►
From YouTube: Sharing Clusters: Learnings From Building a Namespace On-Demand Platform - Lukas Gentele, DevSpace
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Sharing Clusters: Learnings From Building a Namespace On-Demand Platform - Lukas Gentele, DevSpace Technologies Inc.
Multi-tenancy is a hot topic in the Kubernetes community right now. IT teams want to enable engineers to work in shared clusters and allow them provision namespaces on-demand whenever needed. This creates a plethora of challenges that cluster admins have to address. This case study will show how the team behind DevSpace Cloud built a public Kubernetes-Namespace-as-a-Service offering, including: - Authentication via Dex - Automatic RBAC configuration - Dynamic admission control via Open Policy Agent - On-Demand namespace provisioning via CRDs - Network isolation using network policies - Resource management using resource quotas and limit ranges - Inactivity detection and automated cleanup of abandoned namespaces - Sandboxing This talk is intended for IT teams that want to create internal Kubernetes offerings to allow engineering teams to provision namespaces in an on-demand fashion.
https://sched.co/ZeiV
A
As
I
said,
my
name
is
lucas,
I'm
the
ceo
of
devspace
technologies,
inc
and
I'm
currently
working
on
loft.
That
is
h,
which
is
essentially
a
multi-tenancy
solution
for
kubernetes,
I'm
also
an
open
source
maintainer
for
several
kubernetes
related
projects
like
dev
space
and
kiosk
project,
which
you
will
hear
about
in
a
couple
minutes.
A
A
That
means
you
plan
to
host
multiple
engineers
or
engineering
teams
in
shared
development
clusters.
So
we're
talking
about
the
pre-production
stage
in
this
talk
and
the
challenge
here
is
really
about
kubernetes
multi-tenancy
and
getting
the
experience
straight
for
your
tenants
in
large
shared
kubernetes
clusters.
A
When
we
talk
about
multi-tenancy
well,
we
first
have
to
understand
what
that
means,
so
essentially,
single
tenant,
kubernetes
clusters
are
clusters,
which
you
hand
over
to
a
single
team
which
you're
running
single.
You
know,
singular
workloads
in
and
multi-tenant
kubernetes
clusters
are
essentially
larger
and
shared
kubernetes
clusters,
which
host
a
variety
of
you,
know
engineers,
engineering
teams
and
their
workloads.
A
So
once
we
compare
those
two
approaches,
we
can
very
quickly
understand
that
single
tenant
kubernetes
clusters
can
be
very
expensive
because
you're
creating
a
bunch
of
kubernetes
clusters
and
someone's
got
to
manage
them.
You
have
to
have
you
know
you
have
to
essentially
pay
the
cloud
computing
resources
for
all
these
clusters.
A
That
means,
for
example,
if
you
are
running
like
a
platform
as
a
service
offering-
and
you
have
you
know,
multiple
users
from
different
organizations
who,
who
you
don't
even
know,
potentially
then
you're
talking
about
a
hard
tenancy
that
you
might
need
for
your
platform,
we're
talking
about
soft
tendencies.
So,
typically,
your
tenants
are
users
all
from
the
same
organization
and
there's
a
small
chance
of
malicious
actors
from
the
outside
organization
outside
of
the
organization.
A
You
probably
already
have
users
in
a
third-party
system
like
active
directory,
google
or
microsoft.
If
you're,
using
like
office,
365
github
gitlab
for
sure
are
systems
that
are
aware
of
your
engineering
teams,
and
you
can
simply
hook
up
an
open
source
project
called
dex
to
your
platform.
It
actually
recently
became
a
cncf
sandbox
project
and
with
dex
you
can
achieve
single
sign-on
for
kubernetes.
A
A
So,
for
example,
you
could
provide
a
cube
config.
You
know
right
after
user
authenticates
through
the
text,
authentication,
workflow
and
let
the
user
in
the
simplest
case
just
download
a
cube,
config
file
right.
Obviously
that
can
get
a
lot
more
fancy.
