►
From YouTube: Multi-Tenancy Support & Security Modeling with RBAC and Namespaces - Fred Vong & Michael Y. Chen
Description
Multi-Tenancy Support & Security Modeling with RBAC and Namespaces [I] - Fred Vong & Michael Y. Chen, VMware
As container technologies mature, Kubernetes is clearly gaining momentum with developers as a means to deploy their distributed applications. As more applications and clusters are deployed by more developers, multi-tenancy and isolation become concerns not only for the app developer, but also for the cluster admins. In this talk, we will discuss the various cluster security models available today, and how to use namespaces to provide tenant isolation. We will also demonstrate how to use Kubernetes’ Role Based Access Control (RBAC) feature as means of enforcing a multi-tenant security model. By assigning roles and role bindings and creating namespaces, we can implement restrictions on resource consumption and provide tenant isolation throughout the cluster. We’ll also demonstrate how the RBAC feature provides granularity of access control that can be adjusted to suit varying requirements—from granting full access to users or groups to a cluster to only granting access to specific resources within a namespace. Following the discussion of how to build a security model with namespaces and RBAC, this talk will also feature a live demonstration of RBAC and namespaces in action to illustrate the concepts and show how both admins and developers are affected by the model.
About Michael Chen
Senior Manager, VMware
About Fred Vong
Fred Vong is passionate about the cloud and data center automation technologies. Currently, he is actively working on both OpenStack and container orchestration area in VMware. He believes deployment of whole software stack should be as simple as clicking a button.
Join us for KubeCon + CloudNativeCon in Barcelona May 20 - 23, Shanghai June 24 - 26, and San Diego November 18 - 21! Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.
A
Sorry
for
the
delay,
so
let's
go
and
let's
get
started
so
in
this
session,
we're
going
to
talk
about
a
tendancy
support
with
our
back-end
namespace.
My
name
is
Michael,
and
this
is
a
thread
and
we're
working
on
a
team
to
bring
kubernetes
cluster
to
a
vSphere
environment,
and
we
also
have
a
team
working
on
upstream
in
term
of
various
areas
in
term
of
clustering
scheduling
and
the
various
areas.
A
Okay,
so
we're
gonna
cover
in
this
session
is
we're
going
to
talk
about
the
basics
namespace.
How
can
namespaces
offer
isolations
between
different
users
and
then
how
can
you
use
our
back
to
enforce
policies
and
permissions
to
provide
additional
controls
for
those
users
and
then
we're
gonna
talk
about?
How
do
you
put
a
namespace
and
our
back
together
so
to
offer
multi-tenancy
to
the
users
with
some
level
of
control?
A
I
we
certainly
understand
that
there
is
a
way
to
for
user,
to
create
multiple
clusters
to
offer
that
kind
of
level
of
isolation,
but
you're
going
to
essentially
spending
a
lot
of
resource.
You're
gonna
have
a
lot
of
cluster
to
manage
and
that's
now
ideal
for
most
of
the
environment.
Therefore,
we're
talking
when
we
talk
about
multi-tenancy
here,
we're
really
talking
about
multi-tenancy
within
the
what's
inside
a
single
cluster
and
the
friday
is
gonna,
follow
up
with
that
demo.
A
We
create
a
couple
personas
for
our
use
case,
so
for
most
of
you
guys,
if
you
start
working
on
kubernetes
a
year
ago,
your
task
is
a
lot
of
things.
You
need
to
do
as
a
application
developer,
so
you
not
only
need
to
worry
about
your.
How
do
you
write
your
application?
You
also
need
to
worry
about
how
to
monitoring
scale
your
cluster.
You
also
have
to
worry
about
how
to
create
your
cluster
and
it
does
a
lot
closer
management,
as
times
goes
on.
A
We
believe
there's
additional
persona
gonna
be
created
in
the
future
or
it's
already
starting
form,
and
so
basically
we're
thinking
about.
There
can
be
a
develop
a
mean
person
who
can
help
you
to
help
the
developers
to
kind
of
scale
up
scale
down
the
cluster
and
the
kind
of
monitoring
the
cluster,
and
this
person
can
be
very
much
on
the
same
application
team,
but
just
have
a
little
bit
additional
special
task,
but
the
most
important
part
we
think
is
going
to
be
the
closer
of
creation.
