►
From YouTube: Virtual Cluster - A Practical Kubernetes Hard Multi-tenancy Solution - Fei Guo, Alibaba
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Virtual Cluster - A Practical Kubernetes Hard Multi-tenancy Solution - Fei Guo, Alibaba
Conventional, the concept of Kubernetes multi-tenancy is realized by namespaces. Tenants access controls are limited within tenant namespaces using RBAC rules. The Pod level isolation is primarily done using network policy. This model faces various problems when applied in production since Kubernetes is far from tenancy-ready. For example: 1) APIServer is lack of tenant-aware flow control. A single tenant may generate large amount of concurrent traffic making APIServer unresponsive to other tenants; 2) Tenants cannot install customized CRDs which requires cluster scope permission; We proposed Virtual Cluster solution to resolve the multi-tenancy problem from a different angle. Basically, every tenant will be assigned a dedicated K8s control plane. All tenant K8s shares a big super master. Virtual cluster is built based on CRDs. The entire solution is open sourced in Github.
https://sched.co/Zek6
A
So
multi
tenancy
has
been
us
required
by
many
kubernetes
users
for
a
long
time
from
company's
perspective,
multi-tenancy
impact
both
the
infrastructure
cost
and
the
rd
efficiency,
two
things
that
are
very
important
for
companies
growth.
However,
in
kubernetes
that
multiple
users
should
consume
the
shared
cluster
resource
in
your
isolated
manner
is
not
easy.
A
A
Let
us
reduce
the
problem
scope
a
little
bit
a
little
bit
by
looking
at
the
control
plane.
Only
is
this
possible
for
the
native
community
to
support
the
following:
multiple
tenant
users
run.
Their
workloads
in
a
shared
resource
pool
are
managed
by
a
kubernetes,
but
each
users
can
only
manage
their
own
workloads
and
pass
and
no
matter
what
they
do.
Other
tenants
shouldn't
get
to
be
affected
in
terms
of
the
security,
stability
and
manageability.
A
A
Unfortunately,
the
native
kubernetes
cannot
achieve
both.
In
this
talk.
We
will
see
how
virtual
cluster
can
provide
complete
control,
isolation
natively
so
that
the
user
doesn't
need
to
pay
any
integration
cost
a
little
bit.
A
brief
introduction
to
myself.
My
name
is
feiko,
I'm
a
senior
staff
engineer
from
alibaba
cloud.
I
work
in
the
cloud
native
application
platform
team.
I'm
currently
leading
a
few
communities
related
projects
in
the
area
of
service,
kubernetes
workload,
management
and
edge
compute.
A
Here
is
outline
of
today's
talk.
First,
I
will
present
the
virtual
cluster
architecture
design.
Now
I
will
talk
about
some
technical
challenges
that
we
face
and
how
we
solve
them.
I
will
show
some
experimental
results
to
show
that
virtual
cluster
is
a
practical
solution
and
then
I
will
also
compare
virtual
cluster
with
some
other
solutions
and
give
a
quick
summary
about
the
project
status.
A
Okay,
before
I
move
on,
I
want
to
emphasize
that
this
talk
solely
addresses,
kubernetes
control,
pronunciation
problems
and
the
data
pro
isolation.
Technique
techniques
will
not
be
discussed
in
this
talk
and
some
of
the
existing
solutions
may
be
referred
if
they
are
publicly
available.
For
example,
the
sandbox
container
technique.
A
A
A
The
tenant
user
may
generate
harmful
usage
patterns,
for
example,
the
denial
of
service
attacks,
but
sometimes
those
those
harmful
patents
is
not
generated
on
purpose.
It
can
be
an
accident
so
and,
and
and
lastly,
the
tenant
users
may
serve
other
users
as
well,
so
it
will
make
their
it
make
it
even
harder
to
predict
the
calendar
user's
behavior.
