►
From YouTube: 20200825 Kubernetes Working Group for Multi-Tenancy
Description
Presentation on the Multitenancy Operator by Capsule
A
A
So
I
asked
adriana
to
come
and
join
us
today,
because
he
is
the
author
or
one
of
the
authors
of
capsule,
which
is
a
multi-tenancy
operator,
and
I've
noticed
that
there's
there
we're
starting
to
see
a
couple
of
these
pop
up
like
that,
so
there's
capsule,
there's
kiosk,
which
I
don't
know
very
well.
I
only
found
about
that
one
about
a
month
ago.
A
What's
the
same
like
what's
common
between
these
systems,
what's
different,
can
they
work
together?
Should
they
work
together,
like
there's,
no
need
to
consolidate
things
if
they're
truly
solving
different
use
cases,
but
but
yeah?
I
wanted
to
hear
about
what
was
going
on
with
capsule,
and
maybe
we
could
have
a
discussion
afterwards
about
how
these
pieces
should
fit
together,
even
though
we
haven't
heard
from
the
kiosk
team
yet
so
sorry
adriana.
Is
that
the
right
way
to
pronounce
your
name.
C
Yeah
so,
okay,
first
of
all,
thank
you
very
much
for
inviting
me
to
this
to
this
group.
That's
my
first
time
and
let
me
just
introduce
capsule
and
myself,
so
we
developed
a
capsule
when
we
developed
the
capsule.
We
were
not
aware
about
this
working
group.
Really
we
discovered
this
later
after
we
released
the
the
first
prototype.
C
So
what's
the
story
of
a
capsule
capsule
was
designed
because
a
requirement
because
the
requirements
coming
from
our
customer,
we
are
a
small
consultancy,
firm
basic
in
italy
and
we
provide
consultancy,
support
and
on
kubernetes
and
cognitive
technologies.
So
we
have.
We
have
a
customer
that
is
trying
to
build
a
public
container
as
a
service
platform
using
bernates,
and
so
we
soon
discovered
that
straight
kubernetes
was
not
enough
to
support
multi-tenancy,
and
so
that's
why
we
developed
a
capsule.
C
Capsule
is
a
seal
in
early
early
days.
We
did
not
yet
release
the
zero
zero
one
and
we
are
still
on
zero,
zero,
zero
and
so,
but
we
are
receiving
very
good
feedbacks
from
customers,
of
course,
and
also
from
the
community.
So
then
we
discovered
this
working
group.
The
multi-tenancy
working
group
then,
and
the
a
hnc,
h
and
c
yeah
that
that's
the
the.
C
I
don't
know
if
this
is
a
a
feasible
thing,
but
we
hope
we
hope
to
how
to
say
to
to
adopt
your
project
as
a
foundation
for
our
for
our
capsule.
So
please
consider
that
capsule,
the
open
source
project
is
just
the
the
building
block
for
an
enterprise
platform
that
we
are
designing,
and
so
a
possible
approach
is
to
adopt
your
code
base
into
this
platform.
D
C
A
C
C
C
C
C
C
C
A
Let
me
just
want
to
check
it
stay
on
the
line.
Are
you
there
yeah?
Do
you
see
my
screen
yeah?
We
see
your
screen
fake
wow.
Are
you?
Are
you
online
yeah?
Okay,
great
is
any.
Is
anybody
else
who
works
on
the
tenant
operator
online
as
well
or
can
you
represent
any
discussion
about
the
the
tenant
operator.
C
C
So
that's
the
the
approach
namespace
aggregation.
We
want
to
aggregate
namespace
in
a
tenant
abstraction,
so
that's
the
basically
what
we
okay,
we
we
present
this
in
this
way.
So
namespace
is
a
flat
structure.
Any
namespace,
it's
an
isolated
environment
with
constraints
and
these
constraints
cannot
be
grouped,
cannot
be
shared
between
different
namespaces.
C
C
The
resource
quota
you
mean
the
resource
quota
yeah.
We
we
avoided.
You
know,
probably
you
know
that
in
open
shift.
For
example,
you
have
the
project,
a
resource
quota
that
is
a
crd,
a
castle
resource
that
is
used
to
share
resources
between
different
namespaces
different
projects
in
openshift.
