[Feature] Implement user segmentation with Kubernetes namespaces #533
Comments
Has anyone started working on this? |
We also need to consider the impact on the in-progress OFC Helm Chart |
Well, in order to move things forward in parallel, why don't we just agree on a variable name which configures the available namespaces and which functions will possibly need the variable. I suppose the variable should be an environmental variable for multiple functions like
|
The namespaces are going to be based on the users in the CUSTOMERS file, are they not? |
You are right, Alistair, it would be better to make the configuration in a file as opposed to an environmental variable. Though I believe we should make the naming of the file custom. Also, if the namespaces configuration is in a file, there will probably be no dependence between this feature and the helm bootstrapping process, if I am correct? |
This is on hold until there is enough demand and/or interest in it. It's a non-trivial investment from everyone to make this happen. |
Expected Behaviour
Each user should be onboarded with their own Kubernetes namespace that corresponds to their username. A policy can be applied for quotas and additional network policies can be added for isolation.
System functions will be deployed to the ofc-system namespace.
Current Behaviour
Users are segregated by the use of prefixes for objects and access control lists in the control-plane combined with network policies.
It's harder to apply a limit per user due to the shared openfaas-fn namespace.
Possible Solution
namespace parameter
list-functions function with a namespace parameter
list-functions will need to become namespace-aware
system-metrics and those which could take a function name, may need to become namespace aware also by accepting a namespace query string parameter
openfaas-fn, so there is a small burden of migration
com.openfaas.cloud.namespace to each function as an annotation
stack.yml, gitlab.yml and aws.yml to deploy into a ofc-system or simply a system namespace
/function/alexellis-fn-name to /function/fn-name.alexellis
Changes to ofc-bootstrap may also be needed.
Changes to the RBAC policy will be needed for the faasnetes controller so that it can perform CRUD in any namespace, right now it's limited to just the installation namespace i.e. openfaas-fn.
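A sketch of the onboarding step described under Expected Behaviour, added here as an example and not taken from OpenFaaS Cloud: it maps a username to a namespace, refuses names that would land on ofc-system or another shared namespace, and renders a quota plus a default-deny ingress policy. The reserved list, the object names (user-quota, default-deny-ingress) and the pod limit are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// A Kubernetes namespace name must be a DNS-1123 label (max 63 chars).
var dns1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)
// Assumed deny-list: namespaces a username must never map onto.
var reserved = map[string]bool{"ofc-system": true, "system": true,
	"openfaas": true, "openfaas-fn": true, "default": true}

// NamespaceFor maps a username to its namespace, or rejects it.
func NamespaceFor(user string) (string, error) {
	ns := strings.ToLower(user)
	if !dns1123.MatchString(ns) {
		return "", fmt.Errorf("username %q is not a valid namespace name", user)
	}
	if reserved[ns] || strings.HasPrefix(ns, "kube-") {
		return "", fmt.Errorf("username %q collides with a reserved namespace", user)
	}
	return ns, nil
}
// Namespace, pod quota and default-deny ingress policy (flow-style YAML).
// Names are quoted so values such as "null" or "123" stay strings.
const manifests = `apiVersion: v1
kind: Namespace
metadata: {name: "%[1]s"}
---
apiVersion: v1
kind: ResourceQuota
metadata: {name: user-quota, namespace: "%[1]s"}
spec: {hard: {pods: "%[2]d"}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: "%[1]s"}
spec: {podSelector: {}, policyTypes: [Ingress]}
`
// Render returns the onboarding manifests for one user.
func Render(user string, maxPods int) (string, error) {
	ns, err := NamespaceFor(user)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(manifests, ns, maxPods), nil
}
func main() { fmt.Println(Render("alexellis", 10)) }
```

The default-deny policy is only the baseline: an allow rule for traffic from the gateway's namespace still has to be added before functions in the user namespace are reachable.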