A
A
A
The
tenant
users
cannot
install
class
scope
resource,
which
means
they
cannot
install
crds
web
hooks,
create
scope,
rows,
etcetera.
This
limitation
can
be
a
big
help
mode
for
many
many
kubernetes
use
cases.
Overall.
We
need
to
find
a
way
to
enhance
the
current
namespace
based
multi-tenancy
model
in
a
kubernetes.
A
I
think
there
are,
there
are
many
possible
solutions
to
achieve
a
stronger
as
a
isolation
model
in
kubernetes,
but
when
we
design
virtual
cluster,
our
primary
concerns
are
in
four
aspects.
The
first
is
a
compatibility
we
need
to
make.
We
need
to
make
sure
our
solution
doesn't
change
any
api
existing
api.
So
in
order
to
reduce
the
100
users,
integration
cost.
A
A
A
A
A
Since
the
kubrick
in
the
node
olin
can
execute
the
supermaster,
we
need
to
find
a
way
for
tenant
a
user
to
access
their
parts
using
login
or
streaming
apis.
In
order
to
do
this,
we
add
a
proxy
in
each
node
called
vian
agent
in
in
the
tenant
master.
There
is
a
version
of
the
object
which
maps
to
the
physical
node
that
the
attendant
part
is
actually
running
on
the
version
of
the
object
points
to
the
via
agent,
so
that
the
video
agent
can
proxy
all
the
tenants
requested
to
the
couplet
over.
A
If
you
look
at
this
architecture
concept
wise
now,
the
supermaster
becomes
a
part
resource
provider
and
other
tenant
objects,
management
and
rba
control
happens
in
the
tenant
master
and
all
the
workload
controllers.
Extensions
crds
operators
are
installing
the
tenant
master
directory
based
on
the
user's.
A
Demand:
okay:
let's
see
how
this
design
fits
fits
in
our
criteria
from
compatibility
perspective,
we
didn't
change
any
object,
api
and
semantics
and
we
can
always
support
the
upstream
kubernetes
versions.
People
may
ask
the
differences
between
a
virtual
object
and
a
virtual
couplet
in
virtual
in
virtual
cluster.
Each
virtual
node
has
a
one-to-one
mapping
to
the
actual
physical
node,
which
means
the
part
affinity
and
the
pattern
of
affinity.
Semantics
are
the
same
as
before,
but
the
virtual
cubelet
does
not
necessarily
represent
a
physical
node.
A
In
many
cases
it
represents
a
group
of
nodes,
hence
the
node
semantic
actually
changed
in
terms
of
complexity
complexity,
our
thinker
only
seen
12
api
objects
from
the
tenant
masters
for
c
to
the
supermaster,
not
all
of
the
tenant
objects
and
everything
is
done
using
the
kubernetes
tensions.
The
complexity
is
limited
for
scalability.
A
A
A
Well,
the
benefits
of
this
design
are
clear:
there
are
no
noise
neighbors
anymore
and
when
tenants
cannot
see,
other
tenants
objects
at
all
if
one
tenant
hits
the
security
vulnerability
and
only
that
tenants
get
affected.
The
tenant
user
has
a
full
control
over
the
tenant
master,
which
provides
the
best
user
experience.
A
A
The
sinker
doesn't
change
the
part
name,
but
it
has
to
change
the
partner
space
in
order
to
avoid
potential
naming
conflict
in
supermaster.
Basically,
we
will
add
a
prefix
to
each
namespace
in
the
supermaster,
but
the
problem
is
that
the
user
can
log
into
the
parts
that
are
running
in
a
supermaster,
but
we
have
to
make
sure
the
user
recognizes
his
parts
running
his
tenant
kubernetes
instead
of
the
supermaster,
which
means
inside
the
part,
the
service
service
account
dns
settings
and
namespace
has
to
have
to
represent
the
tenant.
Config
configure
tenant
master
configurations.
A
It
sounds
like
we
have
to
change
the
couplet
to
achieve
this,
but
in
fact
we
didn't
do
that
the
thinker
doesn't
magic.