A
The
cluster
management
is
going
to
be
outsourced
to
a
cloud
admin
right,
a
specialized
cloud,
a
me
to
help
you
create
the
cluster,
but
also
that's
a
la
user
level,
management
and
I.
Think
if
you
go
to
some
other
sessions,
one
of
the
sessions
talking
about
is
how
do
you
increase
your
team's
efficiency
if
your
application
team
try
to
develop
applications,
while
the
best
practice
is
essentially
also
or
your
cluster,
your
user
management
to
a
mystery
to
administrator
team,
to
help
you
to
manage
that?
B
Okay,
friends,
micro
for
the
introduction,
the
problem
right
so
I'm
an
engineer
and
try
to
solve
that
problem,
of
course,
so
before
actually
I
can
go
to
at
to
actually
topics,
I'm
actually
cover
ones.
Actually
you
know
what
what
what
like
definitely
I'm
using
our
back-end
namespace
to
solve
the
multi-tenancy
problem
and
also
actually
I
will
talk
about.
You
know
the
models
we
support
and
you
know
some
model.
Actually
we
will
support
in
the
future.
B
So
let's
talk
about
coop
in
any
namespace
and
now
back
how
many
actually
actively
using
kubernetes
right
now,
wow,
there's
a
lot
feel
good
I,
probably
fight
through
it,
because
different
audiences
I
need
to
introduce
some
terminology.
So
basically
I'm
just
actually
introduce
some
terminology.
See
is
I.
Don't
have
to
go
to
this.
Lies
you
probably
know
what
a
kubernetes
just
an
open
source
platform,
decide
to
automate
deporting
scaling
and
operating
application.
Clintus.
I
put
the
link
there.
If
it's
not
family,
just
go
to
Lincoln
and
look
it
up.
B
I
think
you
will
be
excited
to
read
that
the
next
thing
is
actually
the
reason
I
have
to
just
roughly
go
through
the
concept,
because
there's
actually
how
I
use
the
our
back
namespace
actually
to
you
know,
support
the
multi-tenancy.
So
in
the
community
terminology
a
note
is
just
like
either
a
physical
machine
or
just
a
work.
Well
virtual
machines
right
and
names
pay
is
you
know
it's
a
virtual
cluster
actually
provides
relations.
B
Rp
sauces
really
dim
spaces
because,
yes,
we
basically
that's
how
we
can
do
this
multi-tenancy
when
tenants
actually
cannot
see
the
other
attendants
resources.
Port
unit
of
deployment,
single
instant
of
application
in
covenant
is
one
or
more
containers.
Right
and
surface
is
basically
it's
a
obstruction.
How
you
actually
actually
expose
your
surfaces
to
the
outsides
right
and,
of
course
our
back
is
the
group
A's
SS
control?
You
know
we
are
using
to
do
the
enforcement
right.
Okay,
so
I'm
just
actually
quickly
going
through
that.
So
that's
the
way.
Actually
I.
Look
at
right.
B
Kubernetes
actually
is
curved
like
a
platform
neutral,
so
it
doesn't
actually
really
dictate
a
particle
as
the
career
model.
That's
good
and
bad
I
mean,
but
but
that's
actually
what
it
is
for
now
the
there's
two
category
of
users
right.
So
it's
actually
there's
a
service
account
users
so
managed
by
kubernetes,
says
you
actually
go
to
community
created
users
and
then
also
deaths
normal
user
action,
managed
by
also
managed
by
outside
means,
actually
is
I.
Okay,
you
may
actually
have
a
database
somewhere
or
you
may
actually,
as
IDM
or
you
may
have.
B
You
know
you
know
out
there
whatever
right
so
the
user
is
is
managed
by
outside.
That's
that's
why
I
mean
nice
thing
about
that
is
actually
kubernetes
actually
allows
you
to
extend
the
often
the
authentication
plug-in
and
then
authorize
station
parking.
So
actually
you
can
basically
connected
to
you
know
outside
sources
to
do
that.
Authorization
and
authentication.
C
B
So
inside
the
toolbox
right,
so
what
I
get
used
to
do
my
job
right?
Hey,
okay,
so
let's
take
a
look
at
the
namespace
I.