They
are
called
projects.
C
C
C
A
C
C
C
Yeah,
exactly
exactly
exactly
so
all
the
persistent
volumes
created
in
the
namespace
entertainment
in
the
namespaces
that
belong
to
the
tenant
will
receive
the
the
the
annotation
telling
you
the
the
storage
class
to
use
and
the.
In
addition
to
the
controller,
there
are
a
set
of
admission
control
admission
web
book,
validating
a
web
book
that
enforce
the
usage
of
the
specific
storage
class.
For
for
this,
so
let
me
let
me
show,
for
example,
you
see
you
assign
these
this
one
to
the
tenant
to
the
oil
tenant.
Okay.
C
C
G
C
Ingress
selector
storage
class,
for
example,
you
see
you
assign
this
storage
classes
to
the
tenant.
Then
all
the
pvc
created
in
these
namespaces
will
receive
this
storage
class,
and
so
the
end
user
is
not
allowed
to
change
this,
because
this
is.
This
is
a
requirement
that
comes
from
the
cluster
admin.
So
the
cluster
admin
set,
the
storage
class,
the
alloyed
storage
classes
into
the
tenant,
and
so
the
regular
user
receive
automatically
this
search
class
and
cannot
change.
F
C
C
So
if
you
have
different
storage
classes,
so
you
can-
and
you
force
the
end
user
to
use
yes
only
as
designed
storage
classes
automatically,
you
have
the
isolation.
For
example,
you
can
assign
a
storage
class
to
a
tenant,
and
this
is,
for
example,
a
sf.
You
are
using
a
sef
storage
class,
and
so
this
storage
class,
for
example,
can
point
to
a
storage
pool
in
yourself
environment,
and
so
you
have
a
storage
pool
assigned
to
the
to
the
single
tenant.
F
F
A
C
User,
the
the
the
end
user
here
allies,
the
end,
our
end
user
is
not
able
to
get
pv
to
get
storage
classes
to
get
nodes
because
it's
it's
you
see.
Let
me
show
you:
when
the
allies
login
to
the
to
the
to
the
to
the
platform
allies
can
check.
Can
I
get
namespace?
No.
Can
I
get
nodes?
No
can
can
I
get
persistent
volume,
no
and
so
on.
F
C
C
C
C
D
C
D
C
C
Yeah
cluster
rule,
okay
and
the
class
rule
binding
okay,
it's
a
namespace,
provisional.
This
row,
this
class
rule
is
assigned
to
the
group
of
the
user,
so
the
only
requirements,
but
we
we
are
changing
this.
We
are
changing
this
behavior.
The
only
requirement
for
to
have
a
capsule
work
to
have
a
working
cap,
a
working
setup
with
cars
with
capsule,
is
to
have
the
user
belonging
to
this
group.
Okay.
C
So
that's
the
only
requirement,
so
we
assign
to
this
group
this
cluster
role,
this
cluster
rule.
So
all
users
all
end
users
are
able
to
create
namespaces,
but
but
the
user
can
delete
namespaces
because
we
assigned
the
permission
to
delete
namespaces,
but
not
at
the
cluster
level,
but
only
at
namespace
level.
So
when
the
user,
when
alice,
creates
a
new
namespace,
she
gets
this
role
binding
namespace
later.
But
this
this
is
assigned
only
to
the
namespace
to
only
to
the
namespace
that
she
created.
C
C
C
C
D
C
This
by
implementing,
so
I
told
you
before
that
capsule
will
be
the
building
block
for
a
a
more
wide
platform,
so
this
platform
will
implement
an
api
that
that
it's
a
open
shift
style
api.
That
will
give
you
the
the
option
to
list
only
your
namespaces,
but
this
will
be
just
a
customization,
is
not
the
the
regular
kubernetes
is
not
allowing
you.
This.
C
So
that's
it
so
the
the
idea.
Anyway.
The
idea
is
to
try
to
to
to
find
something
in
common
with
your
project
and
try
to
try
to
use
part
part
or
all
of
your
project
to
build
something
more
complex.
I
don't
know
it's.
We
are
just
studying
your
your
code
base
just
to
understand,
and
so,
but
we
have,
because
we
are
in
the
early
days.
B
C
A
G
Yeah,
so
we
we,
we
have
implemented
a
similar
version
of
the
tenant
crd.
The
idea
is
so
you
use
every
api
server,
but
we
do
we
use
crd
to
encapsulate
the
namespace
to
work
on
the
program
that
you
list
about
and
how
to
view
their
own
namespace.
Only
so
we
use
a
kind
of
crd
called
tenant
namespace,
which
has
a
kind
of
representative
proxy
for
the
actual
name
space.
G
The
lieutenant
owen
can
manage
the
tenant
name.
Space
object,
so
we
set
right
object,
rules
for
tenant,
namespace
object.
Then
I
mean
this
has
some
you
know
learning
curve.
People
should
understand.
Okay,
one
tenant
name
space
is
corresponding
to
one
real
name
space.
So
that
is
the
way
that
we
we
does-
and
I
I
checked,
but
you
you
does
actually
does
more
than
that.
So
we
currently
only
do
that.
G
So
resolving
the
you
know,
namespace
management
like
create
delete
list,
and
that's
all
about
it,
so
each
tenant
can
only
look
at
its
own,
but
this
is
the
talent
crd.
I
mean
that
that
that
we
have
in
in
upstream
I
mean
in
a
working
group
right
now,
but
yeah,
but
we
do
have
some
other
ways
of
you
know:
grouping
namespace,
you
probably
already
know
we
have.
You
know
I
chance
or
name
space
to
have
another
way
of
grouping
them
space
yeah.
We
do.
G
We
have
a
virtual
cluster,
which
is
a
pretty
different
way
of
another,
very
different
way
to
grouping
them
space
yeah
that
that
that's
what
all
I
can
see,
but
I
think
you
guys
so
you
got
definitely
does
more
than
the
currently
what
we
do
here.
We
already
look
at
the
name,
space
list
power
and
this
power.
G
A
A
So
I
I
do
see
some
people
starting
to
use
it
and
just
to
be
clear,
like
with
h
c,
we've
been
working
on
it
for
close
to
a
year
now,
but
we
only
recently
like
really
tried
to
sort
of
push
out
getting
people
to
like
asking
people
to
use
it,
because
it
wasn't
ready
for
a
long
time.
We
didn't
want
people
to
be
using
it
until
we
reached
a
certain
level
of
maturity.
C
D
C
It
very
interesting-
and
so
I
liked
the
slide
when,
where
you
showed
the
cluster
sprawl,
probably
yeah
this
one-
I
like
it,
I
like
it
this
yeah
yeah.
Exactly
this,
you
see,
I
we
see,
we
see
a
lot
of
a
solution
for
multi-cluster
management
from
any
vendor.
Any
vendor
wants
to
sell
you
cluster
management
solution
with
thousands
of
clusters,
but
we
found
this
a
bit
pain.
D
One
quick
question
before
you
go
there,
so
how
are
you
dealing
with
the
crd
problem?
Are
you
tenants
not
having
crd
collisions
or
things
like
that
for
multiple
tenants?
Let
me
try
to
ask
it
in
a
simple
way,
so
you
have
multiple
tenants
that
happen
to
be
using
similar
components.
They
want
to
deploy
they're,
bringing
but
maybe
they're
different
versions
or
or
different
expectations,
and
and
they
don't
have
the
rights
to
deliver
the
crds
to
the
cluster.
So
now
you
have.
D
D
C
D
A
A
I've
I've
looked
at
a
couple
of
ways
of
possibly
doing
it,
but
the
one
thing
that
I
could
never
figure
out
how
to
do
is
how
just
the
discovery
docs
would
work.
If
anybody
knows
what
discovery
docs
are.
I
I
wanted
to
actually
go
ask
a
couple
of
people.
What
would
happen
if
we
just
didn't
do
discovery?
What
would
break
but
yeah,
so
hnc
took
the
approach
that
we're
just
adding
features
to
namespaces.
A
We
are
not
trying
to
create
virtual
clusters,
so
virtual
clusters
will
solve
this
problem
because,
with
virtual
clusters
each
tenant
gets
their
own
api
server,
yeah,
and
so
with
you
with
your
own
api
server.
Obviously
you
get
your
own
crds
and
so
right
now
that
is
one
of
the
I
would
say
like
if
you
want
a
multi-tenant
cluster,
but
you
also
want
crds
pretending.
Crds
virtual
clusters
are
the
way
to
go.
You
don't
really
have
any
options
and
there's
either
so
yeah
fake
and
can
help
you
out
there.
A
D
Oh
yeah,
I
was
familiar
with
that.
I
was
more
interested
in
whether
capsule
had
some
creative
way
of
dealing
with
it
sounds
like
you're
telling
me.
There
are
no
creative
ways
at
the
moment
right,
essentially
and,
and
the
problem
with
something
like
virtual
clusters
is.
If
you
have
networking
an
example
that
is
a
little
more
sophisticated
than
than
a
flat
net
typical
approach,
it
kind
of
breaks
down.
A
D
A
D
I
I
built
a
solution
that
builds
bare
metal
cluster.
I
I
took
phase
10
and
operator
and
I
expanded
it
to
do
something
along
the
lines
what
capsule
is
doing,
but
but
we
always
run
into
this
crd
problem.
So
at
the
moment,
we
roll
back
we're
dealing
with
basically
building
building
clusters
on
vms,
on
behalf
of
the
vendors,
to
avoid
this
problem.
A
D
H
There's
also
just
a
call
out
a
handful
of
other
things.
I
know
we're
experimenting
with
virtual
cluster
and
it
seems
pretty
great
for
what
we're
trying
to
do,
but
there's
also
a
handful
of
other
projects
to
check
out
in
this
space.
Like
I
know,
darren
shepard
from
rancher
has
an
old
project
called
k3v,
which
is
meant
to
be
like
k3s
virtual
clusters,
but
that
changes
the
way
that
everything
is
structured,
where
it
ends
up
mutating
all
requests
and
putting
them
into
a
single
name
space.
H
H
G
G
I
would
say
that
is
a
commercial
version
of
the
virtual
cluster,
but
again
the
the
their
implementation
is
kind
of
still
different
from
what
exactly
we
do
in
the
details,
but
high
level
picture
the
same
thing:
each
talent
has
its
own
dedicated
api
server
and
they
share
one
super
master
for
the
particle
vision.
But
we
differ
in
the
details.
I
don't
want
yeah,
I
don't
think
yeah.
I
I
want
to
think
more.
C
C
E
No
absolutely-
and
this
is
why
we
sort
of
initiated
this
track,
because
I
think
what
we
sort
of
foresaw-
even
even
you
know,
as
as
before
some
of
these
newer
projects
came
about.
There
was
this
growing
interest
in
different
ways
of
doing
multi-tenancy,
but
there
was
no
quick
way
of
determining
if
a
namespace
was
configured
for
multi-tenancy
right.
So
that's
that's
what
we're
trying
to
accomplish
here-
and
I
believe
I
I
think,
maybe
we
you
know-
maybe
we
interacted
on
one
of
the
pull
requests
you
created.
E
If
I
recall
so,
we
have
the
scoop
cuddle,
mtb
plug-in
now,
which
you
can
run
on
a
namespace.
It
will
go
through
a
set
of
benchmarks
and
give
you
a
report.
We
demonstrated
that
I
think
a
few
weeks
ago
in
one
of
our
meetings,
so
the
idea
is,
we
need
to
go
back
and
define
now
what
the
right
you
know
profile
level.
One
and
two
benchmarks
would
be
for
different
levels
of
multi-tenancy
right,
one
of
the
things
that
was
important,
though,
and
I
think
you've
solved
this
a
bit.
E
You
know
with
your
project
is
allowing
self-service
and
sticking
to.
You
know
just
kubernetes
concepts
versus
introducing
new
abstractions
right,
so
that's
those
are
some
of
the
things
we're
trying
to
figure
out
and
then
also,
I
think,
for
this
working
group.
What's
interesting
is
you
know,
do
we
sort
of
accept
that
okay,
there's
gonna
be
several
ways
of
configuring
multi-tenancy
and
we
want
to
encourage
different
ways
of
doing
this,
but
maybe
there's
a
few
things.
