S4) in Virtual Cluster1 (N4, N5, N6)
• 12. Tenant vs Application Security Responsibility Model
  (Diagram: layered stack, top to bottom)
  • Tenant-A resources | Tenant-B resources
  • Cluster control plane resources (k8s, monitoring etc)
  • Cluster and provider infrastructure resources
  • Application Security tools e.g. Aqua
• 14. Operational Model: Personas and workflows
  Personas: Cluster-admin, Tenant-admin, Tenant-user
  • Cluster-admin provisions K8S cluster with 1 (of N) recommended security profiles
  • Cluster-admin provisions Tenant template and Namespace template objects
  • Tenant-admin provisions a new tenant referring to these templates
  • Tenant-admin provisions access controls for the new tenant including other admins & non-admin user RBAC
  • Tenant-user provisions namespace scoped k8s resources within tenant
  • Tenant-admin performs CRUD operations and tenant life cycle mgmt. on the tenant resource itself
• 15. Tenant Operator Model
  • Self-service or Admin-provisioned Tenants
  • Each Tenant-CR manages a collection of namespaces, virtual clusters and associated resources via corresponding CRs that eventually own those K8s resources
  • Named admins + named resource RBAC
• 16. Sample config

apiVersion: tenancy.x-k8s.io/v1alpha1
kind: Tenant
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: tenant-t1
spec:
  tenantAdminNamespaceName: t1-adm
  requireNamespacePrefix: true
  tenantAdmins:
  - kind: ServiceAccount
    name: t1-user1
    namespace: default
---
apiVersion: tenancy.x-k8s.io/v1alpha1
kind: TenantNamespace
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: tns-t1-n1
  namespace: t1-adm
spec:
  # Add fields here
  name: t1-adm-ns1
• 17. Hierarchical Namespace Controller
  • Propagates policy objects from parents to children
    • Hardcoded list in v0.1 (Nov), aim to be configurable in v0.3 (early 2020)
  • Self-service subnamespaces
    • No need for cluster-level privileges to create subnamespaces
  • Hierarchical authz checks
    • “Subadmins” cannot deprive “superadmins” of access
  • Integrations via K8s labels
    • Namespaces receive labels indicating the subtrees they’re in.
  (Diagram: Org NS -> Team NS -> Service 1 NS, Service 2 NS. Org NS holds the original SRE RBAC and Network Policy; Team NS adds its own Dev RBAC and Team secrets and receives propagated copies of the Org objects; each Service NS receives propagated copies of all four. Legend: Original objects, Propagated objects, Hierarchical config.)
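The propagation and labelling behaviour on this slide, as an added Python model that is not HNC's own code: an in-memory reconcile loop copies the propagated kinds from ancestor namespaces into descendants, stamps every namespace with a depth label per subtree it belongs to, and restores a propagated copy that a subnamespace admin deletes, which is how a subadmin is kept from removing access a superadmin granted higher up. The set of propagated kinds, the label keys (modelled on HNC's documented conventions) and the handling of a same-name original in a child are assumptions, and the org/team/service tree is constructed from the slide's diagram.

```python
from dataclasses import dataclass, field

# Kinds HNC v0.1 propagates (the deck says the list is hardcoded; this set is assumed).
PROPAGATED_KINDS = ("Role", "RoleBinding", "NetworkPolicy", "Secret")
# Label conventions modelled on HNC's (assumed; verify against the HNC version in use).
TREE_LABEL_SUFFIX = ".tree.hnc.x-k8s.io/depth"
INHERITED_FROM = "hnc.x-k8s.io/inheritedFrom"


@dataclass
class Obj:
    kind: str
    name: str
    labels: dict = field(default_factory=dict)

    def is_propagated(self):
        return INHERITED_FROM in self.labels


@dataclass
class Namespace:
    name: str
    parent: str = None
    labels: dict = field(default_factory=dict)
    objects: dict = field(default_factory=dict)   # (kind, name) -> Obj


class Hierarchy:
    """In-memory stand-in for the namespaces plus the controller's reconcile loop."""

    def __init__(self):
        self.ns = {}

    def add(self, name, parent=None):
        if parent is not None and parent not in self.ns:
            raise ValueError(f"parent {parent!r} does not exist")
        self.ns[name] = Namespace(name, parent)

    def ancestors(self, name):
        """Ancestors nearest first, e.g. ['team', 'org'] for a service namespace."""
        out, p = [], self.ns[name].parent
        while p is not None:
            out.append(p)
            p = self.ns[p].parent
        return out

    def put(self, ns, obj):
        """Create an original object, as an admin of that namespace would."""
        self.ns[ns].objects[(obj.kind, obj.name)] = obj

    def delete(self, ns, kind, name):
        self.ns[ns].objects.pop((kind, name), None)

    def reconcile(self):
        """Recompute tree labels and propagated copies for every namespace (idempotent)."""
        for name, n in self.ns.items():
            # 1. Tree labels: depth 0 for itself, 1 for the parent, 2 for the grandparent ...
            n.labels = {k: v for k, v in n.labels.items() if not k.endswith(TREE_LABEL_SUFFIX)}
            for depth, anc in enumerate([name] + self.ancestors(name)):
                n.labels[anc + TREE_LABEL_SUFFIX] = str(depth)
            # 2. Propagation: drop stale copies, then re-copy the ancestors' originals of the
            #    propagated kinds, root first so the nearest ancestor wins on a name clash.
            n.objects = {k: o for k, o in n.objects.items() if not o.is_propagated()}
            for anc in reversed(self.ancestors(name)):
                for (kind, oname), o in self.ns[anc].objects.items():
                    if kind not in PROPAGATED_KINDS or o.is_propagated():
                        continue
                    if (kind, oname) in n.objects and not n.objects[(kind, oname)].is_propagated():
                        continue  # child has its own original of that name; left in place here (assumed)
                    n.objects[(kind, oname)] = Obj(kind, oname, {**o.labels, INHERITED_FROM: anc})


def build_slide_hierarchy():
    """The tree from the slide: Org NS -> Team NS -> Service 1 NS, Service 2 NS (constructed)."""
    h = Hierarchy()
    h.add("org")
    h.add("team", parent="org")
    h.add("service-1", parent="team")
    h.add("service-2", parent="team")
    h.put("org", Obj("RoleBinding", "sre-rbac"))          # SRE RBAC, created by the org admin
    h.put("org", Obj("NetworkPolicy", "default-deny"))    # Network Policy, created by the org admin
    h.put("team", Obj("RoleBinding", "dev-rbac"))         # Dev RBAC, created by the team admin
    h.put("team", Obj("Secret", "team-secrets"))          # Team secrets
    h.put("team", Obj("ConfigMap", "local-only"))         # not a propagated kind in this model
    h.reconcile()
    return h


def object_names(h, ns):
    return sorted(f"{k}/{n}" for (k, n) in h.ns[ns].objects)


def subadmin_cannot_remove_sre_access(h):
    """A service-level admin deletes the propagated SRE binding; the next reconcile restores it."""
    h.delete("service-1", "RoleBinding", "sre-rbac")
    gone = ("RoleBinding", "sre-rbac") not in h.ns["service-1"].objects
    h.reconcile()
    restored = h.ns["service-1"].objects.get(("RoleBinding", "sre-rbac"))
    return gone and restored is not None and restored.labels[INHERITED_FROM] == "org"


if __name__ == "__main__":
    h = build_slide_hierarchy()
    for ns in h.ns:
        print(ns, h.ns[ns].labels, object_names(h, ns))
    print("subadmin cannot remove SRE access:", subadmin_cannot_remove_sre_access(h))
```

The depth labels are what make "integrations via K8s labels" work: a NetworkPolicy or a RoleBinding selector can match `org.tree.hnc.x-k8s.io/depth` to cover every namespace under org without listing them.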
• 18. Virtual Kubernetes Clusters Model
  (Diagram from: Virtual Cluster Architecture Proposal; F Guo et al; Alibaba Cloud)
  • 19. Tenant Operator + Virtual Cluster + HNC (optional)
  • 20. Data plane and Benchmarking
• 21. Multitenancy Benchmarks
  • Goals: validate whether multi-tenancy has been achieved, independently of how it’s configured
    • Decouple how multi-tenancy is provisioned and managed from the desired state.
    • Define the desired states for multi-tenancy
    • Provide automated tests for validating the desired states

  MT Profile Level | Intent
  Level 1 | Uses K8s API objects; can be manually configured; limited tenancy features
  Level 2 | Level 1 + allow extensions for self-service DevOps i.e. namespace creation, etc.
  Level 3 | Level 2 + ability to create CRDs, etc. (virtual control plane)
• 22. Benchmark Categories & Formal Definition
  • Categories:
    1. Control Plane Isolation (CPI)
    2. Tenant Isolation (TI)
    3. Network Isolation (NI)
    4. Host Isolation (HI)
    5. Data Isolation (DI)
    6. Fairness (FNS)
    7. Self-Service Operations (OPS)
  • Formatted similar to CIS benchmarks
  • Test suite implemented using k8s e2e tests framework
  • Open development model: community submits PRs for candidate benchmark tests and implementations
• 23. Example: MTB-PL1-CC-CPI-1
  • Profile Applicability: Level 1
  • Type: Behavioral Check
  • Category: Control Plane Isolation
  • Description: Tenants should not be able to …
  • Rationale: Tenants should not be able to access control plane resources ...
  • Audit:
    • Run the following commands to retrieve the list of non-namespaced resources:
        kubectl --kubeconfig cluster-admin api-resources --namespaced=false
    • For all non-namespaced resources, and each verb (get, list, create, update, patch, watch, delete, and deletecollection) issue the following commands:
        kubectl --kubeconfig tenant-a auth can-i <verb> <resource>
    • Each command must return 'no'
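The audit steps of MTB-PL1-CC-CPI-1 automated in Python, as an added example that is not the working group's e2e test suite: it enumerates the non-namespaced resources with the cluster-admin kubeconfig (adding `--output=name` so each resource comes back as a single token), then asks `kubectl auth can-i <verb> <resource>` with the tenant kubeconfig for every verb listed on the slide, and reports the pairs that did not answer "no". The `run` callable is injectable; `fake_run` and its permission table are a constructed stand-in for kubectl so the logic can be exercised without a cluster, and the kubeconfig file names are placeholders.

```python
import subprocess

VERBS = ("get", "list", "create", "update", "patch", "watch", "delete", "deletecollection")


def run_kubectl(args):
    """Default runner: invoke the real kubectl; returns (exit code, stdout)."""
    proc = subprocess.run(["kubectl", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def non_namespaced_resources(admin_kubeconfig, run=run_kubectl):
    """Step 1 of the audit: cluster-scoped resources as seen by cluster-admin."""
    code, out = run(["--kubeconfig", admin_kubeconfig, "api-resources",
                     "--namespaced=false", "--output=name"])
    if code != 0:
        raise RuntimeError("kubectl api-resources failed; check the admin kubeconfig")
    return sorted({line.strip() for line in out.splitlines() if line.strip()})


def tenant_can(tenant_kubeconfig, verb, resource, run=run_kubectl):
    """Step 2: `auth can-i` answers yes/no on stdout (and exits 1 for no), so read the text."""
    _code, out = run(["--kubeconfig", tenant_kubeconfig, "auth", "can-i", verb, resource])
    return out.strip().lower().startswith("yes")


def audit_cpi_1(admin_kubeconfig, tenant_kubeconfig, run=run_kubectl):
    """Return the (verb, resource) pairs the tenant can perform; an empty list is a PASS."""
    findings = []
    for resource in non_namespaced_resources(admin_kubeconfig, run):
        for verb in VERBS:
            if tenant_can(tenant_kubeconfig, verb, resource, run):
                findings.append((verb, resource))
    return findings


def report(findings):
    if not findings:
        return "MTB-PL1-CC-CPI-1: PASS"
    lines = [f"  tenant can {verb} {resource}" for verb, resource in findings]
    return "MTB-PL1-CC-CPI-1: FAIL\n" + "\n".join(lines)


# --- Constructed stand-in for kubectl, for offline demonstration only -------------------
FAKE_RESOURCES = "namespaces\nnodes\nclusterroles.rbac.authorization.k8s.io\n"
FAKE_TENANT_ALLOWED = {("list", "nodes")}   # a deliberate misconfiguration the audit should catch


def fake_run(args):
    if "api-resources" in args:
        return 0, FAKE_RESOURCES
    verb, resource = args[-2], args[-1]
    return (0, "yes\n") if (verb, resource) in FAKE_TENANT_ALLOWED else (1, "no\n")


if __name__ == "__main__":
    # Against a real cluster: audit_cpi_1("cluster-admin.kubeconfig", "tenant-a.kubeconfig")
    print(report(audit_cpi_1("cluster-admin.kubeconfig", "tenant-a.kubeconfig", run=fake_run)))
```

Because the benchmark is written against the desired state rather than a particular tenant controller, the same script applies whether the cluster uses the tenant operator, HNC, a vendor "Project" abstraction or hand-written RBAC.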
• 24. Example Baseline Reference Implementation:
  • Control Plane:
    • Namespace Grouping Model (Tenant Operator based)
  • Data Plane:
    • containerD/ CRI-O runtime
    • Container sandboxing
      • Pod Security Policy (+Apparmor, Seccomp)
      • Kata containers
    • K8s Network Policy
    • (CNI vendor specific) Global Network Policy
      • Supported by Calico, Cisco ACI, Cilium, (others ?)
    • Dynamic policy admission controller/ framework
      • Open Policy Agent/ Gatekeeper/ Kyverno/ K-rail ..
• 25. Network Policy: Global Policy + K8s Policy
  • Current K8s Network Policy is namespace scoped only, which is non-ideal for Multi-tenancy
  • Recommendation: Use a combo of K8s Network Policy + (CNI-specific) Global Network Policy
    • Global Network Policy: Tool for Cluster Admin to isolate tenants
    • K8s Network Policy: Developers, Devops use for micro-segmentation
  (Diagram: Tenant-1 and Tenant-2, separated by a Global nw policy rule for tenant isolation; inside each tenant, K8s nw policy rules for App team microsegmentation)
• 26. Global Network Policy
  Calico v3.7 (demo only) example (ps. use Calico 3.10 namespaceselector for better rule options)

---
kind: GlobalNetworkPolicy
apiVersion: crd.projectcalico.org/v1
metadata:
  name: isolate-tenant-1
spec:
  types:
  - Ingress
  - Egress
  order: 10
  ingress:
  - action: Deny
    source:
      namespaceSelector: tenant != 't1'
    destination:
      namespaceSelector: tenant == 't1'
  - action: Allow
  egress:
  - action: Deny
    source:
      namespaceSelector: tenant == 't1'
    destination:
      namespaceSelector: tenant != 't1'
  - action: Allow
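The two-layer model of slides 25 and 26, as an added Python evaluator that is not part of the deck or of Calico: it applies the isolate-tenant-1 ingress rules first and the app team's K8s NetworkPolicy second, so you can see which layer decides each flow. The evaluation order is an assumption modelled on Calico's documented semantics (lower `order` first; a matching Allow or Deny ends evaluation; Pass hands off to the next tier; a pod selected by a K8s NetworkPolicy with no matching peer is denied; a pod selected by none is reachable). Under that model the deck's final `action: Allow` stops evaluation before the K8s policies are consulted, so the example defaults the final rule to `Pass` and also runs the Allow variant to show the difference; check this against your Calico version's documentation. Namespaces, labels and pods are constructed.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    namespace: str
    ns_labels: dict     # labels on the Namespace object, e.g. {"tenant": "t1"}
    pod_labels: dict    # labels on the Pod


# namespaceSelector expressions from the GlobalNetworkPolicy, as predicates on an endpoint
def ns_eq(key, value):      # tenant == 't1'
    return lambda ep: ep.ns_labels.get(key) == value


def ns_ne(key, value):      # tenant != 't1'
    return lambda ep: ep.ns_labels.get(key) != value


@dataclass
class GlobalRule:
    action: str                 # "Allow", "Deny" or "Pass"
    source: object = None       # predicate on the source endpoint, None = any
    destination: object = None  # predicate on the destination endpoint, None = any

    def matches(self, src, dst):
        return (self.source is None or self.source(src)) and \
               (self.destination is None or self.destination(dst))


@dataclass
class K8sIngressPolicy:
    namespace: str
    pod_selector: dict          # {} selects every pod in the namespace
    allow_from: list            # peers as (podSelector, namespaceSelector); None = field unset


def selects(selector, labels):
    """Equality-based label selector: {} matches everything, None matches nothing."""
    return selector is not None and all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer, src, policy_namespace):
    pod_sel, ns_sel = peer
    # A peer with only a podSelector is scoped to the policy's own namespace.
    ns_ok = (src.namespace == policy_namespace) if ns_sel is None else selects(ns_sel, src.ns_labels)
    pod_ok = pod_sel is None or selects(pod_sel, src.pod_labels)
    return ns_ok and pod_ok


def ingress_allowed(global_rules, k8s_policies, src, dst):
    """Tier 1: global rules, first match decides (Allow/Deny terminate, Pass hands off).
    Tier 2: namespaced K8s policies selecting the destination pod (assumed ordering)."""
    for rule in global_rules:
        if rule.matches(src, dst):
            if rule.action == "Pass":
                break
            return rule.action == "Allow"
    applicable = [p for p in k8s_policies
                  if p.namespace == dst.namespace and selects(p.pod_selector, dst.pod_labels)]
    if not applicable:
        return True   # no NetworkPolicy selects the pod: the namespace default is allow
    return any(peer_matches(peer, src, p.namespace) for p in applicable for peer in p.allow_from)


def tenant_isolation_policy(final_action):
    """The deck's isolate-tenant-1 ingress rules; the deck ends with Allow, the example with Pass."""
    return [GlobalRule("Deny", source=ns_ne("tenant", "t1"), destination=ns_eq("tenant", "t1")),
            GlobalRule(final_action)]


def scenarios(final_action="Pass"):
    """Constructed endpoints plus one app-team policy: web pods accept only frontend pods."""
    web_policy = K8sIngressPolicy("t1-shop", {"app": "web"}, [({"app": "frontend"}, None)])
    t1, t2 = {"tenant": "t1"}, {"tenant": "t2"}
    frontend = Endpoint("t1-shop", t1, {"app": "frontend"})
    batch = Endpoint("t1-shop", t1, {"app": "batch"})
    web = Endpoint("t1-shop", t1, {"app": "web"})
    cache = Endpoint("t1-shop", t1, {"app": "cache"})
    other_tenant = Endpoint("t2-app", t2, {"app": "frontend"})
    gnp = tenant_isolation_policy(final_action)
    return {
        "t2 frontend -> t1 web": ingress_allowed(gnp, [web_policy], other_tenant, web),  # global Deny
        "t1 frontend -> t1 web": ingress_allowed(gnp, [web_policy], frontend, web),      # K8s policy allows
        "t1 batch -> t1 web": ingress_allowed(gnp, [web_policy], batch, web),            # K8s policy denies
        "t1 batch -> t1 cache": ingress_allowed(gnp, [web_policy], batch, cache),        # nothing selects cache
    }


if __name__ == "__main__":
    for final in ("Pass", "Allow"):
        print(f"final global rule = {final}: {scenarios(final)}")
```

Cross-tenant traffic is stopped by the cluster admin's rule no matter what the app team writes, which is the point of the recommendation; the Allow variant shows that tenant-internal microsegmentation only works if the global policy hands tenant-internal flows on instead of terminating them.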
• 27. Sample Cluster Setup Reference Configurations
  Profile 1: Basic
  • Secure by default Kubernetes configuration
    • Disable anonymous authentication
    • Disable ABAC, disable local authorization
    • K8S secrets encryption enabled
    • CIS Kubernetes benchmarks Level 2 requirements
  • Enable RBAC
  • Recommended default set of admission controllers (NodeRestriction, AlwaysPullImages, PodSecurityPolicy etc)
  • Pod Admission controller (PodSecurityPolicy)
  • CNI Container Network Policy enabled including ingress and egress policies
  • Docker run-time with Seccomp, AppArmor/ SELinux default profiles
  • Best effort multi-tenancy for services (monitoring, logging etc)
  Profile 2:
  • Profile 1 + additional required enhancements including:
    • Dynamic policy engine (e.g. OPA) based enhancement for
      • Access control/ RBAC
      • Admission control (beyond Pod Security policies)
      • Advanced policy controls (e.g. ingress route policies)
    • Newer container runtimes & runtime sandboxing options (CRI-O, containerD w/ Kata runtime, Firecracker/ gVisor)
    • Complete solution for multi-tenancy across monitoring, logging, storage, service mesh ..
    • Tenancy across Multi-cluster, multi-cloud
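The Profile 1 items that are visible on the kube-apiserver command line, checked by an added Python script that is not part of the deck or of any benchmark tool: it parses the apiserver flags (both `--key=value` and `--key value` forms) and reports deviations for anonymous authentication, ABAC/AlwaysAllow authorization, RBAC, the named admission plugins and secrets encryption at rest. The flag names are real kube-apiserver flags and their defaults (anonymous auth on, authorization mode AlwaysAllow) are the upstream ones; the mapping of slide items to flags is this example's reading of the slide, and both command lines are constructed, not taken from any cluster.

```python
import shlex

# Admission plugins the slide names for Profile 1.
REQUIRED_ADMISSION = ("NodeRestriction", "AlwaysPullImages", "PodSecurityPolicy")


def parse_flags(cmdline):
    """Parse `--key=value`, `--key value` and bare `--key` (treated as true) into a dict;
    a repeated flag keeps its last value (assumed resolution order for this example)."""
    flags, args = {}, shlex.split(cmdline)[1:]   # drop the binary name
    i = 0
    while i < len(args):
        arg = args[i]
        if not arg.startswith("--"):
            i += 1
            continue
        key, eq, value = arg[2:].partition("=")
        if not eq:
            if i + 1 < len(args) and not args[i + 1].startswith("--"):
                value = args[i + 1]
                i += 1
            else:
                value = "true"
        flags[key] = value
        i += 1
    return flags


def profile1_findings(cmdline):
    """Deviations from the Profile 1 settings visible as apiserver flags; [] means compliant."""
    f = parse_flags(cmdline)
    findings = []
    if f.get("anonymous-auth", "true") != "false":        # upstream default is true
        findings.append("anonymous authentication is enabled (set --anonymous-auth=false)")
    modes = f.get("authorization-mode", "AlwaysAllow").split(",")   # upstream default
    if "RBAC" not in modes:
        findings.append("RBAC is not in --authorization-mode")
    for weak in ("ABAC", "AlwaysAllow"):
        if weak in modes:
            findings.append(f"{weak} authorization mode is enabled")
    enabled = set(f.get("enable-admission-plugins", "").split(","))
    for plugin in REQUIRED_ADMISSION:
        if plugin not in enabled:
            findings.append(f"admission plugin {plugin} is not enabled")
    if not f.get("encryption-provider-config"):
        findings.append("secrets encryption at rest is not configured (--encryption-provider-config)")
    return findings


# Constructed command lines, such as one copied from a static pod manifest (not a real cluster).
WEAK_CMDLINE = ("kube-apiserver --anonymous-auth=true --authorization-mode=ABAC,RBAC "
                "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction")
HARDENED_CMDLINE = ("kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC "
                    "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,"
                    "AlwaysPullImages,PodSecurityPolicy "
                    "--encryption-provider-config=/etc/kubernetes/encryption-config.yaml")

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(label, profile1_findings(cmd) or "compliant with the checked Profile 1 items")
```

The remaining Profile 1 items (network policy, runtime profiles, the CIS Level 2 list) live outside the apiserver flags, so a full check would combine this with the CIS benchmark tooling the slide refers to.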
  • 28. Demo
• 29. Where to find us
  • Home page: https://github.com/kubernetes-sigs/multi-tenancy/
  • https://github.com/kubernetes/community/tree/master/wg-multitenancy
  • Slack channel: Kubernetes Slack, #wg-multitenancy
  • Google Group: https://groups.google.com/forum/#!forum/kubernetes-wg-multitenancy
  • Bi-weekly meeting (join google group for invite)
    • Tuesday 11am Pacific Time
• 30. WG leads
  • Project leads
    • @Adrian Ludwin: Hierarchical Namespace Controller (“HNC”); Software Engineer @ Google
    • @Fei Guo: Virtual Clusters, Tenant Controller; Software Engineer @ Alibaba
    • @Jim Bugwadia: Multi-tenancy Benchmarks; Founder & CEO at Nirmata
  • Chairs
    • @tasha: Tasha Drew, Product Line Manager @ VMware
    • @srampal: Sanjeev Rampal, Principal Engineer @ Cisco