Basically,
this
slide
just
show
that
you
know
how
the
isolation
can
happen
right
so
including
entity.
Actually,
you
you
will
always
create
a
default
namespace
for
you
in
this
case
I,
simply
there's
more
even
type
of
resources
actually
in
the
namespace.
I
only
actually
talk
about
a
port
and
and
surfaces
here,
because
just
you
know
similar
typically
application.
B
Actually
you
lead
to
a
continue
to
run
your
app
or
to
when
you're
conducting
your
application
right,
and
then
you
use
services
to
export
it.
There.
That's
one
way:
services
right,
so
I'm,
just
throwing
there
like
that
three
namespaces,
actually
the
the
port
actually
is
even
named
sizes.
So
is
isolated.
You
know
basically
the
one
port
we
deal
with
in
namespace.
You
cannot
see
the
deport
in
other
namespace,
okay,.
C
B
That's
the
foundation,
you
know
the
isolation
I
need
to
provide
the
use
of
the
multi-tenancy
okay,
so
for
our
bag
just
again
touch
about
the
concept
again.
So
so,
basically,
the
Outback.
The
way
they
set
up
is
actually
there
based
on
rules
right
and
then
there's
two
types
of
row
add
a
to
use.
The
object
called
row
like
there's
a
custo
row
and
row
and
I'm
actually
going
to
give
exam
some
example
later
right
and
then
I'm
to
granting
a
permission.
Actually
the
way
it
works.
B
B
B
It's
a
separate
thing:
this
is
actually
kubernetes.
What
couldn't
kubernetes
provide?
Okay,
so
yeah.
Of
course
I
have
talked
about
subject.
Basically,
you
know
when
you
grant
a
permission
you
grant
to
a
subject.
The
subject:
extra
can
be
a
user.
A
group
in
a
service
account
right,
okay,
so
I'm
just
actually
quickly
go
through
the
the
you
know,
the
things
I
actually
I
can't
define
right.
You
know
if
a
cluster
row,
of
course,
is
your
phone
names,
a
coronary.
B
Basically
I
just
do
a
dumb
using
the
output
right
dumping,
the
the
object
itself,
so
the
so
they
have
a
kind.
Basically,
it's
the
custom
row
and
then
API
version
yeah.
You
know
what
API
over
the
version
like
a
support.
Are
you
using
that
to
we
talked
to
the
the
cabinet
community
to
to
which,
with
law
are
objects
metadata?
B
You
lead
to
a
specified
name.
So
this
is
actually
no
Twitter
review.
Read
the
rules
below
actually
will
it
would
make
more
sense
right
it
actually
don't
don't
limit
it
to
any
API
groups.
The
resources?
Actually,
we
are
you
interested
to
to
differ.
She
was
specify
is
just
a
nukes
right
and
then
basically,
action
you
can
do
is
either
get
watch
and
list.
So
that's,
why
is
it
the
reader?
So
actually
that's
how
you
control
the
you
know
what
you're
a
particular
subject
can
do
so
then,
actually
we
go
to
the
row.
B
The
only
things
actually
make
the
defenses
is
actually
the
row.
Actually,
we
will
ask
you
to
specify
a
namespace
as
well
yeah
in
here
I'm,
just
saying
that
using
default
and
then
you
look
at
the
rules
is
very
similar.
I,
don't
specify
Pataca
I
groups,
API
groups
right,
but
we
saw
in
the
process
actually
inside
the
the
namespace
right,
so
actually
I
say
well,
okay,
inside
that
default
namespace
you
can
you
you
can
do
this
works
like
get
watchlist
on
the
pots,
so,
basically
against.
That's
why
it's
called
pot
reader
row
in
this
case
right.
B
So
the
next
thing
is
actually
I
have
is
customer
binding
right?
So
remember,
I
said
that
you
know
in
order
to
grant
permission
actually
using
robot
into
doing
that
in
this
case.
Right,
if
you
go
to
the
like
the
first
thing,
I
against
is
the
Chi
typical
right
me
know
the
objects
as
this
Chi
API
question
is:
let's
forget
it.
The
name
is
actually
where
you
specify
the
row
binding
name,
and
then
you
now
actually
refer
to
the
subject.
Subject.
B
Right
now
is
the
Kai's
group
I'm
actually
saying
that
or
manager
group
can
do
the
following
right.