It
manipulates
the
pod
template
like
a
mutation
web
hook
for
all
the
environmental
variables
service,
recorder,
secrets,
hosa
lines
and
the
dns
config,
so
that
all
the
configurations
in
the
tenant
master
are
used.
A
A
A
A
If
you
look
inside
the
sinker,
they
are
per
object,
reconciler,
which
synchronize
the
object
based
on
the
states
in
the
tenant
master,
informal
caches
and
the
supermassive
informal
cache.
The
idea
is
that
by
looking
by
comparing
the
cache
states,
we
can
minimize
the
pressure
that
a
thinker
may
apply
to
all
the
masters,
regardless.
How
many
objects
needs
to
be
synchronized.
A
A
A
In
the
baseline
case,
all
parts
are
created
in
the
tenant
must,
in
the
super
master
directly.
So
from
this
figure
we
can
see
that
when
using
virtual
cluster
about
80
percent
of
parts
are
created
within
the
baseline
time
range,
the
vc
has
a
longer
pairs
because
of
the
queuing
latencies
in
the
sinker.
A
A
A
Okay,
virtual
cluster
is
not
the
first
trial.
There
are
other
solutions
that
address
the
kubernetes
control
plane.
Isolation
problem,
I
think
case
3v-
is
probably
the
closest
one
compared
to
virtual
cluster
in
k3b,
each
user
has
a
dedicated
control
plan,
which
is
a
modified
case.
3S
api
server
to
compare
in
virtual
cluster.
We
didn't
change
upstream.
Api
server,
also
increased
3v.
It
follows
a
per
tenant
sinker
model,
which
I
think
is
not
necessary.
If
you
look,
if
you
look
at
the
experiment,
experiment
results
I
showed
just
now.
One
sinker
can
support
multiple
tenants.
A
There
is
another
project
called
actos
which
modifies
the
eps
server
to
support
the
new
tenant
apis.
I
think
all
the
existing
plugins
have
to
be
changed
as
a
consequence,
also
in
october's.
If
you
use
a
shared
control
plan
for
all
the
you
for
all
the
users,
then
the
noise
neighbor
problem
still
exists
from
high
level.
Consider
wise
the
single
controller
and
the
virtual
corporate
have
similarities,
but
the
virtual
couplet
use
simplified
provider
interface,
so
it
always
has
some
compatibility
issues.
A
Okay,
last
last,
let
me
give
a
quick
summary
about
this
project.
So
virtual
cluster
is
a
multi-tenancy
working
group
project.
It
passed
99
of
the
kubernetes
conformance
test.
The
failed
ones
are
not
supported.
For
example,
there
is
a
one
field
test
case
asked
for
changing
the
super
master
sub
domain,
which
is
not
supported
in
virtual
cluster
virtual
class,
has
complete
unit
tests
and
annual
test
cases
which
covered
more
than
70
of
the
code.
A
A
A
As
you
can
see,
the
part
is
actually
created
in
the
supermaster
and
the
part
status
is
synchronized
to
the
tenant
master
inside
in
the
tenant
master.
We
have
a
stable
set
called
my
nginx,
but
in
a
supermaster
the
safer
set
is
not
seen,
which
means
the
workload
management
happens
in
the
talent
master.
A
A
A
A
A
A
Okay,
sorry,
I
think
there
are
some
technical
difficulties
to
play
with
the
demo
video.
Let
me
see
how
kind
I
think
I
need
to
work
with
the
team
to
make
sure
that
the
record,
the
recording
the
session
has
a
video
shows
up.
Another
thing
is,
I
think,
in
the
in
the
in
the
session
page
I
can
I
try
to
if
I
can
upload
the
the
slides
back
directly
and
the
video
is
embedded
in
the
slide
deck.
So
if
you
guys
have
time
you
can
just
try
to
play
it
locally.
A
I
think
mark
mark
just
mark
caller.
