Implementing multi-tenant isolation
in a single Openshift cluster
Red Hat Forum, Breda (NL), 10/10/2017
www.gcloud.belgium.be
Introducing G-Cloud
G-Cloud = Belgian government Cloud
• Focus = Synergy in ICT-services
• Services provided by different institutions / service owners
• In close collaboration with private sector
G-Cloud-projects
[Diagram labels: Business applications; Hard infrastructure; Soft infrastructure; Platform; Standard components & applications; Housing; LAN/WAN; Network; Storage; BabelFed; ITSM; Service desk; Web Content Management; BeConnected; Unified Communications & Collaboration; Internet Access Protection; Backup; Archiving; IAM / ShaD]
G-Cloud entry points
[Diagram labels: GreenShift / Open Source; YellowShift / Microsoft; BlueShift / IBM; RedShift / Oracle; Business Intelligence & Big Data Analytics; Sharepoint; Virtual Machine; Hypervisor; Bare Metal. Legend: Preparation, Realization, Service, On hold]
Service owner:
Shared ICT services in social security & e-health since… 1939
About Smals
• In-house ICT services for government
– Governed by Belgian public institutions
– Members only
– Services provided at cost
• Focus on social security & health
• Activities:
– Software development
– Infrastructure management
– Staffing
• Approximately 1790 employees
– looking for 50 more (jobs@smals.be)
Over 200 member institutions
Federal – Regional – Local
Timeline
Proof of concept OSE 3.0
• Coming from single tenant OSE 2
• Set up OSE 3 proof of concept
– Single shared node pool
– Not multitenant
[Timeline: PoC Openshift 3.0 → Multitenant cluster → OSE 3.1: OVS multitenant SDN → Self service → Too big to succeed]
Multitenant cluster
• Multiple partners:
– organization or government institution
• Multiple tenants per partner
Define: tenant
• Tenant has
– Multiple teams
– Different access rights per team
– Multiple applications
Multitenant cluster constraints
• Centralized management of Openshift cluster
• No direct communication between tenants
• Integrate with partners’ infrastructure
• No interference between tenants
• Delegate rights to tenant
Centralized management
• Shared master(s)
• Shared services
Integrate with partners’ infra
• Pods can access resources in a partner’s network
– Databases
– Webservices
– …
Integrate with partners’ infra
• Nodes in subnet of partner network
• Nodes in single network with master
No direct communication
• Pods from different tenants should not be able to access each other
– Pods can by default access services in other projects (in OVS subnet SDN)
– Access to pods via routes and routers (router IP)
• Pods should not be able to access resources from a different tenant
– Databases
– