Bug 1571771 - [RFE] Scheduling of pods on dedicated nodes based on user and/or group
Summary: [RFE] Scheduling of pods on dedicated nodes based on user and/or group
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Derek Carr
QA Contact: Xiaoli Tian
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-25 12:00 UTC by Pili Guerra
Modified: 2021-06-10 15:58 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-12 11:57:43 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Pili Guerra 2018-04-25 12:00:47 UTC
1. Proposed title of this feature request

Enforce node scheduling based on user or group membership

3. What is the nature and description of the request?

Customer is running a centralized, multi-tenant oepnshift environment whereby each of their own customers has dedicated nodes within a specific dedicated subnet. 

It should be possible for users to self-provision projects and for these to be only scheduled within their dedicated nodes. As such, it would be useful to be able to specify default node selectors for a project based on a user or group. 

This is not currently possible when using identity providers other than LDAP, for which they have a workaround in place at the moment.

4. Why does the customer need this? (List the business requirements here)

Currently, they are labeling customer nodes with e.g username=allowed for each of that customers users. Then. in the project request template, they add the annotaion for node-selector to be {PROJECT-REQUESTING-USER}=allowed. That way, even as a self-provisioned project, users will always schedule pods on the right nodes. 

While this works for LDAP, when using Azure Active Directory, the usernames contain "@" which is an invalid character for labelling nodes.

Unless the customer restricts themselves to using LDAP, there's no good way for them to enable users to self-provision projects and guarantee that these will be scheduled on the correct nodes. In order to make their service more user friendly they would like to use different identity providers other than LDAP.

5. How would the customer like to achieve this? (List the functional requirements here)

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?


10. List any affected packages or components.


Comment 3 Kirsten Newcomer 2019-06-12 11:57:43 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new 

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.

Note You need to log in before you can comment on or make changes to this bug.