Just
ask
the
question:
how
do
you
manage
the
network
isolation
to
actually
prevent
unwanted
traffic?
I
think
that's
a
great
question
for
our
the
in
the
multi-tenancy
area,
but,
as
I
mentioned
in
the
flight,
so
this
slide
doesn't
cover
the
the
data
plane,
isolation.
Of
course,
the
network
solution
is
in
part.
I
think
there
are
parts
they
combine,
both
the
control
pronunciation
and
vertical
isolation.
A
I
and
I
do
believe
there
are
a
lot
of
ways
to
try
to
prevent
the
r1d
traffic
in
a
multitesting
model,
but
I
didn't
include
it
as
a
general
practice
best
practice,
because
the
network
startups
in
all
the
different
vendors
are
so
different.
For
instance,
in
some
vendors
car
vendors
use
an
epc
to
do.
You
know
a
narrow
isolation
for
individual
parts,
so
in
real
scenario
or
even
the
cognitive
service,
the
upstream
community
service
may
not
work
because
the
cookie
proxy
has
to
you
know,
access
the
node
in
a
network
stack.
A
Basically,
I
try
to
make
things
a
little
bit
simpler.
There
are
a
few
things
that
I
can
do.
First,
if
you,
if
we
use
the
vpc
model,
one
way
that
we
have
tried
internally
is
that
we
kind
of
change
the
kuvi
proxy
to
inject
rows
into
the
each.
You
know
parts
directly,
instead
of
in
part
namespace
directly,
instead
of
the
whole
network.
Namespace,
that's
one
way
you
can
do
if
you,
if
you
don't
use
the
vbc
network,
something
that
we
can
do
is
we
can
use
the
upstream.
A
You
know
network
policy
to
let
cra
csa
cna
plug
in
to
do
the
network.
Isolation
between
the
namespaces,
the
nice
thing
of
virtual
cluster
is
the
other
tenant
name.
Spaces
are
synchronized
to
supermaster,
so
exactly
that
is
the
one
you
were
mapping
between
the
tenant,
namespace
and
the
supermaster
namespace.
So
one
way
that
I
see
some
of
the
vcu
user
has
tried
is
they
can
come
up
with
their
own
network
policy,
create
throws
policies
into
the
tenant,
the
master
and
the
supermaster
double
sink.
A
The
policy
and
the
cna
plugin
can
honor
those
policies
then
to
to
provide
the
network
isolation
between
them
spaces.
As
a
as
native
kubernetes
does.
I
hope
I
address
some
of
your
concepts,
but
if
you
did
have
more
concerns,
let's
check
later
in
the
slack
channel
about
the
network
isolation,
there
is
a
one
question
from
the
kathy
who
asked
is:
what's
your
class
to
use
in
production
by
any
any
users?
A
So
currently
we
have
virtual
class
has
been
uniting
some
internal,
the
the
product,
but
it
has
not
been
exposed
to
any
use.
Yet
so
in
our
model
is
the
service
product.
So
there
is
a
small,
you
know
part
layer
to
encapsulate
the
virtual
cluster.
So
the
the
end,
the
user,
doesn't
directly
access
to
the
virtual
cluster,
but
I
don't
think
there
is
a
a
technical
difficulty
is
to
impose
the
virtuality
and
the
user
because
in
theory
many
of
the
existing
service
products
kubernetes
does
all
the
same
thing.
A
Each
tenant
has
its
own
tenant,
the
virtual,
the
tenant
master
and
that's
the
interface
that
we
can
provide
owning
additional
concerts.
That
I
can
think
of
is
the
the
privileges,
the
recovery
you
think
about
what
are
the
rights
you
know
service
account
kind
of
what
are
the
right
permissions
that
these
channels
can
operate
on
the
virtual
cluster,
but
for
not
exactly
the
security
perspective,
most
likely
for
the
stability
perspective.
