Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RA2 Appendix]: Describe best practices for workload isolation with Kubernetes #1878

Closed
CsatariGergely opened this issue Aug 12, 2020 · 3 comments · Fixed by #2672
Closed

[RA2 Appendix]: Describe best practices for workload isolation with Kubernetes #1878

CsatariGergely opened this issue Aug 12, 2020 · 3 comments · Fixed by #2672
Assignees
@CsatariGergely
Projects
old-RA2
Milestone
Lakelse - M2 - Sc...

Comments

@CsatariGergely
Copy link
Collaborator

In the Containers in Production track of OpenDev 2020 there was a discussion about the need to document the best practices for workload isolation in Kubernetes (see notes from line 150).

As the method of separation usually does not affect the workload's logic or deployment artefacts the documentation should be part of the appendix of RA2.

This issue is to initiate a discussion about the problem statement, use cases and solution details.
@CsatariGergely CsatariGergely self-assigned this Aug 12, 2020
@CsatariGergely CsatariGergely added this to To do in old-RA2 via automation Aug 12, 2020
@CsatariGergely
Copy link
Collaborator Author

Problem statement: As a single Kubernetes cluster does not provide hard multitenancy, that is the CNF-s running in the same cluster should not trust each other, there is a need to define best practices for separation of trust domains.

Use cases:
1 Two CNF-s which are in the same trust domain (e.g.: they are from the same vendor) are running in a container infrastructure
2 Two CNF-s which are in different trust domains (e.g.: they are from different vendors) are running in a container infrastructure

Solutions details:

  • Same/different Kubernetes clusters
  • Network connection between clusters
  • Network separation within a cluster
  • Runtimes?
  • Anything storage?
  • Image signing?

@CsatariGergely
Copy link
Collaborator Author

#1059 is a related issue.

@sb1975 sb1975 mentioned this issue Aug 14, 2020
Merged
@tomkivlin
Copy link
Collaborator

I am moving this to the backlog as it came in after the M2 milestone and is unlikely to get addressed before 14th September.

@project-bot project-bot bot moved this from To do to Backlog in old-RA2 Aug 21, 2020
@rgstori rgstori added duplicate This issue or pull request already exists Lakelse and removed duplicate This issue or pull request already exists Backlog New labels Jun 24, 2021
@rgstori rgstori added this to the Lakelse - M2 - Scope Freeze milestone Jun 24, 2021
@rgstori rgstori moved this from Backlog to To do in old-RA2 Jun 24, 2021
@rgstori rgstori mentioned this issue Oct 28, 2021
Merged
@rgstori rgstori linked a pull request Oct 28, 2021 that will close this issue
[ra2] multitenancy #2672
Merged
old-RA2 automation moved this from To do to Done Oct 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@CsatariGergely CsatariGergely

Labels
None yet
Projects
No open projects
old-RA2
  
Done
Milestone
Lakelse - M2 - Scope Freeze
Development

Successfully merging a pull request may close this issue.

[ra2] multitenancy anuket-project/anuket-specifications
3 participants
@rgstori @CsatariGergely @tomkivlin