Tenancy at Namespace Level of Kubernetes/OpenShift Cluster

This section elaborates the steps to enable Tenancy in AKO to map each namespace in a single Kubernetes/OpenShift cluster uniquely to a tenant in Avi Load Balancer.
The following are the prerequisites and behaviour to enable tenancy in AKO at the namespace level:
  • At the namespace level, tenancy is enabled by adding an annotation to the namespace with the corresponding tenant name in Avi Load Balancer. All resources within the namespace then use the annotated tenant, establishing a relationship between the namespace and the tenant in Avi Load Balancer.
  • AKO determines the tenant in which to create Avi Load Balancer objects from the value of the ako.vmware.com/tenant-name annotation on the namespace of the Kubernetes/OpenShift objects.
  • If the ako.vmware.com/tenant-name annotation is empty or missing, AKO determines the tenant from the tenantName field.
  • All Avi Load Balancer object references in namespace-scoped AKO CRDs must be accessible to the AKO user within the tenant specified by the namespace annotation. If they are inaccessible, the CRD transitions to an error status and is not applied to the virtual services.
  • AKO users must be assigned the ako-tenant role for all tenants in use, allowing them to create or update AKO objects.
  • If the tenant annotation on a namespace is updated, an AKO restart is required to delete stale Avi Load Balancer objects and to update the status correctly on the Kubernetes/OpenShift objects.
  • This feature is not supported for services of type LoadBalancer using a shared VIP.

Example of an Annotated Tenant in AKO

In this example, AKO creates virtual services in the billing tenant for Kubernetes/OpenShift objects within the n1 namespace. For other namespaces that do not have the annotation, virtual services are created in the tenant where AKO is installed.
    apiVersion: v1
    kind: Namespace
    metadata:
      annotations:
        ako.vmware.com/tenant-name: billing
      name: n1
With the above configuration, AKO maps the n1 namespace to the billing tenant, and all objects are created within that tenant.
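The following is an added example, not code from AKO or Avi Load Balancer. It reproduces the tenant-selection rule described above (annotation present and non-empty wins, otherwise fall back to the configured tenantName) over namespace objects shaped like `kubectl get ns -o json` items, and adds the check a cluster operator would want before enabling the feature: which namespaces resolve to a tenant where the AKO user does not hold the ako-tenant role, since those would end up with CRDs in an error status. The namespace list, the default tenant and the set of permitted tenants are constructed sample values, and `audit_namespaces` is a hypothetical helper; the real permitted-tenant list would come from the Avi controller, not from Kubernetes.

```python
"""Resolve the Avi Load Balancer tenant for each namespace the way the AKO
documentation describes, and flag namespaces whose tenant the AKO user is not
authorised for. Added example, not AKO's own code."""

# Annotation key from the documentation.
TENANT_ANNOTATION = "ako.vmware.com/tenant-name"


def resolve_tenant(namespace: dict, default_tenant: str) -> str:
    """Return the tenant AKO places this namespace's objects in.

    A present, non-empty annotation value wins; an empty or missing annotation
    falls back to `default_tenant`, which stands for the tenantName field AKO
    was installed with (hypothetical parameter name).
    """
    annotations = namespace.get("metadata", {}).get("annotations") or {}
    tenant = (annotations.get(TENANT_ANNOTATION) or "").strip()
    return tenant if tenant else default_tenant


def audit_namespaces(namespaces: list, default_tenant: str, allowed_tenants: set) -> dict:
    """Map each namespace name to its resolved tenant and list the namespaces
    whose tenant is outside `allowed_tenants` (the tenants in which the AKO
    user holds the ako-tenant role; a constructed input here).
    """
    mapping = {}
    unauthorized = []
    for ns in namespaces:
        name = ns["metadata"]["name"]
        tenant = resolve_tenant(ns, default_tenant)
        mapping[name] = tenant
        if tenant not in allowed_tenants:
            unauthorized.append((name, tenant))
    return {"mapping": mapping, "unauthorized": unauthorized}


# Constructed sample namespaces (not taken from a real cluster). n1 matches the
# documentation's example; n2 has no annotations, n3 has an empty value, and n4
# names a tenant the AKO user is not authorised for.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "n1", "annotations": {TENANT_ANNOTATION: "billing"}}},
    {"metadata": {"name": "n2"}},
    {"metadata": {"name": "n3", "annotations": {TENANT_ANNOTATION: ""}}},
    {"metadata": {"name": "n4", "annotations": {TENANT_ANNOTATION: "hr"}}},
]

if __name__ == "__main__":
    # "admin" stands for the tenant AKO is installed in (constructed value).
    result = audit_namespaces(SAMPLE_NAMESPACES, "admin", {"admin", "billing"})
    for ns_name, tenant in result["mapping"].items():
        print(f"{ns_name} -> {tenant}")
    for ns_name, tenant in result["unauthorized"]:
        print(f"WARNING: {ns_name} maps to tenant {tenant!r}, where the AKO user "
              f"lacks the ako-tenant role; its CRDs would enter an error status")
```

Run it against the real cluster by replacing `SAMPLE_NAMESPACES` with the `items` list from `kubectl get namespaces -o json`; the resolution rule stays the same. Because a changed annotation only takes full effect after an AKO restart, it is worth running such a check before editing annotations on namespaces that already carry virtual services.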