So
what
the
foreign
can
do
is
to
move
reference,
saying
that
hey
the
Chi
is
cast
a
row
and
then
you
know
that's
the
one
I
specify
you
know
in
previously.
They
don't
wither.
So
basically,
all
the
group
manager
can
read
the
regionals
okay.
So
let
me
quickly
go
to
the
row
binding
as
well
against
this
this
time
actually
I
base
a
granddad
user
called
James
Wright.
B
If
you
go
down
to
the
subject
and
now,
of
course,
I
miss
something
it's
actually
because
this
row
biding
as
actually
is
particle
in
space,
I'm
actually
specified
namespace
default,
and
then
you
know
the
user
actually
is
James.
Actually,
he
can
read
the
reports,
so
that's
actually
the
Outback,
you
know
give
me
the
coffee,
the
granular
control
like
who
can
do
what
right.
So
that's
pretty
much.
Actually
what
we
build
on
top
of
okay.
D
B
Yes,
I
have
a
problem
when
we
connected
to
out
there
and
we
have
any
issues,
so
the
authentication
actually
works,
but
when
it
coming
back
is
actually
is,
is
the
lower
case.
So
we
ask
the
customer
to
basically
saying
that
sorry,
you
have
to
you
know
when
you
specify
the
going
through
our
interface,
you
have
to
specify
the
user
in
lower
case.
That's
that
temporary
could
get
around
right.
Now.
We
will
address
that.
Probably
later
yeah.
D
B
A
C
A
B
You
guys
don't
mind
I'm.
Just
like
do
a
time
check.
I
probably
will
defer
the
question
at
the
end
or
you
know,
but
let
me
finish
the
presentation
so
I
quickly
go
through
like
the
the
flow
right
in
probably
curious,
actually
how
you
know
the
flow
works.
So
when
a
request
coming,
if
you
look
at
from
the
left
hand,
side
right
when
we
crest
coming
to
the
cupola
the
API
server
right.
So
actually
you
first
actually
saying
that
hey,
you
know,
make
sure
your
desk
user
is
a
valid
user
right.
B
So
actually
you
go
to
a
KX
of
negation
plug-in.
You
can
specify
your
own
plug-in
right.
So
let's
make
sure
that
the
user
is
authenticated.
It's
actually
what
we
know
that
we
who
he
is
right
and
then
the
next
thing
is
actually
based
on
table.
So
actually
you
based
on
operation,
you
will
ask
the
oh
sorry,
I,
actually
I
skip
too
fast
I'm,
actually
at
the
authentication
in
this
case
actually
go
to
the
idea
right.
So
it
doesn't
have
to
be
like
a
local
database
file.
B
Right
so
actually
can
go,
go
to
IDM,
and
then
you
know
I'm
saying
that:
okay,
good,
you
know
this,
is
this
users
authenticate
right?
The
next
thing
is
actually
based
on
the
operation
right.
You
will
actually
defer
to
the
cakes
outlay
of
the
authorization
bracket,
so
you
actually
make
sure
that
okay,
dead
person
right
can
be
authorized
to
do
that
operation
and
after
that,
so
we
could
I
possibly
quest
and
return
the
result.
So
so
I'm
not
sure
it's
pretty.
You
know
generic.
B
B
C
B
I
just
quickly
refresh
the
screen,
I'm
not
going
to
go
through
it,
because
my
co
actually
give
a
very
good
description
already
so
developer.
Devops
is
actually
in
the
application
development
team.
So
basically
they
are
developer,
innocence
right
and
then
the
cow
Amin
is
carved
like
two
rows,
but
we
actually
have
customers
really
warmed.
Who
actually
have
some
basically
mean
want
to
delegate
some
Fung
pivot
to
the
particular
developer.
So
actually,
like
Michael
mentioned,
you
know,
you
can
scale
the
scale
down
the
the
cursor
or
do
a
bit
more.
B
Like
you
know
things
look
in
the
law
of
things
like
that,
okay,
so
this
is
the
the.
If
the
first
model
we
call
exclusive
cluster,
let
me
explain
using
the
way
I
interpreted
it.
Okay,
the
exclusive
cluster
here
means
is
actually
I.
Have
a
cluster
is
exclusive
used
by
a
group
of
user.
