From YouTube: 20200630 Kubernetes Working Group for Multi-tenancy
Description
Xiaoning Ding will walk through multi-tenancy features of Arktos (https://github.com/futurewei-cloud/arktos), and see if the community is interested in working together to upstream some of them to Kubernetes
A
B
B
B
B
This project is open source and it's licensed under Apache 2.0. Arktos is derived from Kubernetes at the village diamond core design enhancement. By deriving from Kubernetes, I mean we take the Kubernetes codebase and applied our design enhancements on that. So far we are mostly working on this key husband. Firstly, the native VM orchestration, multi-tenancy and the scale bridge and some cloud age scheduling for today's talk.
B
C
B
Yeah, actually, it's kind of in-between. We are all, probably all from which we were based in Seattle. We ourselves a kind of research group, but this project will be a standalone project. We are also looking for industry adopters, because only by getting feedback from the real product environment we can move forward, so it's kind of in-between. We tested some ideas here, but we also want to be adopted in the real production environment. Okay, thanks and for all the features into the community community is interesting.
B
B
B
And this is an overview of our multi-tenancy vision over our our regions. We want to enable multiple organizations to safely and easily share a physical cluster infra. We all know that they are different models. Our model Helen see. What we implement is a kind of virtual cluster model. We know in the community there is also a project called virtual cluster. The difference here is our vertical is based on one copy of control plane, it's kind of beauty in changes, making changes where we don't deploy separate control plane for each tenant.
B
Instead, all the tenants share one running control plane and they are all isolated. If we look at the diagram, our left side, we can see there are two tenants, each of them access the physical cluster as if they own the physical cluster exclusively, and they are also using the natural Kubernetes API.
B
B
D
B
Our hood is a concept called space. This space is actually a new layer in the resource hierarchy, so with space we will break the whole API server into different pieces. Each tenant has a header space and inside his space he can have always resources, and each API object will be located in one space and only in one space. Here, I put two examples you can see on.
B
The left side will have a pod, which is a namespace-scoped object, right, and the PV is a non-namespace-scoped object, and they are both under the space called QR. Due to some historical reasons, in the actual code implementation we use tenant for space; they are actually the same. We probably were changing naming later. And on the right side, you can see how physically these objects are stored in etcd and to help customer developers easily to tell which space object is located e.
B
B
A
B
Whenever a tenant object is created in a system space, our tenant controller, which watches the tenant object, will kick in and it will create a corresponding space for this tenant object, and it will also initialize this space with this default namespaces and also the default objects. So this space will look like to to to a tulip element where look like the Li, hua Kubernetes connection. So.
B
B
E
Quick question: does the.
E
B
Yeah, for now we are focusing on virtualized Kubernetes features. We didn't introduce new features like hierarchical namespace. We didn't introduce that, but technically for the hierarchical namespace increment, it probably can be implemented. It can be used inside a wall, space I.
E
B
G
B
G
B
B
We have now in our space and we can create a space for tenant and the tenant can create always resources inside a space, so alternates our isolation. But there is a big problem. Well, after we introduce this, we actually create API compatibility, right, because for now for other HR resources, you can see the resource URL has changed. We introduced new way. I did inserted a new layer there. To solve this problem, we introduce a new concept: cutta cutta, cutta half. This is really a key part in our design.
B
This, and this help us makes the whole API like about the compatible and make all our changes almost transparent, 210 on the user's the idea. Actually, it's a visa is single. We modified that, we modify the on the aina pointer any pointer, handle. It seems. Our cache server user can use a full path to access the API object or they can use a short path to access object.
B
B
C
B
C
B
C
Thanks, yeah, yeah. Like, that's one reaction I have right now, is that I would want to operate like I would be a member of multiple tenants simultaneously. For example, like imagine I'm a super admin and I'd want to be able to, where's that only needed for this short path resolution, like if I am, yeah.
B
B
C
B
In this diagram, I give an example: we have 2 regular tenants to our energy to their. The issuer. I can request that you use the original API. The access resource same object for the pure in namespace and s1, but after this short path resolution, it will be automatically change to the full path to the corresponding object in different spaces, but the tool to this Helen uses these are all transparent, which means they can use all their original Kubernetes API and the tools like kubectl and some old stuff. The.