You
know
if
you
have
your
own
cli
tool,
which
sets
which
creates
cube,
config
files
on
the
user's
machine
and
does
the
authentication
workflow
for
the
user
automatically
right
just
pop
up
the
browser
and
have
them
redirect
to
a
local
host
port
that
the
cli
opens.
A
A
So
you
need,
you
know
things
like
port
security
policies
for
sure,
because
you
don't
want
any
privileged
parts
being
created
out
there,
but
at
the
same
time,
you
really
need
to
make
sure
that
you
use
smart
defaults
for
your
platform
because
ux
really
matters,
because,
if
you're
providing
a
kubernetes
offering
to
engineers,
you
really
care
about
the
adoption
of
your
platform
within
the
organization.
You
want
users
to
actually
have
a
pleasure
in
using
kubernetes.
A
But
if
you
do
that,
then
users
must
specify
cpu
and
memory
limits
within
you
know
all
their
parts
and
containers,
but
they
might
not
want
to
do
that
in
the
early
stages
of
development
right-
and
I
shouldn't
have
to
worry
about
that
too
too
much
to
be
honest,
because
it's
development
stages
pre-production.
Obviously
you
want
to
have
all
these.
You
know
limits
configured
in
production
and
staging
for
sure,
but
might
not
want
to
want
the
engineers
to
worry.
A
You
know
the
first
thing:
they
worry
about
shouldn't,
be
this
so
set
defaults
and
then
let
kubernetes
implement
them
via
limit
range.
It's
a
standard,
kubernetes
construct
which
you
can
use
here
and
essentially
it's
a
mutating
admission
controller,
which
is
going
to
apply
these
defaults
to
all
parts
who
do
not
specify
cpu
and
memory
limits
test
it
out
with
various
workloads
of
your
engineers,
and
you
know,
find
the
smart
defaults
for
your
organization
network
policies.
You
definitely
want
to
have
in
place
as
well,
because
you
don't
want
some.
A
You
know,
network
traffic
go
all
across
your
cluster
here.
So
probably
you
want
to
apply
like
the
default
deny
all
policy,
but
then
you
want
to
open
up
certain
things.
Definitely
you
want
the
user
to
be
able
to
communicate
within
their
namespace
right.
Certain
ports
within
a
namespace
service
should
be
able
to
interact
with
each
other.
A
You
wanna,
probably
for
a
lot
of
containers
or
a
lot
of
namespaces.
You
can
do
this
with
labels,
for
example.
Allow
them
to
you
know,
connect
with
the
internet
and
don't
forget
about
dns
as
well.
Usually
you
want
them
to
connect
to
your
cluster
internal
dns,
but
you
can
also
you
know,
let
them
use
any
outside
dns
service
as
well.
A
The
third
learning
is
essentially
automate
as
much
as
possible,
and
it
applies
to
everything
I
was
just
talking
about
and
additionally
to
you
know
our
back
and
everything
related
to
that
create
templates.
Essentially,
for
anything,
you
might
want
to
use
open
policy
agent,
which
is
also
a
cncf
project
for
dynamic
admission
control,
because
there
are
certain
things
you
can't
enforce
with
standard
kubernetes
rules,
but
opec
can
do
them
for
you
very
easily.
So,
for
example,
host
name
validation
for
your
ingress
resource.
A
You
don't
want
colliding
host
names
and
having
your
ingress
controls
are
kind
of,
like
you
know,
do
some
kind
of
load
balancing
between
different
tenant
applications.
You
want
each
tenant
or
each
namespace
or
whatever
you
define
a
single
unit
here
to
have
a
certain
set
of
you,
know,
subdomains
or
whatever
that
they
can
use,
and
they
should
follow
a
certain
pattern
right.
So
you
could
have
like
a
suffix
or
a
subdomain
of
that
includes
right,
the
tenant's
name
or
the
namespace
name,
or
things
like
that.
A
Right
and
oppa
can
really
check
this,
and
you
know
essentially
reject
anything
that
doesn't
follow
this
pattern
when
someone's
creating
an
ingress.