So
that's
exclusive
me.
So,
okay,
so
in
this
case
is
like
it's,
a
simplest
model
is
pretty
much
like
you
know
when
your
first
time,
you
know
create
your
your
cluster
right,
you
just
let
your
you
know
coworker
to
use
it
right.
B
It's
a
single
tenancy
right.
What
I
did
here
also
is
actually
basically
collapse,
the
rows
of
them
often
a
mean
and
developer.
So
no
such
a
things.
Actually
they
teach
a
Saudi
worker
and
the
cloud
mean
has
full
control
right.
Have
you
CSS
have
cluster
resources,
any
authorization
user
can
create
a
namespace,
and-
and
just
like
you,
probably
you
went
in
first
time-
create,
could
be
any
cluster
right
and
all
in
straight
service,
also
visible
to
all
authorized
user
means.
Actually,
if
test,
you
know,
you
allow
your
your
coworker
to
use
your
cluster.
B
Basically
it
would
he
can
or
he
or
she
can
delete
your
the
in
space.
Well,
cuz,
the
cluster
we
sort
of
is
invisible
to
all
the
user,
so
in
this
case
against
it's
only
the
the
dear
mean
actually
can
do
it.
So
this
is
a
bit
more
supporting
the
difficulty
there
off.
I
mean
you
know,
model
right,
so
the
the
light
blue
colors
is
the
things
actually
got
changed
from
the
exclusive
cluster
yourself.
So
you
actually
have
the
two
distinct
roles.
Now
we
preserve
that
right
and
a
cow.
B
The
cloud
mean
actually
then
dedicate
some
controls
to
the
DevOps
right
and
then
basically
the
elves
can
do
some
a
means.
Job,
like
you
know,
in
the
cluster
level
resources
right,
any
last
thing
is
actually
the
cluster
resources
are
the
the
color
change.
The
change
once
is
that
we
saw
a
lot
visible
to
all
authorized
developers.
It's
the
same.
Actually
developers
do
actually
bound
by
that
same
rule.
B
So
let's
go
to
the
share
cluster
and
then
we
will
do
the
demo.
Hopefully
it's
more
interesting,
the
the
share
cluster
right
so
share
clusters.
The
idea
is
actually
really
the
supporting
multi-tenancy
we've
seen
the
cluster
okay.
So
the
the
way
you
do
is
against
this
model
is
simplified
model.
We
collapse
the
day
above
the
mean
and
a
developer
right
and
then
basically
against
communists,
have
full
control.
So
you
look
at
the
right
diagram.
B
The
pictures
on
the
right
right,
so
what
it
does
is,
actually
we
acai
the
user
within
the
namespace,
so
we
use
the
namespace
isolate.
You
know
what
they
can
do
right.
What
we
saw.
Actually
they
can
see.
So
that's
actually
that
the
model
is,
and
also
of
course
is
they
are
just
developer.
They
cannot,
you
know,
see
the
custom
resource
as
user.
D
A
The
picture
might
be
a
little
bit
confusing.
Well,
I
mean
what
we
mean
by
each
column.
Is
it's
a
different
set
of
development
teams
that
they
can
use
different
set
of
namespace,
but
there
can
now
see
each
other's
namespace.
So
that's
a
difference.
So
it's
not
the
same
to
developer,
go
to
different
namespace
yeah.
B
It's
a
persona,
it's
not
like
it's
not
that
user
they
can,
but
you
know
it
depends
on
your
tree
is
more
like
persona
in
a
row.
Okay,
so
the
next
one
is
actually
against.
Is
you
know
gifted
is
distinguished
no
row
again,
so
it's
not
much
different
from
you
know
what
I
mean
is
that
the
main
differences
is
actually
against
the
the
the
default
means.
Lecture
has
a
bit
more
privilege
to
deal
with
the
cluster
level
stuff
right.
Look
at
the
dashboard.
Look
at
a
lot
right.
B
A
B
Can
you
see
okay,
perfect
right,
so
this
is
the
product
we
create
to
support
the
the
exclusive
cluster
and
then
I
share
custody
without
a
variation.
So
the
the
basic
model
right
I
already
create
two
cluster,
but
I
just
want
to
show
you
that
you
know
when
you
know
how
do
you
create
a
cluster
did?
