Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📖 Namespace separation proposal #11691

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

marek-veber
Copy link

What type of PR is this?:

/kind documentation

What this PR does / why we need it:

This PR serves as a starting point for the discussion about running multiple instances and defining which installation will watch which namespace.

See issues:

@k8s-ci-robot k8s-ci-robot added kind/documentation Categorizes issue or PR as related to documentation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-area PR is missing an area label labels Jan 15, 2025
@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 15, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link
Contributor

Hi @marek-veber. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Copy link
Contributor

@elmiko elmiko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @marek-veber , the design makes sense to me, i have some questions about various details.

a provisioning cluster which is provisioned cluster at the same time

also, i'm finding this phrase to be slightly confusing, is there a clearer way to state it?


## Motivation
Our motivation is to have a provisioning cluster which is provisioned cluster at the same time while using hierarchical structure of clusters.
Two namespaces are used by management cluster and the rest of namespaces are watched by CAPI manager to manage other managed clusters.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think these sentences could be a little clearer, i'm not fully understanding the motivation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1
TBH this seems more a description of a solution (use a ns as a tenancy boundary), with some assumption how organizations should use this feature (two namespaces, why two?)

Let's please expand on the problem we are trying to solve in this paragraph, so we can then properly understand the solution down below

* https://github.com/kubernetes-sigs/cluster-api/issues/11193

### Goals
We need to extend the existing feature to limit watching on specified namespace.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just to be clear this is extending the existing feature for supporting multiple instances of cluster-api?

Copy link
Contributor

@nrb nrb Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's extending the existing --namespace option to allow more than 1 namespace to be watched, like L95 of this document.

We need to extend the existing feature to limit watching on specified namespace.
We need to run multiple CAPI controller instances:
- each watching only specified namespaces: `capi1-system`, …, `capi$(N-1)-system`
- and the last resort instance to watch the rest of namespaces excluding the namespaces already watched by previously mentioned instances
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there prior art on cluster-api controllers watching multiple namespaces? (just curious)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/kubernetes-sigs/cluster-api/blob/main/main.go#L170-L171 shows that we can take in a single namespace, which eventually gets specified as a controller-runtime cache.Option.DefaultNamespaces option (https://github.com/kubernetes-sigs/cluster-api/blob/main/main.go#L346).

The documentation for that field (https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/cache/cache.go#L182-L193) implies to me that multiple namespaces are supported, but I'm not familiar with the implementation, and I know that somewhat recently @sbueringer and @fabriziopandini put a lot of effort into making sure caching was optimized.

As I understand things right now, CAPI's controllers will watch either 1 namespace or all namespaces. Watching a number of namespaces between those two extremes is either not supported or well understood right now, based on my interpretation of what was said in the community meeting.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Watching a number of namespaces between those two extremes is either not supported or well understood right now, based on my interpretation of what was said in the community meeting.