It's
pretty
easy
to
implement
that.
Additionally,
you
can
use
the
same
hostname
validation
for
the
certificate
resource
if
you're
using
things
like
cert
manager,
so
that
you
know
your
let's
encrypt
account.
Doesn't
you
know
provision
a
lot
of
names,
a
lot
of
host
names
which
aren't
actually
being
used
in
your
system?
A
And
then
you
might
want
to
restrict
certain
storage
and
network
related
configurations.
You
might
not
want
you
know
every
user
to
provision
load
balancers
in
your
aws
account,
you
might
want
to.
You
know,
set
some
restrictions
there,
because
you
may
want
to
provide
some
certain.
You
know
cluster
wide
services
so
that
not
everybody
needs
to
install
their
own
ingress
controller
search
manager,
etc,
provide
these
services
and
automate
them
as
much
as
possible.
For
yourself,
if
you're
setting
up
new
clusters,
you
can
use
terraform
for
that
or
you
know
just
a
simple.
A
You
know
helm
chart
which
you
have
you
know
helm
dependencies
to
nginx,
ingress
controller,
insert
manager,
things
like
that
and
really
bundle
your
configuration
there
and
related
to
that.
I
would
really
recommend
to
store
everything
in
kubernetes,
so
I
would
have
no
state
outside
of
kubernetes,
so
no
like
database,
where
you
keep
track
track
of
certain
relationships,
etc,
and
potentially
you
want
to
also
store
things
in
git,
so
use
kubernetes
related
kubernetes
native
resources,
like
you
know,
annotations
labels
secrets.
A
A
You
have
an
automated
approval
process
right,
that's
really
great!
So
let's
say
you
set
up
a
very
easy
system
for
provisioning
namespaces
and
the
easiest
system
is
to
have
something
like
flux.
You
know
running
in
your
kubernetes
cluster
and
it
essentially
pulls
the
state
of
your
git
repository
and
applies
it
to
your
kubernetes
clusters.
A
This
is
great,
for
you
know,
keeping
track
of
your
platform
state,
but
it's
not
so
great
to
keep
track
of
your
user
workloads
right.
I
would
argue
that
engineering
teams
should
have
direct
access
to
kubernetes
rather
than
having
to
go
through.
You
know,
ci
cd,
you
know
github
system
or
whatever
to
deploy
something
to
kubernetes.
If
they
see
some
tutorial
out
there
to
install
a
hand
chart
that
they
might
need
for
their.
You
know
day-to-day
work
and
want
to
try
it
out
right.
A
They
should
be
able
to
follow
that
tutorial
and
not
have
to
you
know,
add
that
to
a
different
workflow,
etc,
which
makes
it
just
more
complicated,
so
keep
your
platform
state
and
getups,
but
that
doesn't
necessarily
mean
you
also
need
to
keep
your
user
workflows
and
and
everything
that's
related.
You
know
to
their
work
into
into
git
as
well,
and
if
you
want
even
more
control
over
what's
happening
in
your
cluster,
you
can
always
write
a
controller,
introduce
crds
custom,
resource
definitions
and
kind
of
extend,
kubernetes
tell
kubernetes.
A
You
know
this
is
a
tenant
for
us,
for
example
right
and
those
are
the
tenant
limits
that
could
be
objects
in
your
platform
that
you're
creating
and
if
you're
going
extra
fancy,
you
can
even
write
an
api
server
extension
to
solve
the
list
problem.
The
list
problem
essentially
means
you
can
set
r
back
to
get
users
to
perform
cube
ctl
get
on
their
namespaces
right,
but
they
have
to
provide
the
name
of
the
namespace.
If
they
want
to
run
cubectl
list
namespaces,
it's
either
all
or
nothing
right.
A
They
can
either
get
access
to
all
namespaces
and
list
all
of
them,
or
none
of
them
right.
You
can
solve
that
by
an
api,
server
extension
and
essentially
filter
the
namespaces
that
the
tenant
has
and
one
project.
I
was
mentioning
earlier
that
I've
been
working
on
for
a
couple
months.