We
want
to
standardize
on
like
with
the
benchmarks
and
perhaps
with
some
annotations
and
things
we
can
define.
E
Maybe
quota
is
not
a
good
example,
because
you
can't
edit
that
with
the
namespace
admin
role,
but
let's
say
you
create,
you
know,
network
policy
right
and
how
do
you
prevent
the
tenant
from
deleting
this?
So
I
think
what
you've
done
is
you've
written
a
custom,
mutating
or
validating
webhook
for
that,
but
if
there's
a
general
way
to
know
that
this
resource
needs
to
be
protected,
those
are
the
sort
of
things
we
might
need
to
standardize
on,
so
that
this
particular
resource
is
not
something.
E
Is
there's
actually-
and
this
is
some
work
that
we're
doing
in
the
policy
working
group
is
we're
creating
a
common
report
for
different
policy
engines,
so
the
benchmark
tool
will
also
produce
that
common
report,
which
can
then
be
consumed
programmatically
or
just
as
a
cr.
However,
you
wish
okay
so
yeah.
The
idea
would
be.
You
can
periodically
scan
your
cluster
if
a
new
namespace
is
created,
you
can
audit
it
for
multi-tenancy
and
at
least
show
compliance
right.
So,
okay,.
C
E
E
Definitely,
let's,
let's
collaborate,
and
maybe
we
can
discuss
more
on
the
slack
channel
and
you
know
it
would
be
interesting
to
run
so
if
you
have
a
cluster
set
up
or
if
you
know
we
can
try
this
out
on
one
of
our
test
clusters
and
also
run
the
benchmarks
and
we're
going
through
the
same
process
with
hnc
as
well
and
we'll
do
the
same
with
virtual
clusters
to
audit.
For
you
know:
compliance
okay,.
E
A
Yeah,
that's
the
one,
that's
the
most
similar
to
what
you've
built
in
that,
whereas
agency
is
quite
low
level
and
you
could
probably
build
not
all
of
capsule
on
it
because
we
do
have
like
for
name
space
self
service.
We
do
have
a
special
object.
It
is
the
it's
only
one
that
users
have
to
deal
with,
but
it
is
one
so
yeah
we
do
other
than
that.
A
A
You
don't
have
that
you
don't
have
any
one
object.
That
represents
the
sorry
you
don't
have.
You
have
exactly
one
object
that
represents
the
tenant,
but
there's
no
one
namespace
that
represents
the
tenant.
It
is
an
aggregation
of
namespaces,
whereas
that's
not
true
in
the
tenant
operator,
I'm
not
sure
which
I
don't
know.
If
we
we
need
both,
it
could
be
that
it
would
be
nice
to
sort
of
sit
down.
I'd
love
to
do
it
in
person,
but
that's
not
possible.
It
would
be
nice
to
have
a
look
sometime
and
see
like.
E
Okay,
well,
the
other
interesting
question.
There
is
also
what
sort
of
flexibility
do
cluster
admins
require
right.
So
I
think,
with
with
some
of
these
names,
multi-tenancy
or
namespace
based
constructs
like,
for
example,
with
ingresses
right,
allowing
shared
ingresses
versus
per
namespace
like
who
should
make
that
decision?
Is
it
like
a
cluster
admin,
or
is
it
a
a
project
that
makes
that
decision
right.
E
A
A
C
So
by
sp
I
can.
I
can
speak
from
my
experience
from
my
field
experience
this.
This
is
something
that
is
the
the
clustered
means
tend
to
to
keep
for
themselves,
yeah
that
they
don't
don't
leave
these
freedom
to
the
end
users
so
because,
because
they
so
you
know
the
ingress,
it's
more
related
to
the
to
the
networking
to
the
networking
part
yeah.
So
you
know
we
we
can.
C
We
everybody
want
to
wants
to
to
remove
silos
in
I.t,
but
silos
are
still
there
and
so
sometimes
the
network
guys
they
don't
allow
end
users
to
decide
which
which
how
to
expose
the
the
services
they
want
to
to
keep
this
under
their
control.
So
it's
more
something
that
is
from
the
cluster
admin
duty.