Have
this
help
to
you
know
doing
their
demonstration,
so
less
Petain
electrically
when
I'm
not
gonna,
create
one
because
is
take
some
time.
D
B
I
have
ten
minutes
I
less
than
ten
minutes
left,
okay,
so,
okay,
so
let
me
try
to
pretend
I'm
create
exclusive
cluster.
So
actually
I
can
you
know
continue
to
do
my
demo,
so
so
first,
actually
I
picked
up
a
wider
right.
Why
the
in
the
stands
is
you
know
the
treated
as
the
the
IIAs
we
talked
about,
so
it's
a
it's
just
an
object.
You
know
present
in
there.
So
I
picked
a
provider.
Is
s
right
and
then
I
actually
just
quickly
go
through
it.
I
can
specify
like
the
cluster
name
right.
B
B
Yes,
thank
you
so
by
P,
for
X
is
exclusive
classes,
so
actually
I
picked
exclusive
cluster
in
this
case.
So
next
thing
is
actually
s
administrator,
so
I
always
see
you
know
a
bunch
of
users.
So
I
can
pick
the
user.
I
would
like
to
add.
You
know
allowed
to
assess
the
cluster.
So
in
this
case
I,
actually,
let's
say
I
picked
the
Deaf
one,
the
user
I'm
John.
They
only
allowed
him
to
doing
it,
but
for
the
Deaf
to
I
didn't
actually
check
it.
So
just
Nick's
right
and
then
you
just
click
finished.
B
You
would
try
to
create
a
custom
so
so
I'm
not
gonna
create
this
orange
is
just
close
this
window
and
then
I
already
create
exclusive
cluster
for
this.
So
actually
just
quickly
go
into
there
look
at
a
user
and
group,
so
the
users
already
like
what
I
you
know,
try
to
create
right.
It's
actually
the
determine
one
user.
Is
there
okay?
So
let's
do
it?
Demo
I
messed
up
the
window
a
little
bit
so
I,
probably
so.
This
is
the
Deaf
one
user,
like
assume,
make
sure
they're.
One
lock
use
a
lock
into
that
right.
B
D
B
So
let's
say
I
create
the
namespace
staff
right,
so
skirt
right
so
do
the
user
can
can?
Can
you
know
basically
just
like
a
developer
set
up
their
own?
You
know,
kuku
veneer
custo
actually
can
create
a
namespace.
You
know
do
whatever.
Basically
he
or
she
wants
right
and
then
let
me
find
the
death
to
user.
In
this
case.
B
A
B
B
Can
see
the
Deaf
one?
Is
there
okay?
So
that's
good
right
so
as
exclusive
cluster
I
can
use
by
a
group
of
people
right
and
and
then
they
can
actually
a
namespace
x-ray
like
that
right
and
then
let's
go
to
the
as
the
second
model
is
the
share
namespace,
so
I'm
actually
going
through
the
just
roughly
going
through
the
equation
again.
So
the
difference
is
actually
very
similar.
I'm
quickly
go
through
that
right
and
so
actually
I
see
let
that
actually.
B
Right
and
then
I
say
three:
three
okay
and
then
I
have
two.
She
let
the
share
cluster.
So
the
things
change
on
the
left-hand
sides
actually
there's
a
namespace.
Actually
you
it
used
to
be
his
user
in
groups,
but
now
I
actually
show
you
the
namespace
if
I
click
Next
okay,
so
we
asked
me
to
actually
you
know
you
want
you:
do
you
want
to
create
a
namespace
right,
so
actually
I,
say
well
sure
I
want
to
create
the
app
namespace
and
in
this
case,
I
allow
the
DEF
three
to
use
it.
Okay,.
C
B
I
just
say:
Nick's
is
read
similar
I'm
not
going
to
create
again
just
like
the
last
one,
but
I
show
you
the
the
one
actually
I
already
to
create
in
this
case
right.
So
in
the
share
clustered,
you
see
the
tabs
a
little
bit
of
different
for
the
exclusive
fun.
You
see
the
user
in
groups
here.
Actually,
as
you
saw,
the
namespace
I
click,
the
namespace
I
I
create
a
names.
Okay,
I
created
names
play
called
death
all
right,
and
then
you
know
the
only
user.
There
is
def
three
okay.