Now
I
think
we
open
sourced
it
in
february
is
kiosk.
Kios
is
an
extension
for
kubernetes,
provides
an
api
server
extension
and
several
crds
for
multi-tenant
kubernetes
clusters.
A
A
It's
an
extension
of
the
kubernetes
api
server
and
if
the
user
runs
cubectl
getspaces
right,
they
essentially
only
get
those
names
list
spaces.
Sorry,
they
essentially
only
see
those
namespaces
that
actually
have
access
to
vr
back
right
so
where
they
essentially
have
the
permission
to
read,
pods
or
whatever
you
configure
in
kiosk.
Here's
also
those
templates.
A
You
can
use
those
templates
essentially
to
tell
kids
hey
when
someone
when
one
of
our
tenants
creates
a
space
cube
ctl,
you
know,
create
space
essentially
apply
certain
templates
to
it,
and
that
can
be.
You
know,
outbreak
rules,
network
policies,
limit
ranges
whatever
you
may
need
for
your
multi-tenant
kubernetes
cluster
is
great
because
kiosk
does
it
automatically
for
you.
A
And
if
you
want
to
learn
more
about
kiosk
reach
out
to
this
guy
fabian
is
a
kiosk
maintainer
and
really
the
brain.
Behind
all
of
this,
we
launched
the
project
together.
But
if
you
really
want
to,
you
know,
dig
into
the
details,
you
should
definitely
talk
to
him
and
if
we're
looking
at
the
workflow
in
kiosks,
there's
essentially
two
persona
right.
A
There's
you
as
a
cluster
admin
and
then
there's
the
account
users,
which
can
be
a
regular
kubernetes
user
or
a
kubernetes
group
or
a
service
account
right,
and
you
essentially
define
and
manage
accounts
and
account
quotas,
as
well
as
the
templates
right
and
then
users
use
their
account
to
create
spaces
and
when
they
create
a
space,
they
essentially,
you
know,
define
in
the
spec
that
it
belongs
to
this
account
and
then,
when
they
do,
that
the
admission
controller
will
essentially
check
you
know:
hey
the
api.
Server
extension.
A
Sorry
will
actually
check.
You
know.
Is
this
subject
or
service
account?
Who
is,
however,
doing
the
cube
ctl
request?
Who
is
it?
Is
that
person
actually
that
user?
Actually
part
of
this
account?
Will
I
allow
this
right
and
if
the
space
is
being
created,
it
will
create
the
underlying
namespace
and
force
the
templates
that
you
and
have
enforced
for
this
account
right.
A
So
now
we
got
like
kind
of
the
basic
setup
regarding
authentication.
We
automated
a
lot
of
things.
We
restricted
our
users
and
we
might
even
use
kiosk.
You
know
kind
of
to
get
this.
You
know
kind
of
structure
for
for
our
multi-tenant
kubernetes
platform.
The
next
part
is
really
about
how
users
interact
with
the
system.
I
would
argue,
do
not
hide
kubernetes,
but
try
to
make
it
as
easy
as
possible
for
users
to
use
so
engineers
actually
need
access
to
kubernetes,
so
they
need
to
run
cube.
A
Ctl
commands
et
cetera
because
they
want
to
you
know,
verify
new
features
very
very
fast.
I
don't
want
to
have
to
go
through
the
full
ci
cd
cycle.
Just
you
know
when
they
see
something
that
they
might
need,
some
chart
some
hand
chart
they
want
to
install
or
if
they
want
to
just
test
a
new
feature
very
quickly.
A
A
A
The
one
that
you
actually
want
to
work
on
should
run
on
your
local
machine.
Everything
else
is
being
deployed
to
your
kubernetes
cluster
and
what
they
do
then,
is
they
start
like
a
two-way
proxy
between
the
local
cli
and
a
telepresence
part
that
runs
inside
your
cluster,
then
you
can,
with
the
cli,
also
mount.