You
don't
want
tenants,
you
you,
you
know
easily
to
to
make
some
mistakes
and
break
down
this
virtual
cluster.
A
The
tooling
wise.
I
see
some
challenges
on
the
tooling.
So
as
far
as
I
can
see
now,
the
biggest
challenge
is
the
dns
the
we
have
to
in
kernel
model.
We
have
to
make
slightly
change.
If
you
look
at
our
github
page,
I
I
I
explained:
how
did
we
just
store
the
tenanted
dns?
That
probably
just
has
a
one
line.
A
Change
to
the
upstream
coding
sg
in
order
include
cooperate
with
this
model
for
the
to
make
sure
the
tenant
dns
works,
but
that'll
be
we
provide
a
guideline
in
the
github
page
and
they
should.
It
is
very
straightforward
and
you
can
easily
understand
what
I'm
trying
to
do
in
there
in
the
queue
allow
the
dns
work.
A
Oh
okay,
I
gotta.
The
latest
question
is
the
question
is
from
way
the
question
is.
I
cannot
link
the
multi-tenant
project
to
solve
this
concept.
So,
okay,
so
do
you
have
any
thoughts
on
it?
So
let
me
explain
a
little
bit
so,
in
my
opinion,
the
service
in
the
service
contact
subject
the
problem,
the
whole
problem,
the
the
idea
is,
we
will
have
a
node
which
is
shared
by
multiple
tenants.
So
the
the
tenant
users
doesn't
have
the
the
ownership
over
the
node
resource.
They
only
have
ownership
to
the
part
resource.
A
A
So
in
all
the
multi
cluster
models,
each
channel
will
have
a
dedicated
cluster
but
rose
battery
clusters.
Also
connect
to
a
dedicated
approval,
node,
so
rose
nodes
can
only
use
by
one
of
the
tenants
in
order
to
provide
strong
isolation.
The
problem
is
the:
u.
No
node
utilization
cannot
be
optimized,
because
if
the
tenant
doesn't
use
the
rules
no
resource,
the
nodes
will
become
just
idle.
The
the
whole
purpose
of
this
service
model
is
trying
to
improve
the
node
utilization.
A
Make
sure
you
know
the
the
the
hardware
resource
can
be
used
by
many
tenants
without
any
interference
or
any.
You
know,
isolation
concerts
between
those
tenants.
So
that's
why
we
start.
We
start
this
project
and
if
you
look
at
our
model,
the
node
we
do
expose,
unlike
virtual
coordinators,
so
the
node
is
completely
abstracted.
We
try
to
you,
know
maximize
the
you
know
the
the
the
node
semantics
in
the
kubernetes.
So
that's
why,
in
our
virtual
cluster,
we
have
a
virtual
node
object
which
actually
maps
to
the
real
node.
A
So
you
can
see
the
everything
that
you
probably
about
load
capacity,
no
name.
What
are
the
parts
running
in
the
node?
So
those
information
are
available
so
from
the
tenant's
perspective,
but
the
but
the
users
just
can
cannot
say
that
I'm
dominating
you
know
that
nobody
else
can
use
it
at
this
moment.
A
Node
is
just
a
part:
research
provider,
there's
no
ownership
for
the
node.
So
notice
ownership
is
belongs
to
the
supermaster.
So
that's
so
that's
a
that's
my
view
to
you
know,
mapping
this
project
to
your
service
concept.
I
hope
I
address
your
content.
So
if
you
do
have
more
questions
about
this,
so
we
can
check
later
in
the.
A
A
Yeah,
I
do
apologize
that
the
the
the
demo
video
is
not
showing
up
yeah.
We
have
some
problems.
While
I
do
the
video
recording,
I
hope
we
can
resolve
it
later
and
especially
if
you
have
a
replay
in
the
youtube
somewhere
and
that
demo
will
show
up.
Also,
I
try
to
you
know
see
if
I
can
upload
the
powerpoint
directory
in
the
project
page
all
right.