| ICN Requirement | Tenant Controller |
|---|
Multi-cluster tenant controller - Tenant created at Multi scheduler site (ONAP4K8S)
| Cluster level tenant controller |
Identifying K8S clusters for this tenant based on cluster labels - Send the Tenant details to the K8s cluster
| Tenant is created with CR at cluster level [Implemented] |
At K8s cluster level - Creating namespace
- Creating K8S users (Tokens, Certificates and User/Pwds)
- Creating K8S roles
- Creating permissions to various roles.
| - Tenant controller at K8s cluster level [Implemented]
- A tenant can have multiple namespaces
- Tenant-a
- ns1
- ns2
- It creates Tenant-a-ns1 and Tenant-a-ns
- Cluster-admin: This persona has full read/write privileges for all resources in the cluster including resources owned by various Tenants of the cluster [Not implemented].
- Cluster-view: This persona has read privileges for all resources in the cluster including reasources owned by various Tenants [Not implemented].
- Tenant-admin: This persona has privileges to create a new tenant, read/write resources scoped to that Tenant and update or delete that Tenant. This persona does not have any privileges for accessing resources that are either cluster-scoped or scoped to namespaces that are not associated with the Tenant object for which this persona has Tenant-admin privileges.[Implemented]
- Tenant-user: This persona has read/write privileges for all resources scoped within a specific Tenant (that is resources that are scoped within namespaces that are owned by a specific Tenant) [Not implemented].
|
Certificate Provisioning with Tenant - Suggestion to use Isito using citadel
| Suggestion to bind the tenant with kubernetes context to see namespaces associated with it[Not implemented]. |
- Quota at the application level.
- Tenant group support: Quota at the tenant group level (Multiple namespaces), ISTIO at the tenant group level.
| - Resource quota based on the tenant with multiple namespace[Not implemented].
|