1. What is the nature and description of the request?
Each of our on-boarded tenants orders storage separately and pays for this storage. In our multi-tenant env, if I have a total of 4 PVs (for e.g. a, b, c, d), I want to make sure that tenant1 can use only volumes a and b while tenant2 can only use volumes c and d. We want to ensure that we can do some capacity management on these lines. To do so, we will already enforce quotas. In addition to this, we are labelling volumes to identify them with tenants that are onboarded on our platform. We now need to be able to restrict the tenants to use the volumes which are meant only for them. Using only label selectors is not sufficient for us as we cannot really enforce the tenants to use them. If they do not use the label selectors, they can still manage to get claims on volumes which were not meant for them. This is something we want to completely avoid.
2. Why is this needed? (List the business requirements here)
Capacity management (details explained above)
3. How would you like to achieve this? (List the functional requirements here)
Maybe using some sort of auth policy?
4. Is there a specific timeline dependency?
asap
5. Are you able to assist in testing this functionality if implemented?
yes
This sounds like ACL to me, adding Erin to cc:. So far we assumed that ACLs would be namespace-based, maybe we should consider tenants too.
Access to be able to provision storage is provided via Storage Classes. In order to ensure one tenant (OpenShift project or Kubernetes Namespace) can use a particular Storage Class while another can not, we use quotas. This feature will be available in OpenShift 3.5.
Storage quotas won't be in until 3.6. In addition it allows multiple namespaces to consume/provision storage from the class.
@Jan you are correct in that it's restricted via namespace and not to specific users in that namespace
I am sorry, I wanted to provide better clarification. I am assuming tenant to be user, and I believe you mean tenant to be groups of users in a namespace. Is this accurate? If so, storage class quotas will be the correct way to limit this. Since they are a global resource they are created by the admin and then granted usage via the quota. This feature will be available in 3.6. Here is how they will be defined:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: storage-quota
spec:
  hard:
    requests.storage: 100Gi
    persistentvolumeclaims: 100
    gold.storage-class.kubernetes.io/requests.storage: 3Gi
    gold.storage-class.kubernetes.io/persistentvolumeclaims: 5
    bronze.storage-class.kubernetes.io/requests.storage: 0
    bronze.storage-class.kubernetes.io/persistentvolumeclaims: 0

So, notice how I set the bronze class to 0, therefore this namespace will not be able to create claims against that class.
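An added example, not code from this bug thread or from OpenShift/Kubernetes: a small Python model of how a ResourceQuota like the one in the comment above gates PersistentVolumeClaims in a namespace. It assumes the quota keys follow the naming shown in that comment, that usage is the sum over the namespace's existing claims plus the new request, and that a request is rejected when any hard limit would be exceeded. The claims, sizes and the `admit_pvc` helper are constructed for illustration.

```python
# Simplified model of ResourceQuota enforcement for PersistentVolumeClaims.
# Added example; not the quota controller's real implementation.
import re

# Binary SI suffixes accepted for quantities (assumption: plain integers are bytes/counts).
UNITS = {"": 1, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}

# Quota taken from the comment above, as a flat "hard" map.
TENANT_QUOTA = {
    "requests.storage": "100Gi",
    "persistentvolumeclaims": "100",
    "gold.storage-class.kubernetes.io/requests.storage": "3Gi",
    "gold.storage-class.kubernetes.io/persistentvolumeclaims": "5",
    "bronze.storage-class.kubernetes.io/requests.storage": "0",
    "bronze.storage-class.kubernetes.io/persistentvolumeclaims": "0",
}


def parse_quantity(q):
    """Convert a quantity string such as '3Gi', '100' or '0' to an integer."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti)?", str(q).strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]


def usage_of(claims):
    """Tally namespace-wide counters plus per-storage-class counters.

    Each claim is a dict: {"name": str, "size": str, "storage_class": str|None}.
    Claims that name no storage class only count against the namespace-wide keys
    (assumption of this model).
    """
    used = {"requests.storage": 0, "persistentvolumeclaims": 0}
    for c in claims:
        size = parse_quantity(c["size"])
        used["requests.storage"] += size
        used["persistentvolumeclaims"] += 1
        sc = c.get("storage_class")
        if sc:
            prefix = f"{sc}.storage-class.kubernetes.io/"
            used[prefix + "requests.storage"] = used.get(prefix + "requests.storage", 0) + size
            used[prefix + "persistentvolumeclaims"] = used.get(prefix + "persistentvolumeclaims", 0) + 1
    return used


def admit_pvc(hard, existing, new):
    """Return (admitted, reason) for adding `new` to the namespace's `existing` claims.

    The request is rejected as soon as any hard limit would be exceeded; a limit
    of 0 therefore blocks every claim that counts against that key.
    """
    after = usage_of(existing + [new])
    for key, limit in hard.items():
        cap = parse_quantity(limit)
        if after.get(key, 0) > cap:
            return False, f"{key}: {after.get(key, 0)} would exceed hard limit {cap}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: two gold claims already exist in the namespace.
    existing = [
        {"name": "db-0", "size": "1Gi", "storage_class": "gold"},
        {"name": "db-1", "size": "1Gi", "storage_class": "gold"},
    ]
    for claim in (
        {"name": "cache", "size": "512Mi", "storage_class": "gold"},    # fits under 3Gi
        {"name": "logs", "size": "2Gi", "storage_class": "gold"},       # would exceed 3Gi
        {"name": "scratch", "size": "1Gi", "storage_class": "bronze"},  # bronze is zeroed
        {"name": "legacy", "size": "1Gi", "storage_class": None},       # no class named
    ):
        ok, why = admit_pvc(TENANT_QUOTA, existing, claim)
        print(f"{claim['name']:8} class={claim['storage_class']!s:7} -> {'ADMIT' if ok else 'REJECT'} ({why})")
```

Running the block shows that the zeroed bronze keys reject any bronze claim before a single byte is provisioned, which is the mechanism the comment describes. Note the last sample: in this model a claim that names no storage class is only charged against the namespace-wide keys, so a tenant boundary built purely on class-scoped quota keys also needs the classless case checked on the actual cluster.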
I have updated the Quota example to include these details, see PR https://github.com/openshift/openshift-docs/pull/5114
Jaspreet Kaur Can you please check the PR. I have added the explanations along with the example we already have.
@Jianwei Hou Can you please check this one?
Verified the quota example is updated in our documentations.
Commit pushed to master at https://github.com/openshift/openshift-docs https://github.com/openshift/openshift-docs/commit/8a20eccc8f75991f68d0d30e5e02204a8a758380 Merge pull request #5114 from gaurav-nelson/Bug1373366Fixes Bug#1373366 - Restrict certain pvs only for a given tenant - Fixes
Updates are live at https://docs.openshift.com/container-platform/3.6/admin_guide/quota.html