G
G
G
B
B
In fact, they are using their initial path, yeah. Well, when they list-watch using client-go, most of the time they just append a new parameter called a telethon. All there were lists all the objects. If they want to access a specific yeah yeah, then they need to put it at ten. In the name is a a icon, but.
B
That one using the API object, then let me give you example: let's say you have a job controller Aqualad right it. It needs to watch all the pods object, so it is still use the original code. But in the list-watch API call it use an additional parameter, correct and all the work at all the objects. And then we know when the process is in the video object. It knows which object belong to a specific tenant, because we have this field. Okay.
B
In the access control part, for authentication, we support all the authenticators. We just add a new field in the corresponding authenticator, for example, and in the third, where user will use a see him for the tenant name and the for talking and and look here. We append an additional field to indicate which tenant this user belong to, and we put it in as the last field, so it can be compatible with the original identity definition format.
B
B
We plan to support cross-tenant access, but unless another time yet where we are working on that. Know all the other access control, the SDR performed by the current Kubernetes access control mechanism like the role and the cluster role, so the code is changing here, actually is not big. It's very small. We just add some additional checks in the RBAC authorizer or iraq. Riser like this like this. So am sorry.
E
I was just gonna wait until later, but if you're okay with s and now a little curious about how the list watch works in the situation where you have custom resource definitions in different APIs from the system scope, all.
E
H
H
B
Second, so this is the general access control. I know this is a diagram, how we do the resource access, combining access control and the short path. So it's basically a person. We first check you for the target space here. If it is specified not if it's not, then we try to give in further space from the user identity.
B
I
B
Groups, yeah: we did in the changes that apart we're only first up for user identity and come daniel has a you username and the group, right. We still keep that, we just add a third property which is tenant and the you know a bag. We keep all the original code and we just add additional checks on this tenant property I.
I
B
And then now we talked about the client-go and the controller changes. Putin or I talked about earlier was about the changes in API server, right. For the client-go, we add the tenant as an additional parameter in most of the CID methods. This part, actually, we can optimize the design since in the latest version. We introduced the context in Kubernetes client-go, and we also in defining a special and impendent at all. It's like a namespace at all, so you can.
B
So if we are, if for the controller, is running as a system credential, it can perform cross-space list-watch. For all the controllers and schedulers, then they need to make some small code changes. This here at least some example code. It's the kind of typical changes. All these changes are very similar. They are not the non related to the controller submissive logics, it's mostly about.
B
When you listed up there you're interested objects, you use tenant, all not all, so you can't get all the objects from our spaces and then, when you do a certain time, we need to object the queering, updating or correlation. For example, in our controller, you probably need to correlate a replica set object to its pods object, right, previously only based on namespace and the label selector. Now you need to put an additional comparison, compares this tenant field. That's all. All the control the changes are very similar.
B
B
J
B
B
B
So we kind of we reinterpret some concepts. For example, for some regular operation like creating namespaces the resource resources, the parts they are already isolated by space, so there are no problem, and tenants can also reuse this, like a cluster role or cluster role binding or resource quota, it's all same to the tenant admin, but these objects will only apply to its own space.
B
For example, if a tenant admin creates a cluster role binding, this will only apply to the namespace within its own space, it's kind of transparently limited to its own scope, but as this whole thing's transparent to the tenant admin, he doesn't know this has been limited. He thought he's working on the whole entire cluster.
B
B
B
Previously, we have a question about the CRD supported, right, in our design. We already implemented and the way we actually divide the CRD into two different types of CRDs. First, we cover the screaming. First, we call the per-tenant CRD. This is all backward compatible. A tenant can install any existing CRD and operators without any modifications. You don't need to change the YAML files or operator codes or recompile operator codes. It simply runs as little war. It was before, but only inside the current tenant space.
B
If we look at the diagram on the left side, let's say we have three tenants and each tenant install a different CRD. This CRD will only be visible to the current tenant. It will not impact other tenants, but during the implementation we realize there are some CRDs that will be commonly used by all tenants. For example, now some virtual networking solutions are based on status and some storage solution also based on status. This is very likely to be used by other tenants.
B
Technically, we can still have deployed them as a per-tenant CRD, but imagine on a large cluster. Let's say if we have 1,000 tenants, then we need to deploy 1000 copies of these operators. You know, operators and the CRD definition. So to optimize this we introduced a new concept called a system CRD. For system CRD, you only need to deploy one copy in the system space and then you after you test after they tested. We find it is working fine.