A
You
know
this
network,
this
network
proxy,
and
you
know
volumes
even
from
the
cluster
and
things
like
that,
so
that
your
local
service
kind
of
feels
like
it's
running
inside
kubernetes,
although
it's
running
on
your
local
machine,
that
has
certain
drawbacks
but
has
a
big
advantage
that
it
feels
from
a
developer
perspective.
I
mean
everything's
running
locally
that
you're
working
on
that
feels
really
great,
but
it's
kind
of
bad
on
windows.
Still
the
network
can
get
pretty
slow.
A
A
That
means
the
developer
uses
a
cli
tool
to
run
a
local
kind
of
cicd
pipeline
that
you
know,
builds
images,
tags
and
push
them
to.
Registry
starts
port
forwarding,
and
you
know
to
the
to
everything
that
has
been
deployed
to
the
cluster,
and
here
everything
gets
deployed
to
the
cluster.
So,
unlike
telepresence,
where
one
service
runs
locally,
everything
runs
in
kubernetes
now
and
to
get
this
hot
reloading
experience
so
that
the
developer
can
still
code
with
their
ide,
and
you
know,
save
a
file
and
see
the
changes.
A
You
know
the
engineer
needs
to
play
around
with
this
in
like
10
minutes,
but
it's
definitely
easier
in
the
long
run
than
maybe
the
network
complexity
of
telepresence.
Let's
get
to
learning
number
six.
When
your
platform
is
actually
up
and
running,
you
should
really
care
about
cost
as
well.
For
the
sake
of
your
organization
and
really
shut
down
idle
workloads,
so
the
first
thing
you
want
to
do
is
enable
auto
scaling
whenever
possible.
A
So
I'm
just
going
to
recommend
a
couple
of
tools:
there's
a
fairly
new
tool
called
cluster
turndown
by
a
startup
called
cubecost,
which
you
can
use
to
set
up
a
fixed
schedule
when
you
turn
down
your
ek,
eks
or
gke
clusters.
So
you
can
essentially
say:
hey
at
you
know:
8
p.m.
Turn
everything
off
right!
Scale
it
down
to
zero,
kill
all
the
notes
right,
that's
pretty
pretty
hard,
but
obviously
it's
doing
the
job
in
terms
of
saving
cost
right
and
then
in
the
morning
spin
up
everything
again.
A
Obviously,
you
have
to
you
kind
of
adapt
to
the
schedule
of
your
engineers
here.
If
you're
based
on
openshift,
you
can
use
idling
and
openshift,
which
is
essentially
network
based
shutdown.
So
if
openshift
doesn't
detect
any
network
requests
for
a
while,
it
can,
you
know
scale
down,
replica
sets
automatically
to
zero,
and
then
engineers
can
just
you
know,
turn
up
the
replica
sets
again
and
in
loft,
which
I'm
currently
working
on.
A
So
you
can
tell
loft
hey
if
the
engineer
hasn't
done
any
requests
to
a
specific
namespace
in
the
past
20
minutes
shut
it
down
right,
shut
down
all
the
replica
sets
or
turn
the
replica
sets
to
zero
and
as
soon
as
the
first
api
server
request
comes
in
reset,
the
replica
sets
to
whatever
they
were
beforehand
and
then
last
but
not
least,
learning
number
seven
is
sometimes
users
just
need
more
than
a
namespace
right.
I
was
talking
earlier
about
single
tenant
clusters
versus
multi-tenant
clusters.
If
you
have
a
single
tenant
cluster,
that's
great.
A
A
What's
with
you
know,
custom
resource
definitions?
Will
you
be
able
to
let
your
users
install
crds?
Probably
you
don't
want
to
do
that
right,
yeah
hand,
charts
use
certain
object
permissions.
What
if
your
users
want
to
enable
certain
kubernetes,
alpha
or
beta
features
or
on
a
different
kubernetes
version?
A
You
know
you
can't
do
that
with
namespaces,
but
you
can,
with
a
construct
called
virtual
clusters,
and
virtual
clusters
are
really
kind
of
kubernetes
classes
that
run
inside
another
kubernetes
cluster
within
a
namespace
right.
So
if
you
let
users
provision
those
they
really
unlock
access
to
cluster-wide
settings
for
those
users,
they
can
do
whatever
they
want
with
their
virtual
cluster.
A
And
then,
additionally,
because
they're
not
true
isolated,
single
tenant,
kubernetes
clusters,
they're
virtual
clusters
running
in
the
same
host
cluster,
you
can
also
do
kind
of
like
a
sharing
of
resources
that
run
in
the
host
cluster.
For
example,
services
like
nginx,
cert
manager
right,
you
just
need
to
run
them
once
and
you
can
kind
of
hook
up
the
virtual
cluster
to
those
host
services
as
well,
which
provides
similar
efficiency
as
namespaces.
A
That
means
we're,
starting
like
a
k3s
cluster
within
one
of
your
namespaces
and
then
have
like
a
syncer
which
syncs
certain
resources
to
the
host
cluster
right
to
actually,
you
know,
start
pots
and
containers
etc.
But
you
have
like
entirely
the
logic,
outback,
etc
encapsulated
into
one
named
space
that
is
hosting
the
k3s
cluster.
So
I
encourage
you
to
check
that
out.
A
A
You
know
implementations
of
different
sizes
of
companies
that
wanted
to
host
multi-tenant
kubernetes
clusters
and
if
you
want
to
dig
into
one
of
these
topics
like
in
more
detail
just
head
over
to
one
of
these
links,
I'm
attaching
to
the
presentation.
There
was
a
really
great
talk
of
james
wen
and
engineering
spotify
at
last
kubecon
and
there's
a
lot
of
great
articles
out
there,
and
I
really
urge
you
to
also
check
out
what
the
sick
multi-tenancy
is
working
on.
A
And
if
you
have
any
particular
questions,
you
know
to
kiosk
whatever
I'm
working
on
or
to
any
of
these
learnings
don't
hesitate
to
reach
out
to
me
and
I'm
also
going
to
be
available
for
q
a,
and
I
think
we
have
about
like
another
five
or
six
minutes
for
this.
So
if
you
have
any
questions,
feel
free
to
ask
them
right.
Now,
thanks
for
your
time,.
A
All
right,
so
that
was
the
main
presentation.
I'm
happy
to
answer
our
questions.
So
if
you
have
any
questions,
feel
free
to
open
the
q,
a
bottom
button
on
the
bottom
and
just
type
in
your
question,
we
already
have
a
couple
of
questions
that
came
in
a
few
minutes
ago.
I'm
just
going
to
read
them
out
loud
and
try
to
answer
them
in
the
in
the
remaining.
A
You
know
five
or
six
minutes
that
we
have
left
the
first
one
is:
what
do
you
think
about
using
oppar
and
check
config
maps
of
that?
Do
you
see
some
bottlenecks
here?
So
a
lot
of
companies
that
my
team
and
I
have
been
working
with
are
actually
using
oper.
It's
a
really
great
project
really
allows
you
to
add
additional.
You
know
really
flexible
security
rules,
your
multi-tenant
cluster,
so
I
definitely
recommend
to
check
out
oprah
is
super
super
useful
for
multi-tenant
clusters?
A
Does
kiosk
have
a
graphical
user
interface
kiosk
as
an
open
source
project,
is
kind
of
like
a
basic
building
block
to
create
soft
multi-tenancy
in
kubernetes,
so
it
teaches
kubernetes
certain.
You
know
crds
that
are
required
like
what
is
a
tenant.
You
know
what
is
a
account:
what
is
a
space
things
like
that,
but
it
doesn't
have
a
gui.
So
if
you
need
something
on
top
of
that,
you
can
obviously
build
that.
A
A
What
is
your
experience,
suggestions
regarding
the
usage
of
crds
in
a
platform
as
a
service
based
on
managed
kubernetes
clusters,
and
then
the
person
asking
these
questions
is
referring
to
issues
with
the
cluster
white
scope
of
crds
yeah.
