Comments (6)
@FabianKramm Thanks for the very thorough explanation. I like the CRD approach because they can be scoped to a namespace which I assume allows Kiosk to give tenants visibility to the resources, e.g. accounts and tenants, they "own". It really wasn't clear from reading the KEP for the hierarchical namespace controller which resources would be synchronized with child namespaces. I think it mentioned RBAC and network policies but then the tenant KEP seemed to imply that you could define other objects. We should probably continue this discussion in another issue/thread since it no longer pertains to "field is immutable" issue I was having. Thanks again for the response!
from kiosk.
@jicowan Thanks for opening this issue. Seems like a bug. To narrow it down: Can you try kubectl create
instead of kubectl apply
? Does that work?
from kiosk.
create
works.
from kiosk.
@jicowan thanks for reporting, yes this was initially implemented to prevent users from overwriting annotations and labels defined in the space template in their account. kubectl create
works because it is not setting any annotations, while kubectl apply
does (for the three way merge later on). However, I changed this behavior so now that when annotations and labels are defined in the space template they will overwrite the ones provided by the user otherwise it is allowed to set annotations and labels and they will just go through.
from kiosk.
@FabianKramm there is a similar effort underway in sig-multitenant with the tenant CRD and hierarchical namespace controller. Are you working with the community on this effort?
from kiosk.
@jicowan yes we are very aware of the tenant CRD and hierarchical namespace controller. While I think parts of the scope and goals of these projects are aligned with what kiosk is trying to accomplish, there are also quite some differences.
The basic primitive in the approach of the multi tenancy group is a tenant crd object and the corresponding tenant admin namespace that comprises all related resources to that tenant, such as allowed namespaces (tenant namespace crd), roles etc. The hierarchical namespace controller allows to define sync hierarchies between namespaces and basically allows some sort of templating for new and existing namespaces. When we first thought about kiosk and what it should accomplish we initially wanted to build upon these efforts from the multi-tenancy group, however we had some concerns with the approach the multi tenancy took:
- There were several problems from an users endpoint we wanted to improve on: for example, retrieving allowed namespaces an user has access to is not trivial with the approach the multi-tenancy group took, since the user at least needs to know its tenant admin namespace. In kiosk, you can easily run
kubectl get spaces
orkubectl get accounts
as any user and see only the resources you have access to. This approach is more like how openshift is doing things with projects, which we believe is the superior approach instead of creating access resources (tenant namespaces) in each tenant admin namespace which takes additional space in the etcd. - There is an overhead in unused resources that are just there for templating and defining hierarchies but are actually functional in kubernetes and controllers will act on them: each tenant has one admin namespace and potentially additional resources (like resource quotas, network policies etc.) that will be synced to tenant namespaces. These resources are all functional itself and could slow down kubernetes controllers since caches get bigger and those resources also need to be reconciled. We feel this overhead is not needed and template resources should be separated from "real" resources.
- Since the kubernetes sigs are a place to develop future standards for certain areas, we felt the pace these projects were moving for now was not fast enough for us. There are several efforts in the multi tenancy sig on the way, however we still feel that they are not mature enough to be built on. We are very aware that might change in future and we are very open to replace parts of kiosk with efforts from the multi tenancy group if they reach a more mature level and are widely accepted. We are also very open to help them in certain areas.
These concerns lead to the decision to build kiosk not on top of the efforts of the multi tenancy group for now. Nonetheless, these initial problems we had with their approach does not mean their efforts and our efforts are mutually exclusive and we might reconsider in the future. Besides the technical foundation, I think kiosk has a wider scope than what the multi tenancy group currently wants to build: e.g. multi cluster management. So I think kiosk is definitely not designed as a competitor to what the multi tenancy group is doing, it is rather designed as a project that provides a single coherent (though opinionated) solution to the topic that might be build on some of the building blocks the multi tenancy group provides in the future.
from kiosk.
Related Issues (20)
- Option to choose namespace destination for helm chart HOT 10
- Is redundant code?
- Account: Allow to apply custom label/annotation on namespace HOT 2
- kubens support HOT 5
- Access problem need help HOT 2
- Kiosk server port is not configurable HOT 1
- Delete Account doesn't delete the underline spaces HOT 2
- unable to retrieve the complete list of server APIs: tenancy.kiosk.sh/v1alpha1 HOT 2
- Kiosk restarted several times HOT 3
- Spaces can not properly be created by ArgoCD, resources show as OutOfSync HOT 6
- Hey is it possible/ how to use kiosk with saml2-based ADFS ? HOT 1
- Account spaceTemplate is not reconciled HOT 3
- Unsupport kubernetes server-side apply HOT 1
- Changing label in namespace doesn't update rolebinding
- Question: How to setup in existing cluster - Namespace migration HOT 3
- accountquotas resources cannot be edited after upgrade k8s to 1.22 HOT 2
- Unable to create template instance with parameters HOT 1
- Can map exists namespace in k8s cluster to new space? HOT 1
- can kiosk deploy's Replicas more than one? HOT 4
- Debug Mode to see failed rendered chart? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kiosk.