Bug 1373366 - [DOCS] Restrict certain pvs only for a given tenant [NEEDINFO]
Summary: [DOCS] Restrict certain pvs only for a given tenant
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Gaurav Nelson
QA Contact: Jianwei Hou
Docs Contact: Vikram Goyal
URL:
Whiteboard: 3.7-release-plan
Depends On:
Blocks:
Reported: 2016-09-06 06:24 UTC by Jaspreet Kaur
Modified: 2021-03-11 14:41 UTC (History)
CC: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-03 01:56:01 UTC
Target Upstream Version:
Flags: gnelson: needinfo? (jkaur)



Description Jaspreet Kaur 2016-09-06 06:24:25 UTC
1. What is the nature and description of the request?
Each of our on-boarded tenants orders storage separately and pays for this storage. In our multi-tenant env, if I have a total of 4 pvs (e.g. a, b, c, d), I want to make sure that tenant1 can use only volumes a and b while tenant2 can only use volumes c and d.
We want to ensure that we can do some capacity management on these lines. To do so, we will already enforce quotas. In addition to this, we are labelling volumes to identify them with tenants that are onboarded on our platform.
We now need to be able to restrict the tenants to use the volumes which are meant only for them. Using only label selectors is not sufficient for us as we cannot really enforce the tenants to use them. If they do not use the label selectors, they can still manage to get claims on volumes which were not meant for them. This is something we want to completely avoid.

2. Why is this needed? (List the business requirements here)
Capacity management (details explained above)

3. How would you like to achieve this? (List the functional requirements here)
Maybe using some sort of auth. policy?

4. Are there specific timeline dependencies?
asap

5. Are you able to assist in testing this functionality if implemented?
yes

Comment 2 Jan Safranek 2016-09-16 12:08:23 UTC
This sounds like ACL to me, adding Erin to cc:. So far we assumed that ACLs would be namespace-based, maybe we should consider tenants too.

Comment 3 Steve Watt 2017-02-09 17:37:50 UTC
Access to be able to provision storage is provided via Storage Classes. In order to ensure one tenant (OpenShift project or Kubernetes Namespace) can use a particular Storage Class while another can not, we use quotas. This feature will be available in OpenShift 3.5.

Comment 4 Erin Boyd 2017-02-09 18:30:05 UTC
Storage quotas won't be in until 3.6. In addition it allows multiple namespaces to consume/provision storage from the class.

Comment 5 Erin Boyd 2017-02-09 18:32:08 UTC
@Jan you are correct in that it's restricted via namespace and not to specific users in that namespace.

Comment 6 Erin Boyd 2017-02-09 20:12:21 UTC
I am sorry, I wanted to provide better clarification.

I am assuming tenant to be user, and I believe you mean tenant to be groups of users in a namespace. Is this accurate?

If so, storage class quotas will be the correct way to limit this. Since they are a global resource they are created by the admin and then granted usage via the quota.

This feature will be available in 3.6. Here is how they will be defined:
apiVersion: v1
kind: ResourceQuota
metadata:
  name: storage-quota
spec:
  hard:
    requests.storage: 100Gi
    persistentvolumeclaims: 100
    gold.storage-class.kubernetes.io/requests.storage: 3Gi
    gold.storage-class.kubernetes.io/persistentvolumeclaims: 5
    bronze.storage-class.kubernetes.io/requests.storage: 0
    bronze.storage-class.kubernetes.io/persistentvolumeclaims: 0

So, notice how I set the bronze class to 0, therefore this namespace will not be able to create claims against that class.
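The following is an added example, not code from the bug report, the OpenShift docs or the product itself. It models, in a simplified form, how the quota above gates PersistentVolumeClaims in a namespace: a claim counts against the namespace-wide keys and, when it names a storage class, against that class's `<class>.storage-class.kubernetes.io/...` keys, and it is admitted only if every counted resource stays within its hard limit. The quantity parser (binary suffixes only), the `pvc()` helper and the rule that a claim with no `storageClassName` counts only against the namespace-wide keys are assumptions made for this example.

```python
"""Simplified model of ResourceQuota admission for PVCs with per-storage-class
keys (added example; not from the bug page or from OpenShift/Kubernetes).
Assumptions: quantities use plain integers or Ki/Mi/Gi/Ti suffixes, and a PVC
without storageClassName counts only against the namespace-wide keys."""

import re

SUFFIX = {"": 1, "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4}


def parse_quantity(q):
    """Turn '3Gi' into a byte count; a bare integer is a plain count."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity: {q}")
    return int(m.group(1)) * SUFFIX[m.group(2) or ""]


# Hard limits copied from the ResourceQuota shown in comment 6 above.
QUOTA_HARD = {
    "requests.storage": "100Gi",
    "persistentvolumeclaims": "100",
    "gold.storage-class.kubernetes.io/requests.storage": "3Gi",
    "gold.storage-class.kubernetes.io/persistentvolumeclaims": "5",
    "bronze.storage-class.kubernetes.io/requests.storage": "0",
    "bronze.storage-class.kubernetes.io/persistentvolumeclaims": "0",
}


def claim_usage(pvc):
    """Resources one PVC counts against: the namespace-wide keys plus the
    per-class keys for its storageClassName, if it names a class."""
    size = parse_quantity(pvc["spec"]["resources"]["requests"]["storage"])
    usage = {"requests.storage": size, "persistentvolumeclaims": 1}
    sc = pvc["spec"].get("storageClassName")
    if sc:
        usage[f"{sc}.storage-class.kubernetes.io/requests.storage"] = size
        usage[f"{sc}.storage-class.kubernetes.io/persistentvolumeclaims"] = 1
    return usage


def admit(pvc, hard, used):
    """Return (admitted, reason). `used` holds the namespace's current usage
    and is updated in place only when the claim is admitted."""
    wanted = claim_usage(pvc)
    for key, delta in wanted.items():
        if key not in hard:
            continue  # this quota does not constrain that resource
        limit = parse_quantity(hard[key])
        if used.get(key, 0) + delta > limit:
            return False, f"exceeded quota: {key} (limit {hard[key]})"
    for key, delta in wanted.items():
        used[key] = used.get(key, 0) + delta
    return True, "admitted"


def pvc(name, size, storage_class=None):
    """Constructed PVC manifest used for the demonstration."""
    spec = {"accessModes": ["ReadWriteOnce"],
            "resources": {"requests": {"storage": size}}}
    if storage_class:
        spec["storageClassName"] = storage_class
    return {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
            "metadata": {"name": name}, "spec": spec}


def demo():
    """Replay four constructed claims against an empty namespace."""
    used = {}
    results = []
    for claim in (pvc("gold-1", "2Gi", "gold"),       # within gold's 3Gi
                  pvc("gold-2", "2Gi", "gold"),       # would push gold to 4Gi
                  pvc("bronze-1", "1Gi", "bronze"),   # bronze is zeroed out
                  pvc("unclassed", "10Gi")):          # namespace-wide keys only
        ok, why = admit(claim, QUOTA_HARD, used)
        results.append((claim["metadata"]["name"], ok, why))
    return results


if __name__ == "__main__":
    for name, ok, why in demo():
        print(f"{name:10} {'ADMIT' if ok else 'DENY':5} {why}")
```

Running it shows the effect Erin describes: the second gold claim is refused because the class's `requests.storage` would exceed 3Gi, and the bronze claim is refused outright because both bronze keys are 0, while claims that name no class are bounded only by the namespace-wide limits. That last case is also the caveat for the original request: the quota fences a namespace off from a storage class, not from specific pre-labelled volumes, so any class left out of the quota remains usable.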

Comment 9 Gaurav Nelson 2017-08-29 04:35:14 UTC
I have updated the Quota example to include these details, see PR https://github.com/openshift/openshift-docs/pull/5114

Comment 10 Gaurav Nelson 2017-09-06 00:07:07 UTC
Jaspreet Kaur, can you please check the PR? I have added the explanations along with the example we already have.

Comment 11 Gaurav Nelson 2017-09-18 02:11:49 UTC
@Jianwei Hou Can you please check this one?

Comment 12 Jianwei Hou 2017-09-18 07:06:43 UTC
Verified the quota example is updated in our documentations.

Comment 13 openshift-github-bot 2017-09-27 02:18:48 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/8a20eccc8f75991f68d0d30e5e02204a8a758380
Merge pull request #5114 from gaurav-nelson/Bug1373366Fixes

Bug#1373366 - Restrict certain pvs only for a given tenant - Fixes

Comment 14 Gaurav Nelson 2017-10-03 01:56:01 UTC
Updates are live at https://docs.openshift.com/container-platform/3.6/admin_guide/quota.html