ack, thanks @nrb, this is what i was wondering.

```

### User Stories
We need to deploy two CAPI instances in the same cluster and divide the list of namespaces to assign some well known namespaces to be watched from the first instance and rest of them to assign to the second instace.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this user story helps me to understand the motivation a little better, it might be nice to have some of this language in that section too.

### User Stories
We need to deploy two CAPI instances in the same cluster and divide the list of namespaces to assign some well known namespaces to be watched from the first instance and rest of them to assign to the second instace.

#### Story 1 - RedHat Hierarchical deployment using CAPI
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't think this is specific to Red Hat, it seems anyone who is doing this type of heirarchical deployment could gain benefit from this enhancement.

i do think it's nice to include the links to the Red Hat jiras.

A service account will be created for each namespace with CAPI instance.
In the simple deployment example we are considering that all CAPI-instances will share the one cluster role `capi-aggregated-manager-role` so all CAPI's service accounts will be bound using then cluster role binding `capi-manager-rolebinding`.
We can also use multiple cluster roles and grant the access more granular only to the namespaces watched by the instance.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will all the controllers use the same cloud credentials or will each namespace have its own cloud credentials?

@enxebre
Copy link
Member

enxebre commented Jan 16, 2025

I think overall the motivation behind this proposal should be something like "Enable adoption in advance multi tenant scenarios".

Use case:
As a Service Provider/Consumer I own a management cluster that allocates and manages the lifecycle of Kubernetes clusters powered by CAPI using at least 2 different paradigms.
Paradigm 1:
Each cluster of type 1 runs each own suite of capi controllers targeting a particular namespace as a hidden implementation engine. Don't use webhooks. Motivations:

  • Granular versioning lifecycling
  • Granular Logging and forwarding mechanism
  • Granular metrics
  • Granular resource consumption budget
  • Security requirements
    -- Per cluster Network policies isolation
    -- Per cluster Cloud provider creds isolation
    -- Per cluster Kubeconfig access isolation

Paradigm 2:
Each cluster of type 2 is managed by a common centralized suite of CAPI controllers with different requirements/constraints to the listed above.

For both paradigms to coexist, paradigm 2 wants a way to restrict its scope and not be aware of CAPI resources owned by paradigm1.

cc @fabriziopandini @sbueringer @serngawy I'm catching up with yesterday community call so wanted to share my thoughts on the topic. I agree with the concerns raised on the call. Thinks that I think could be explored:

Use watchFilterValue
Use RBAC
Add some flexibility to let the manager cache to filter out

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

## Summary
We need to run multiple CAPI instances in one cluster and divide the namespaces to be watched by given instances.
Copy link
Contributor

@serngawy serngawy Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets add the ability to run a single CAPI instance that can watch group of namespaces OR exclude group of namespaces from been watched.

* https://github.com/kubernetes-sigs/cluster-api/pull/11370 add the new commandline option `--excluded-namespace=<ns1, …>`

## Motivation
Our motivation is to have a provisioning cluster which is provisioned cluster at the same time while using hierarchical structure of clusters.
Copy link
Contributor

@serngawy serngawy Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Motivation:

For multi-tenant environment a cluster is used as provision-er using different CAPI providers.
Using CAPI requires careful consideration of namespace isolation to maintain security and operational boundaries between tenants. In such setups, it is essential to configure the CAPI controller instances to either watch or exclude specific groups of namespaces based on the isolation requirements. This can be achieved by setting up namespace-scoped controllers or applying filters, such as label selectors, to define the namespaces each instance should monitor. By doing so, administrators can ensure that the activities of one tenant do not interfere with others, while also reducing the resource overhead by limiting the scope of CAPI operations. This approach enhances scalability, security, and manageability, making it well-suited for environments with strict multi-tenancy requirements.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

used

- and the last resort instance to watch the rest of namespaces excluding the namespaces already watched by previously mentioned instances

This change is only a small and strait forward update of the existing feature to limit watching on specified namespace by commandline `--namespace <ns>`

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets clarify the goal is to let the CAPI instance able to watch/exclude group of namespaces which will enhances the scalability, security, and manageability in multi tenant environment

@nrb
Copy link
Contributor

nrb commented Jan 16, 2025

/area provider/core

@k8s-ci-robot k8s-ci-robot added area/provider/core Issues or PRs related to the core provider and removed do-not-merge/needs-area PR is missing an area label labels Jan 16, 2025
@nrb
Copy link
Contributor

nrb commented Jan 16, 2025

I like @enxebre's explanation of paradigms.

As I've understood the goals, another way of stating 2 paradigms could be a CAPI install for self-managing the cluster (paradigm 1) and a CAPI install managing everything else that users may create (paradigm 2).

In this scenario, the self-managing CAPI install wants to watch exactly 1 namespace (let's call it ns/internal-capi), and I think that's covered with the --namespace option today.

The CAPI installation for everything else, then, would like to watch all namespaces except ns/internal-capi. I don't think this option is supported today, and would be served by implementing #11193 in some fashion.

Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left a first round of comments of summary and motivations.

I might be wrong, but my impression is that the core problem we are trying to solve here is multi tenancy in core CAPI, while sharding, either by namespaces or by other criteria, is one of the solution to solve this problem (e.g for multi-tenacy in infrastructure providers we chosed a different approach, Single Controller Multitenancy, unfortunately this was never properly documented in CAPI, rif #4514).

If, I'm correct in assuming that multi-tenancy is the problem this proposal is solving, then my best suggestion is to clearly define what model of multi-tenancy this document is proposing, because I think that the current definition we have in the glossary doesn't match what we are discussing here.

@enxebre comment is definitely a step in the right direction to clarify why we are doing this work (thank you!); I have a few questions on paradigm 1, but probably the definition above will help me also to answers to those questions.

edited 20th of January

Another option - might be less confusing - is use "sharding" as a key term for this proposal / for considerations about assigning subset of CAPI clusters to different instances of CAPI controllers running on the same cluster (and keep the current definition of multi-tenancy in CAPI)

* https://github.com/kubernetes-sigs/cluster-api/pull/11370 add the new commandline option `--excluded-namespace=<ns1, …>`

## Motivation
Our motivation is to have a provisioning cluster which is provisioned cluster at the same time while using hierarchical structure of clusters.
Copy link
Member

@fabriziopandini fabriziopandini Jan 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be we need a glossary section if we are introducing new terms like provisioning cluster, provisioned cluster, hierarchical structure of clusters.

Our motivation is to have a provisioning cluster which is provisioned cluster at the same time while using hierarchical structure of clusters.
Two namespaces are used by management cluster and the rest of namespaces are watched by CAPI manager to manage other managed clusters.

Our enhancement is also widely required many times from the CAPI community:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Those are two issues from the same person, we can quote them as a reference, but I struggle a little bit to find them representative of other's member needs (one issue is stale, the other has just few comments)

FYI I'm aware of other persons occasionally asking about this, but ultimately no one stepped up to tackle this point before now.

Also, please note that our controllers today have a --watch-filter flag, as well there are issues like #7775, which are the expression of different need/requirement about how sharding of CAPI clusters should work.

Ideally this work should address both requirements, or at least it should be documented how this proposal does not prevent making progress on the other approach if and when someone will step up to work on it.


## Motivation
Our motivation is to have a provisioning cluster which is provisioned cluster at the same time while using hierarchical structure of clusters.
Two namespaces are used by management cluster and the rest of namespaces are watched by CAPI manager to manage other managed clusters.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1
TBH this seems more a description of a solution (use a ns as a tenancy boundary), with some assumption how organizations should use this feature (two namespaces, why two?)

Let's please expand on the problem we are trying to solve in this paragraph, so we can then properly understand the solution down below

Comment on lines 54 to 72
We want and consider:
- each CAPI instance:
- is running in separate namespace and is using its own service account
- can select by command the line arguments the list of namespaces:
- to watch - e.g.: `--namespace <ns1> --namespace <ns2>`
- to exclude from watching - e.g.: `--excluded-namespace <ns1> --excluded-namespace <ns2>`
- we are not supporting multiple versions of CAPI
- all running CAPI-instances:
- are using the same container image (same version of CAPI)
- are sharing global resources:
- CRDs:
- cluster.x-k8s.io:
- addons.cluster.x-k8s.io: clusterresourcesetbindings, clusterresourcesets
- cluster.x-k8s.io: clusterclasses, clusters, machinedeployments, machinehealthchecks, machinepools, machinesets, machines
- ipam.cluster.x-k8s.io: ipaddressclaims, ipaddresses
- runtime.cluster.x-k8s.io: extensionconfigs
- NOTE: the web-hooks are pointing from the CRDs into the first instance only
- the `ClusterRole/capi-aggregated-manager-role`
- the `ClusterRoleBinding/capi-manager-rolebinding` to bind all service accounts for CAPI instances (e.g. `capi1-system:capi-manager`, ..., `capiN-system:capi-manager`) to the `ClusterRole`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be it is me, but I struggle a little bit in understanding if this list is about a problem statement, or if it is about details of a solution or some constraint we have/were introduced by this proposal.

Frankly speaking, I would suggest to keep in the summary only a short sentence about the solution, and move those details down in the proposal, where possibly we will have some more context to explain why some decisions.

superseded-by:
---

# Support running multiple instances of the same provider, each one watching different namespaces
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if possible, let's keep the title of the PR in sync with the title of the proposal ("namespace separation" is a little bit confusing awhen read without context).

Also wondering if the title should have something about multi-tenancy or sharding, but I'm not entirely sure at this stage

- can select by command the line arguments the list of namespaces:
- to watch - e.g.: `--namespace <ns1> --namespace <ns2>`
- to exclude from watching - e.g.: `--excluded-namespace <ns1> --excluded-namespace <ns2>`
- we are not supporting multiple versions of CAPI
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There will at times inevitably be some drift between versions, how much skew can there be at runtime before this causes an issue? Is patch level skew ok?

- to exclude from watching - e.g.: `--excluded-namespace <ns1> --excluded-namespace <ns2>`
- we are not supporting multiple versions of CAPI
- all running CAPI-instances:
- are using the same container image (same version of CAPI)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This and line 60 say the same thing

- cluster.x-k8s.io: clusterclasses, clusters, machinedeployments, machinehealthchecks, machinepools, machinesets, machines
- ipam.cluster.x-k8s.io: ipaddressclaims, ipaddresses
- runtime.cluster.x-k8s.io: extensionconfigs
- NOTE: the web-hooks are pointing from the CRDs into the first instance only
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does one define first here? Do we mean the first installed? What if an admin wanted it not to be in some random namespace because that happened to be the first deployed? Would it not be better to recommend having an instance of the CAPI controllers running separately just to serve webhooks?

Can CAPI controllers run as just webhooks? Could we disable all controllers within a binary to achieve something like this?

* the code change is only extending an existing hash with one item to multiple items
* the maintenance complexity shouldn't be extended here
* add the new commandline option `--excluded-namespace=<ens1, …>` to define list of excluded namespaces
* the code change is only setting an option `Cache.Options.DefaultFieldSelector` to disable matching with any of specified namespace's names
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For those who aren't familiar with this option, it may be good to explain what this is and how it works. IIUC this means there's a API server side filter that means we don't return any results from the specified namespace here right?

Edit: I see this further down in the doc, a link might be handy

....
}
```
and then the namespaces contained in `watchNamespacesList` will be excluded from watching by the instance.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the rbac implication of this field selector, do I not need RBAC on that namespace?

@marek-veber marek-veber force-pushed the namespace-separation-proposal branch from a153b24 to 4aa1b44 Compare January 20, 2025 15:10
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/provider/core Issues or PRs related to the core provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/documentation Categorizes issue or PR as related to documentation. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants