►
From YouTube: Logical cluster deep dive
Description
A discussion around how logical clusters are implemented in kcp and how we might approach enabling priority & fairness per logical cluster (i.e. per workspace)
A
It
is
only
for
internals
of
kcp
to
function
so
existing
clients
or
existing
controllers
that
are
able
to
talk
to
kubernetes
or
openshift
or
anything
that
looks
like
kubernetes
or
openshift
from
an
api
perspective
will
continue
to
function.
Discovery
exists,
so
everything
you
could
do
in
client
go.
You
can
do
against
a
kcp
workspace.
A
Some
resources
may
not
exist
so,
like
kcp
doesn't
have
pods
out
of
the
box.
So
if
you
have
a
controller,
that's
trying
to
manipulate
pods-
and
you
point
it
at
kcp-
it's
probably
not
going
to
work,
but
if
you're
just
working
with
namespaces
and
custom
resource
instances,
all
of
those
mechanics
will
function
if
you're
trying
to
write
a
controller
or
a
client
that
is
able
to
talk
to
multiple
or
across
multiple
logical
clusters.
A
A
A
This
we
add
a
cluster
segment
in
between
the
resource
and
either
the
namespace
or
name
for
all
of
our
built-in
types.
So
that's
for
namespaces
secrets,
services
or
sorry
service
accounts
that
sort
of
thing
anything
that
is
a
custom
resource
instance
will
have
registry
group
resource
and
then
either
an
identity
or
the
fixed
string,
custom
resources
for
the
purpose
of
this
discussion.
A
What
those
mean
is
not
relevant,
so
I'm
going
to
skip
over
it
and
then
just
like
we
saw
down
here,
we
do
have
a
cluster
segment
that
precedes
an
optional
namespace
and
the
name-
and
this
is
how
we
introduce
multiple
logical
clusters
into
an
xcd
store.
That's
back
in
kcp
and
then
all
of
the
code
in
the
kcp
fork
of
kubernetes,
which
is
in
kcp
dev
cooper.
C
A
A
A
A
So
if
you
look
at
get,
for
example,
get
will
determine
the
logical
cluster
name
from
the
context.
This
is
something
that
kcp
is
responsible
for
setting
in
a
couple
different
places
why
my
font
size
went
down.
But
if
we
trace
like
you'll,
see
that
there's
a
whole
bunch
of
places
where
this
with
cluster
function
is
invoked.
And
so
you
can
go
look
in
the
places
here
and
they're,
also
in
kcp.
A
A
B
A
A
A
It
would
be
slash
clusters
and
then
you
would
have
a
cluster
name
and
then
the
remainder
of
the
request
would
be
a
standard
request
that
you
would
make
to
kubernetes
or
openshift
so
slash
apis.
Some
group
some
version
some
resource.
It
could
be
slash
api,
v1,
slash
secrets,
so
anything
you
can
do
in
terms
of
metrics
health,
liveness,
probes,
apis,
api
requests.
All
of
these
have
a
prefix
with
the
cluster
there.
A
So
once
we
are
decoding
data,
that's
coming
out
of
ncb,
we
set
that
and
then
that
is
available
to
anywhere
in
the
code
base
that
needs
to
work
with
it
and
the
logical
cluster
package
or
repository.
That's
in
kcp
allows
you
to
take
any
basically
anything
that
has
a
get
annotations
method
on
it,
which
is
all
kubernetes
objects
and
you
can
call
logicalcluster.from
and
that
will
return
a
logical
cluster
name.
That's
been
decoded
from
those
annotations,
and
so
what
you'll
see
is
logicalcluster.com.
A
A
The
there's
a
whole
lot
in
here
so
custom
resources,
for
example,
we'll
take
a
look
at
the
crd,
get
its
logical
cluster
and
use
that
as
part
of
establishing
crds.
So
there's
a
whole
bunch
of
code
in
kubernetes
in
our
fork.
Where
we
are,
you
know,
injecting
or
doing
some
logic
that
involves
the
logical
cluster.
D
D
B
D
A
Each
isolated
cluster
is
what
we're
calling
a
logical
cluster.
So
one
advantage
to
this
is
if
you
and
I
are
both
sharing
kcp
and
I
have
a
logical
cluster
and
you
have
a
logical
cluster.
We
can
each
create
the
exact
same
crd
in
terms
of
group
version
and
resource,
but
my
crd
could
look
100
different
from
your
crd
and
they
will
not
collide
with
each
other.
A
B
D
D
A
Right
yeah,
so
every
workspace
has
a
logical
cluster.
Not
every
logical
cluster
has
a
workspace
and
the
the
logical
clusters
that
don't
have
workspace
are
reserved
for
internal
kcp
system
use.
So
there
are
privileged
kcp
admin
level.
Clients
that
can
go
do
things
with
these
logical
clusters
that
don't
have
workspaces,
but
you
generally
don't
need
to
know
much
about
that
or
worry
about
that.
C
A
Let's
say
that
you're,
I
don't
know
you're
doing
cert
manager,
because
that's
our
canonical
example,
so
cert
manager,
today
only
operates
against
things
in
a
single
cluster
makes
sense
that
that's
what
clusters
are
they're
standalone,
cert
manager
could
be
updated
so
that
you
could
install
one
copy
of
it
and
it
could
handle
certificate
requests
in
any
logical
cluster
across
all
of
them.
If
you
don't
rewrite
or
modify
cert
manager
or
any
other
controller,
then
you
have
to
have
one
copy
installed
per
workspace.
A
A
A
It
just
references,
my
name
and
then
once
I
have
that
api
export
defined,
then
I
am
able
to
look
at
its
status
and
there's
a
special
url
in
there
that
I
would
consume
and
use,
and
if
I
access
that
url,
I
have
the
ability
to
do
a
wildcard
list
and
watch
and-
and
I
can
do-
I
can
do
individual
crud
operations
per
logical
cluster
or
per
workspace.
So
if
I
know
that
you
have
a
certificate
signing
request
in
your
workspace
abc123,
I
would
have
a
url
that
looks
like
clusters.
A
B
C
C
A
A
C
A
Any
I
must
not
have
any
findings
on
this
all
right,
I'm
not
going
to
try
and
make
this
work
on
the
fly,
but
basically
this
is
what
you
would
do.
Is
you
would
you
would
go
through
the
virtual
workspace
url
for
the
api
export
and
then
you'd
be
able
to
see
these
things
and
operate
on
them?
So
if
I
wanted
to
do
something
on
a
single
single
one,
I
could
be.
You
know,
root
abc
one
two
three,
and
if
this
particular
thing
existed,
I
could
I
could
get
it.
I
could
create
it.
A
C
A
A
A
D
A
But
so,
if
I
create
a
thousand
workspaces
that
has
no
bearing
on
this
function
being
invoked
because
it's
invoked
when
the
api
type
is
added
to
the
api
server.
So
that's
when
the
built-in
types,
like
secrets
are
registered.
It's
whenever
a
crd
is
created.
It's
going
to
do
that
per
crd,
and
especially
with
the
api
export
bit
that
I
was
showing
a
few
minutes
ago
when
I
create
an
api
export
for
certificate,
signing
requests.
A
B
B
A
D
Sure
sure
yeah
I
need
some
time
to
digest.
Whatever
you
just
said
and
look
more
into
the
code,
and
I
might
have
some
questions
about
how
you
know
an
incoming
request
is
dispatched
or
does
it
really
make
any
difference
if
there
it?
The
request
is
to
crd
within
a
workspace
or
or
it
doesn't
really
make
a
difference.
D
The
when
I
say
make
a
difference
I
mean:
is
it
the
same
hand
handler
chain,
that's
servicing
that
or
yeah
yeah.
So
there's
no
like
individual
handler
chain
per
workspace
right.
It's
all
served
by
the
same
handler
chain,
but
there
might
be
different
actions
depending
on
the
workspace
or
logical
cluster.
There.
A
Resource
quota
is
running
a
variety
of
go
routines
per
workspace,
so
we
like
that's
just
an
example
of
where
we
have
multiple
controller
instances
and
multiple
admission
instances
where
it's
one
per
workspace,
we'll
do
the
same
thing
for
garbage
collection
when
we
implement
it
other
things
like
the
tokens
controller
rather
than
running
one
token
controller
per
logical
cluster.
We
run
one
token
controller
and
it's
handling
across
logical
clusters.