Bug 1373366

Summary: [DOCS] Restrict certain pvs only for a given tenant
Product: OpenShift Container Platform
Reporter: Jaspreet Kaur <jkaur>
Component: Documentation
Assignee: Gaurav Nelson <gnelson>
Status: CLOSED CURRENTRELEASE
QA Contact: Jianwei Hou <jhou>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 3.2.0
CC: aos-bugs, dmcphers, eboyd, erich, jkaur, jokerman, mmccomas, swatt
Target Milestone: ---
Flags: gnelson: needinfo? (jkaur)
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: 3.7-release-plan
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-03 01:56:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Jaspreet Kaur 2016-09-06 06:24:25 UTC
1. What is the nature and description of the request?
Each of our on-boarded tenants orders storage separately and pays for this storage. In our multi-tenant env, if I have a total of 4 pvs (e.g. a, b, c, d), I want to make sure that tenant1 can use only volumes a and b while tenant2 can only use volumes c and d.
We want to ensure that we can do some capacity management on these lines. To do so, we will already enforce quotas. In addition to this, we are labelling volumes to identify them with tenants that are onboarded on our platform.
We now need to be able to restrict the tenants to use the volumes which are meant only for them. Using only label selectors is not sufficient for us as we cannot really enforce the tenants to use them. If they do not use the label selectors, they can still manage to get claims on volumes which were not meant for them. This is something we want to completely avoid.

2. Why is this needed? (List the business requirements here)
Capacity management (details explained above)

3. How would you like to achieve this? (List the functional requirements here)
Maybe using some sort of auth. policy?

4. Are there any specific timeline dependencies?
asap

5. Are you able to assist in testing this functionality if implemented?
yes

Comment 2 Jan Safranek 2016-09-16 12:08:23 UTC
This sounds like ACL to me, adding Erin to cc:. So far we assumed that ACLs would be namespace-based, maybe we should consider tenants too.

Comment 3 Steve Watt 2017-02-09 17:37:50 UTC
Access to be able to provision storage is provided via Storage Classes. In order to ensure one tenant (OpenShift project or Kubernetes Namespace) can use a particular Storage Class while another can not, we use quotas. This feature will be available in OpenShift 3.5.

Comment 4 Erin Boyd 2017-02-09 18:30:05 UTC
Storage quotas won't be in until 3.6. In addition it allows multiple namespaces to consume/provision storage from the class.

Comment 5 Erin Boyd 2017-02-09 18:32:08 UTC
@Jan you are correct in that it's restricted via namespace and not to specific users in that namespace

Comment 6 Erin Boyd 2017-02-09 20:12:21 UTC
I am sorry, I wanted to provide better clarification.

I am assuming tenant to be user, and I believe you mean tenant to be groups of users in a namespace. Is this accurate?

If so, storage class quotas will be the correct way to limit this. Since they are a global resource they are created by the admin and then granted usage via the quota.

This feature will be available in 3.6. Here is how they will be defined:
apiVersion: v1
kind: ResourceQuota
metadata:
  name: storage-quota
spec:
  hard:
    requests.storage: 100Gi
    persistentvolumeclaims: 100
    gold.storage-class.kubernetes.io/requests.storage: 3Gi
    gold.storage-class.kubernetes.io/persistentvolumeclaims: 5
    bronze.storage-class.kubernetes.io/requests.storage: 0
    bronze.storage-class.kubernetes.io/persistentvolumeclaims: 0

So, notice how I set the bronze class to 0, therefore this namespace will not be able to create claims against that class.
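
The following is an added example (not OpenShift or Kubernetes code, and not part of this bug's comments) that models how the per-storage-class keys in the ResourceQuota above are checked when a PersistentVolumeClaim is created in the namespace. The `hard` map is embedded as a Python dict copied from the comment; the quantity parser, the usage accounting and the admission check are simplified assumptions (only integer quantities with binary suffixes, no quota scopes), written to show why `bronze` at `0` rejects every bronze claim and why a class that is not named in the quota is not restricted by it at all.

```python
"""Simulated ResourceQuota admission for PVCs with per-storage-class keys.

Constructed example: the quota values come from the comment above, the
admission logic is a simplified model of the Kubernetes quota controller.
"""
import re

# Binary suffixes accepted by this simplified parser (assumption: no decimal SI)
BINARY_SUFFIX = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}


def parse_quantity(q):
    """Parse a quantity such as '3Gi', '500Mi', '100' or '0' into plain units."""
    m = re.fullmatch(r"(\d+)([KMGT]i)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return int(m.group(1)) * BINARY_SUFFIX.get(m.group(2), 1)


# The spec.hard map of the quota shown above, embedded as a dict
QUOTA_HARD = {
    "requests.storage": "100Gi",
    "persistentvolumeclaims": "100",
    "gold.storage-class.kubernetes.io/requests.storage": "3Gi",
    "gold.storage-class.kubernetes.io/persistentvolumeclaims": "5",
    "bronze.storage-class.kubernetes.io/requests.storage": "0",
    "bronze.storage-class.kubernetes.io/persistentvolumeclaims": "0",
}


def pvc_usage(storage_class, size):
    """Return the counters one PVC consumes, keyed like the quota's hard map."""
    usage = {"requests.storage": parse_quantity(size), "persistentvolumeclaims": 1}
    if storage_class is not None:
        prefix = f"{storage_class}.storage-class.kubernetes.io/"
        usage[prefix + "requests.storage"] = usage["requests.storage"]
        usage[prefix + "persistentvolumeclaims"] = 1
    return usage


def admit(hard, used, storage_class, size):
    """Decide whether a new PVC fits the quota; returns (allowed, reason)."""
    limits = {k: parse_quantity(v) for k, v in hard.items()}
    for key, delta in pvc_usage(storage_class, size).items():
        if key not in limits:
            continue  # a counter the quota does not enumerate is not constrained
        if used.get(key, 0) + delta > limits[key]:
            return False, f"exceeded quota: {key}"
    return True, "ok"


def apply(hard, used, storage_class, size):
    """Admit the PVC and, if allowed, record its usage in `used`."""
    ok, reason = admit(hard, used, storage_class, size)
    if ok:
        for key, delta in pvc_usage(storage_class, size).items():
            if key in hard:
                used[key] = used.get(key, 0) + delta
    return ok, reason


def run_scenario():
    """Create a sequence of PVCs against an empty namespace and return the verdicts."""
    used = {}
    return [
        apply(QUOTA_HARD, used, "gold", "1Gi")[0],     # allowed
        apply(QUOTA_HARD, used, "gold", "2Gi")[0],     # allowed, gold now at 3Gi
        apply(QUOTA_HARD, used, "gold", "1Gi")[0],     # rejected, gold storage exhausted
        apply(QUOTA_HARD, used, "bronze", "1Gi")[0],   # rejected, bronze limit is 0
        apply(QUOTA_HARD, used, "silver", "10Gi")[0],  # allowed, silver is not named in the quota
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The last case is the caveat worth keeping in mind for the tenant-restriction use case in this bug: a quota only constrains the storage classes it names, so every class a namespace must not use has to be listed explicitly with a `0` limit, as the bronze entries above do.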

Comment 9 Gaurav Nelson 2017-08-29 04:35:14 UTC
I have updated the Quota example to include these details, see PR https://github.com/openshift/openshift-docs/pull/5114

Comment 10 Gaurav Nelson 2017-09-06 00:07:07 UTC
Jaspreet Kaur, can you please check the PR? I have added the explanations along with the example we already have.

Comment 11 Gaurav Nelson 2017-09-18 02:11:49 UTC
@Jianwei Hou Can you please check this one?

Comment 12 Jianwei Hou 2017-09-18 07:06:43 UTC
Verified the quota example is updated in our documentation.

Comment 13 openshift-github-bot 2017-09-27 02:18:48 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/8a20eccc8f75991f68d0d30e5e02204a8a758380
Merge pull request #5114 from gaurav-nelson/Bug1373366Fixes

Bug#1373366 - Restrict certain pvs only for a given tenant - Fixes

Comment 14 Gaurav Nelson 2017-10-03 01:56:01 UTC
Updates are live at https://docs.openshift.com/container-platform/3.6/admin_guide/quota.html