B
You apply a special annotation on this CRD, and then it will be automatically visible in all the tenant spaces. The good thing is that, with this system CRD, you only need to deploy one copy. You don't need to run the operators in all the tenant spaces look yeah, but the requirement is for the operator. It'll need to do some slight code modifications to use the tenant on all to watch all the CR objects in different namespaces in different spaces.
E
A
B
I think yes, this, if we were combined if it leads to what you talent at all tend at all for this, there could be a schema schema conflicts. Are differences, change, Chinese, online change, walking on this part and change. I don't know if we think of this case, hey.
F
Yeah, this is Chen and I'm the one who's working on CRD. Now it's like we are, we are working with, so once we have a system CRD, we think like it's the one that what takes a control code. Basically, the system's the re work covers the preparing the CRD, so you won't see the per-tenant CRD. That's our design so far, yeah.
B
F
F
F
Think you're concerning about the schema conflict, right. Is that it's a question so, basically, I would say if, once we have the system CRD, bases that one the designs the system one would be will take control, because we want to, once the system tenant deploy its the RT, we wanted to be consistent across the whole cluster, so it were kind of over once over.
C
Lightly and it correct me if I'm wrong, but I think the question Nick was asking is, let's say the two tenants have installed different versions of the same CRD, but they didn't like actually record them as different versions, so they both happen to install a per-tenant CRD called foo, and then the system user lists all objects that are of type foo. In that case the resulting list that you get will have resources from two different spaces, with two different schemas. Okay.
F
C
F
Thank you. Thank you. Thank you for clarification, I call big question. Now it's like okay, the solution is like two tenants, regular tenants. They have their own CRD and they can different. They have their freedom to define their CRD, so or same GVK, they have different schemes. In that case, you see in the picture on the left after the system. Tenants does not have idea on this CRD, so for such tenant only see our T's.
F
E
Yeah, so it's a similar situation for like sub resources. Like if we used an analogy like sub resources, you can't do a list of the status across the set of resources. You have to get the entire objects. It's a similar situation here. I can't do a list across the CRs for several tenants. Oh yeah.
B
A
B
C
A lot of the issues would be overlapping because I think what Rodolfo wanted to talk about was the possibility of adding namespace-based CRDs to Kubernetes as it is today, and I think you've run into a lot of the same kinds of issues, like what happens if I do a list across multiple namespaces. Now I'm gonna have different schemas and different namespaces. I think it's good to talk about both of these, but yeah, I think at this point we won't have enough time to do Rodolfo's, okay.
B
B
And so far we have talked about the control plane in our design, but they are also isolating in the happening in data plane for the runtime. For the runtime, I mean the OS kernel. Isolation will use the cutter toast about that, and for storage, so far there are no changes, because the most restorative providers already provides the volume-based isolation.
B
The most complicated part is in network because so far the Kubernetes has a flattened network model. Each pod is reachable from another pod, right, and relied on network policy to the to the restitution. But when you have multiple tenants sharing one single physical cluster, you don't want to the tenants and worry about this IP allocation or IP conflicts.
B
So we introduced a new multi network model and currently we are still working on that, and so today I don't have a time on to too much detail to share. We can discuss later. You forgot interested, but there's a key idea is that we introduced a new API object called a network. This is a kind of abstraction how an isolated network this API object, type like it's like. As a network policy object, it can be implemented by any external network providers.
B
C
B
K
No, no, I know what you're introducing a new object, but there is something called a network attachment definition that seems like Multus and other things are relying on, right. So there's already a network object that I think gives you some of this comes for you. You could provide IP space and static routes and unique DNS and defaults, and things like that, and you can associate them with namespaces. It felt like you could always use that and expand it to support spaces.
A
G
B
G
B
No, now we do not require an IP table could proceed depending on which network provider we use. Like, for example, now we use a VPC-based provider to implement and an object on another way. It's actually not the traffic. Another come Institute proxy. It's going through the leads to provide a specific car.
I
It is the primary goal: they're wanting to have uniqueness of IPs, or as long as there is a network isolation, it doesn't matter whether each one have its own IP allocation? Like example, if there was not, if there was a network shared between two tenants or two spaces, as long as the isolation was guaranteed between two different tenants, does it matter whether they're sharing a network or not? Oh yes.