D
B
C
B
B
You
would
say
no
policy,
yeah
yeah,
so
basically
show
you
I
use
outback
namespace
actually
create.
You
know
two
type
of
cluster
one
actually
is
is
a
cluster
can
use
by
a
group
of
people
and
then
also
you
know
the
other
clusters
actually
can
support
like
multi-tenancy
MOU,
the
user
actually
belongs
to
attendance.
Attendance
cannot
see
the
other
tenants.
C
B
C
A
A
Fred
did
a
good
job
to
create
them,
essentially
the
multi-tenancy
and
to
create
multi-tenancy
with
the
namespace
in
our
back
concept,
was
the
pure
kubernetes
namespace
and
our
policy
right.
So
there.
If
you
go
to
the
multi-tenancy
talk
this
afternoon,
there
are
many
other
things.
Multi-Tenancy
said
this
afternoon.
There
are
many
other
things
Goofy's
talking
about
they're,
talking
about
BS
separation,
coda
separation
and
then
there's
a
potential
of
the
network
isolation.
So
we
are
working
on
those
things
and
eventually
we
should
be
able
to
offer
that
level.
A
B
Mapping
user
row
is
actually
depends.
The
the
authentication
placket
right
depends.
What
of
indication
plug
in
of
course,
in
our
case,
we
using
OpenStack
in
that
particular
implementation,
so
yeah,
oh
sorry,
I,
I,
correct
me.
If
I
didn't
actually
say
the
question
all
right,
the
question
is:
can
you
actually
maybe
actually
I
already
asked
the
question
again?
Sorry,
my
bad.
D
A
We
have
a
plug-in
on
the
backend
so
to
pull
the
user
from
all
the
backend
LDAP
and
then,
when
we
put
them
in,
we
just
map
them
there.
We
don't
do
anything
filtering
or
anything
which
is
both
of
me.
That's
all
yeah
yeah,
we,
the
bridge
the
plug-in
it
doesn't
really
matter
just
if
we
have
a
plug-in
yeah
poly.
So.
B
So
if
you
want
to
go
to
detail,
basically
the
the
authentication
plug-in
will
implement
a
few
things
right.
So
actually,
once
the
authenticate,
it
would
actually
put
the
user
and
row
in
the
contacts.
So
then,
actually,
when
you
pass
through
the
our
bag,
I'll
bet
will
basically
pick
up
the
user
and
and
and
and
group
or
whatever
right
in
the
contacts.
And
then
you
you
do
further
processing.
B
Yeah,
that's
the
limitation
right
now,
basically,
against
that
the
model
we
have
is
against.
This
is
have
limitation
right
right
now
we
don't
either
you
actually
have
to
limit
by
a
namespace
there's
only
two
models
is
bipolar
right
either
actually
are
bound
by
the
one
single
namespace
or
actually
you
assign
to
a
cluster
to
create
any
namespace.
You
well
I
understand
you
know.
Sometimes
you
want
to
actually
delegate
to
you
know
some
user
actually
can
create
extra
namespace.
We
can't
touch
about
that.
B
B
We
are
talking
something
about
future.
It's
not
that
weird.
We
have
an
income
in
that
out
there.
So
remember
my
Cosette
is
actually
it's
per
cluster,
so
I
I,
the
again
is
actually
the
authentication
part.
Is
you
look
at
that
red,
simple,
right?
Well,
I'm,
talking
about
the
the
isolation
of
resource
per
user
I'm,
not
even
touching
the
network,
you
know
it's
the
story,
things
actually,
let's
be
honest.
I'm
actually
not
cover
there,
but
let's
say
using
the
our
bet.
Let's
play
a
play
with
to
our
back
again
right.
C
B
What
do
we
to
do
is
actually
the
authentication
right.
You
have
the
comings
to
some
sauce
right.
So,
as
let's
say,
if
you
can
aggregate
that
right
and
basically
you
know
that
the
user
coming
in
is
the
same
user
right.
So
what
you
need
to
do
is
actually
you
have
to
push
down
the
our
bag
lose
to
all
the
cluster
right.
That's
one!
We
do
that
if
using
our
back,
but
you
know,
if
you
go
through
some
other
talks,
that's
many
different
way
to
enforce
it.
Yeah!
Oh,
if.