That's
what
I
mentioned
at
the
end
of
the
talk,
essentially
so
name,
spaces
are
kind
of
like
a
basic
unit
of
you
know,
sharing
multi-tenant
clusters
and
namespace
have
certain
limitations,
because,
obviously
you
don't
want
users
to
install
c
ids
on
a
cluster-wide
level.
A
A
If
you
want
your
users
to
actually
work
with
c
or
ds,
because
in
virtual
clusters,
users
can
essentially
create
cluster
wide
cluster
scope,
resources,
which,
which
can
be
super
helpful
for
soft
multi-tenancy
recorders.
You
know
so
users
to
to
deal
with
orbit
rules,
install
things
like
controllers
and
crds,
even
if
your
users
are
developing
controllers
right.
That
is
definitely
something
to
look
into
the
next
question.
Solutions
like
virtual
cluster
and
kiosks
seem
like
a
very
nice
approach
towards
multi-tenancy.
A
Would
you
classify
these
under
soft
or
hard
multi-tenancy
and
what
is
the
road
map
towards
a
version?
One
production
ready
version,
so
definitely
a
soft
multi-tenancy.
If
you
want
hard
multi
tenancy,
you
need
to
look
into.
You
know
like
really
making
sure
that
users
are
not
sharing
the
same
kernel
things
like
that
or
that
they,
you
know,
there's
like
virtual
cubelet
things
like
that,
where
essentially
your
containers
end
up
on
different
vms
right
things
like
things
like
that
are
definitely
more
towards
heart.
A
Multi-Tenancy
pressure,
cluster
and
kiosk
is
really
for
soft
multi-tenancy.
If
your
engineering
teams
are
supposed
to
share
the
same
kubernetes
clusters
regarding
production
readiness,
both
peers,
as
well
as
virtual
cluster,
have
been
used
by
a
variety
of
of
companies
of
different
sizes
from
small
companies
of
just
like
you
know,
10
engineers
sharing
a
cluster
up
to
100
engineers.
A
I
don't
think
you
want
your
european
engineers
working
the
same
cluster
as
the
ones
in
north
america,
for
example,
right
so
you're
to
have
several
clusters
that
you
share,
and
then
you
know
50
100
engineers,
maybe
200
engineers
may
share
a
cluster,
but
probably
not
10
000..
However,
as
I
said,
both
projects
have
been
used
in
production,
if
I
may
call
it
that
way
for
the
development
use
case,
we're
also
evaluating
both
technologies
for
actually
production
workloads.
A
But
if
that's
something
we
can,
you
know
talk
about
in
the
slack
channel,
so
feel
free
to
ask
any
questions
there
as
well
might
not
be
able
to
to
answer
all
the
questions
here.
Maybe
one
last
question:
sometimes
I
feel
the
need
for
nested
namespaces
or
grouping
multiple
namespaces
into
one
logical,
bigger
namespace,
into
one
logical,
bigger
namespace.
A
Is
that
something
you
consider
useful
for
multi-tenancy?
Definitely
I
mean
the
multi-tenancy
groups
working
on
something
like
that.
I
also
believe
that
google
has
shipped
something
similar
for
gke
right
now,
where
you
can.
You
know
essentially
build
these
hierarchical
name
spaces.
However,
I
think
you
know.
Virtual
clusters
offers
more
possibilities
than
just
nesting
namespaces
essentially,
but
in
the
end
it
does
the
same
thing.
So,
in
the
end,
everything
you
do
creating
you
know.
A
Name,
space
in
your
virtual
cluster
are
actually
gonna
end
up
in
the
same
name,
space
on
your
on
your
host
cluster
right,
so
you're
achieving
a
similar
goal,
but
with
a
different
layer
of
abstraction
and
maybe
more,
you
know,
freedom
and
flexibility
for
your
users
and,
as
we
only
have
like
a
couple
of
seconds
left
to
to
end
this
session.
I
just
wanna
take
the
time
to
thank
you
all
for
for
listening
and
watching
the
video
online
and
the
slides
will
be
online.
I
think,
on
the
scheduling
website.