B
This is a good question because in our design we want to support a mostly demanding scenario which, in the public cloud, in that scenario each tenant shouldn't be aware of each other. So if you are sharing one network, but you using some policy to limited access, one tenant can still feel like as a existence of other tenants, because some IP yeah, no, they are not. They are not available some idea available. They need to know which IP range it can use when it can detect something on a or two level.
B
B
Yes, these are well to the kissing actually for them network apart, our network is defined as a CRD. We are wondering if this can be a standalone effort, just as they described some people probably want to use multi network, but the time the necessarily use the for multi-tenancy model. We are working on this hardly.
I
L
B
H
C
One sort of high-level question, which is to compare this with virtual clusters, and it seems to me, and tell me if I've missed something, the biggest difference between this approach and the virtual cluster approach in terms of features is that this approach maintains some kind of concept of sharing between the different clusters. You can have a super admin who, by making calls to the same endpoint, can see stuff from the different spaces, whereas with virtual clusters there's essentially no sharing at all, like there's.
C
B
Difference is this is a cluster across the tenant and management. The other big difference is, I think, the probably more related to the resource consumption or something, because let's say you have a larger class, you have solvents or tenants, and you know we're just sharing wrong kind of one copy. Ups of the way, all right, we do not know how to solve all kind of separate the small control plane between tenant. I'm not saying that that's bad, I mean the pros and cons are for both approaches. Yeah 24 different situations.
K
B
C
And that's, I understand the difference in implementation. I guess what I was wondering is what are the features that fall out of that implementation decision, and I think that the answer is that in virtual clusters there is no concept of sharing, because each API server is kind of a world unto itself. Whereas in your model, because they guess are assured, you've been able to add these features to allow the system namespace. Yes, yes.
G
G
G
It's kind of we before we do press, publish your Sara murder, we do it in different ways. We create a virtual object inside the pen and soul. We have a one level of abstraction. Oh yes, yeah I'm, there I. Would this kind of Laura and counts the part? So would you trust the consume more resource? The benefit is dedicated control plane and you probably have smaller. You know the Duster you know can kind of radius of the failure.
G
Radius is smaller because one can and see if they do something is get on. This only gets over not a whole thing country. Where you, your model, definitely is more efficient in terms of resources, but the costly is you have the shame in a tester where you have you probably reintroduced compatibility issues and you probably have to make sure other plugins have to make some certain changes. That is efforts, that integration efforts that I would say, may you know, have a may introduce the issues when people want.
G
G
B
C
A workgroup and, and so I think this is the good the right place to start this discussion, because the machinery SIG would want to come to us and say, well, hey, what do you think does this, because of course machinery is one part of this change, but there's a lot more to it. There's also networking.
A
C
I
This is really good because in theory this is in fact true multi-tenancy. It appears very in the shared control plane, but practically there are some ok. Scalability could be another concern because you're presumably having one etcd with one control plane and it sort of has to capture the state of all tenants, right, yeah.
B
It was actually well I listed earlier, second abilities, a lot of bigger and feature we are working on. We introduced a multi-point, DTD constants and we partition a cache servers and then we make a controllers active actual mode. So that's another part, but if we got an industry, I can talk about them in others. You have.
M
B
B
So initially, then they look the same. They are using their under two different tenants. Now, let's say if I create I. First demos demonstrates that I create some resources in with one tenant. Firstly, you can see it's all transparent to the tenant users. It's like telling the human cannot feel the difference. It's just a user user, same command, Anais and Caesar, 17 and I say if I create a space, a.
K
B
B
B
B
B
B
B
I
B
B
Everything MC rule rule binding cluster, drew a class of ID and the second in our RBAC authorizer. We only interpret this object through the current space, so customers still use the same object like a cluster role or cluster role binding, but the other one we're only taking effect on the current space, and this is all transparent to the total ends.
B
Okay, so 10 is now tenant. Other means I can do the self management, then that only they can manage their tenant space. They don't need to worry what about an epochal to the class. That means, and the last part is I can create a I quickly put on some CRD definition from the Kubernetes community. Certain documents.
B
B
F
B
F
B
Yes, we know they are not sour kind of mana tendencies, a complicated area and they're. Not so details under you because of it take is a native approach to make combination multi-tenancy. So it's a very challenge it for probably more upstream this. So today it's just about what you need effort to establish regime with you guys what? If we want to have more discussion in the meetings and.