📖 Namespace separation proposal #11691
Conversation
k8s-ci-robot
added
kind/documentation
k8s-ci-robot
added
needs-ok-to-test
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @marek-veber. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
There was a problem hiding this comment.
thanks @marek-veber , the design makes sense to me, i have some questions about various details.
a provisioning cluster which is provisioned cluster at the same time
also, i'm finding this phrase to be slightly confusing, is there a clearer way to state it?
|
|
||
| ## Motivation | ||
| Our motivation is to have a provisioning cluster which is provisioned cluster at the same time while using hierarchical structure of clusters. | ||
| Two namespaces are used by management cluster and the rest of namespaces are watched by CAPI manager to manage other managed clusters. |
There was a problem hiding this comment.
i think these sentences could be a little clearer, i'm not fully understanding the motivation.
| * https://github.com/kubernetes-sigs/cluster-api/issues/11193 | ||
|
|
||
| ### Goals | ||
| We need to extend the existing feature to limit watching on specified namespace. |
There was a problem hiding this comment.
just to be clear this is extending the existing feature for supporting multiple instances of cluster-api?
There was a problem hiding this comment.
I think it's extending the existing --namespace option to allow more than 1 namespace to be watched, like L95 of this document.
| We need to extend the existing feature to limit watching on specified namespace. | ||
| We need to run multiple CAPI controller instances: | ||
| - each watching only specified namespaces: `capi1-system`, …, `capi$(N-1)-system` | ||
| - and the last resort instance to watch the rest of namespaces excluding the namespaces already watched by previously mentioned instances |
There was a problem hiding this comment.
is there prior art on cluster-api controllers watching multiple namespaces? (just curious)
There was a problem hiding this comment.
https://github.com/kubernetes-sigs/cluster-api/blob/main/main.go#L170-L171 shows that we can take in a single namespace, which eventually gets specified as a controller-runtime cache.Option.DefaultNamespaces option (https://github.com/kubernetes-sigs/cluster-api/blob/main/main.go#L346).
The documentation for that field (https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/cache/cache.go#L182-L193) implies to me that multiple namespaces are supported, but I'm not familiar with the implementation, and I know that somewhat recently @sbueringer and @fabriziopandini put a lot of effort into making sure caching was optimized.
As I understand things right now, CAPI's controllers will watch either 1 namespace or all namespaces. Watching a number of namespaces between those two extremes is either not supported or well understood right now, based on my interpretation of what was said in the community meeting.
| ``` | ||
|
|
||
| ### User Stories | ||
| We need to deploy two CAPI instances in the same cluster and divide the list of namespaces to assign some well known namespaces to be watched from the first instance and rest of them to assign to the second instace. |
There was a problem hiding this comment.
this user story helps me to understand the motivation a little better, it might be nice to have some of this language in that section too.
| ### User Stories | ||
| We need to deploy two CAPI instances in the same cluster and divide the list of namespaces to assign some well known namespaces to be watched from the first instance and rest of them to assign to the second instace. | ||
|
|
||
| #### Story 1 - RedHat Hierarchical deployment using CAPI |
There was a problem hiding this comment.
i don't think this is specific to Red Hat, it seems anyone who is doing this type of heirarchical deployment could gain benefit from this enhancement.
i do think it's nice to include the links to the Red Hat jiras.
| A service account will be created for each namespace with CAPI instance. | ||
| In the simple deployment example we are considering that all CAPI-instances will share the one cluster role `capi-aggregated-manager-role` so all CAPI's service accounts will be bound using then cluster role binding `capi-manager-rolebinding`. | ||
| We can also use multiple cluster roles and grant the access more granular only to the namespaces watched by the instance. | ||
|
|
There was a problem hiding this comment.
will all the controllers use the same cloud credentials or will each namespace have its own cloud credentials?
|
I think overall the motivation behind this proposal should be something like "Enable adoption in advance multi tenant scenarios". Use case:
Paradigm 2: For both paradigms to coexist, paradigm 2 wants a way to restrict its scope and not be aware of CAPI resources owned by paradigm1. cc @fabriziopandini @sbueringer @serngawy I'm catching up with yesterday community call so wanted to share my thoughts on the topic. I agree with the concerns raised on the call. Thinks that I think could be explored: Use watchFilterValue |
| <!-- END doctoc generated TOC please keep comment here to allow auto update --> | ||
|
|
||
| ## Summary | ||
| We need to run multiple CAPI instances in one cluster and divide the namespaces to be watched by given instances. |
There was a problem hiding this comment.
lets add the ability to run a single CAPI instance that can watch group of namespaces OR exclude group of namespaces from been watched.
| * https://github.com/kubernetes-sigs/cluster-api/pull/11370 add the new commandline option `--excluded-namespace=<ns1, …>` | ||
|
|
||
| ## Motivation | ||
| Our motivation is to have a provisioning cluster which is provisioned cluster at the same time while using hierarchical structure of clusters. |
There was a problem hiding this comment.
Motivation:
For multi-tenant environment a cluster is used as provision-er using different CAPI providers.
Using CAPI requires careful consideration of namespace isolation to maintain security and operational boundaries between tenants. In such setups, it is essential to configure the CAPI controller instances to either watch or exclude specific groups of namespaces based on the isolation requirements. This can be achieved by setting up namespace-scoped controllers or applying filters, such as label selectors, to define the namespaces each instance should monitor. By doing so, administrators can ensure that the activities of one tenant do not interfere with others, while also reducing the resource overhead by limiting the scope of CAPI operations. This approach enhances scalability, security, and manageability, making it well-suited for environments with strict multi-tenancy requirements.
| - and the last resort instance to watch the rest of namespaces excluding the namespaces already watched by previously mentioned instances | ||
|
|
||
| This change is only a small and strait forward update of the existing feature to limit watching on specified namespace by commandline `--namespace <ns>` | ||
|
|
There was a problem hiding this comment.
Lets clarify the goal is to let the CAPI instance able to watch/exclude group of namespaces which will enhances the scalability, security, and manageability in multi tenant environment
|
/area provider/core |
k8s-ci-robot
added
area/provider/core
|
I like @enxebre's explanation of paradigms. As I've understood the goals, another way of stating 2 paradigms could be a CAPI install for self-managing the cluster (paradigm 1) and a CAPI install managing everything else that users may create (paradigm 2). In this scenario, the self-managing CAPI install wants to watch exactly 1 namespace (let's call it The CAPI installation for everything else, then, would like to watch all namespaces except |
What type of PR is this?:
/kind documentation
What this PR does / why we need it:
This PR serves as a starting point for the discussion about running multiple instances and defining which installation will watch which namespace.
See issues: