docs: add multi-tenancy support discussions

[binbin-li]

Description

What this PR does / why we need it:

It's not a final design for multi-tenancy but includes 2 options with comparison for discussion.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Investigating: #743

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

• Test A
• Test B

Checklist:

• Does the affected code have corresponding tests?
• Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have appropriate license header?

Post Merge Requirements

• MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (b6db2ee) 61.43% compared to head (442493c) 61.43%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1175   +/-   ##
=======================================
  Coverage   61.43%   61.43%           
=======================================
  Files          97       97           
  Lines        6179     6179           
=======================================
  Hits         3796     3796           
  Misses       2051     2051           
  Partials      332      332           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[akashsinghal]

Another consideration is how do we handle which ED provider is invoked in the constraint template? Will there be a new ED provider per namespace? Will there be a namespace-based naming convention for the providers that must be implemented in the Constraint template to call the correct ED provider?

Or maybe the assumption is that each namespace will have its own dedicated Constraint Template + Constraint.

[binbin-li]

For each Ratify deployment, we should have a Provider CR applied. And I checked GK code base, looks like for each admission review request, it will iterate through all providers to gather feedback. And the constraint template is clustered resource, we cannot have namespaced one.

[akashsinghal]

How does mutation work? For example, some namespace may enable and another may not enable. This would require scoping mutation Assign resources to the exact namespaces that have it enabled. Thus, requiring updates to the Assign Resources every time a new tenant is added. (maybe this is ok but definitely overhead)

[akashsinghal]

Another con: how do we provide more granular control over some configs defined at the ratify service level like cache type and size and ttl and log level? All these are currently configured at ratify startup and not as CRs.

[FeynmanZhou]

Would it be better to add this link as a reference for concept details? https://kubernetes.io/docs/concepts/security/multi-tenancy/

[FeynmanZhou]

I have many concerns on Deployment per Namespace. Users are really care about the resource usage and maintenance effort. That's being said users like light-weight solution and lower-maintenance solution.

In addition, Ratify as a an addmission controller, users may concern the single-point failure of the Ratify instance. Users will need to maintain multiple Ratify instances in different namespaces. This would be a pain point for users.

[akashsinghal]

@binbin-li I have updated the e2e tests required based on k8s bump and gk bump. Please merge main when you have a chance.

[fseldow]

how we ensure must? will we have one ratify controller to make sure each namespace has the ratify deployment? or it will be cluster admin manual operation?
If it is automatically, will it cause unexpected node memory/cpu usage spike when new namespace is created? The ratify default cpu/memory request is not small

[binbin-li]

It's a valid concern. A new namespace would require a new Ratify deployment with related resources. And it might get worse when multiple namespaces are created at the same time

[fseldow]

Do we have detailed design on the CRD behavior change? i guess most of them will have namespaced level?

[binbin-li]

this is under discussion, and I'll have a detailed design soon.

[binbin-li]

All CRs would be updated to namespaced scoped. And we probably need some refactoring on cosign verifier and certStore to avoid mounting keys.

[susanshi]

Thank you for all the info Binbin. Left some suggestion that helps to finalize the design doc.

[susanshi]

We could add priority to the areas that requires multi-tenancy support. The FileSystem is probably higher pri item and should be in listed towards the top of the doc.

[binbin-li]

My initial plan was to have another doc for implementation details once we decide the model.

[binbin-li]

here is a brief work break down: https://hackmd.io/@H7a8_rG4SuaKwzu4NLT-9Q/By-jVTBST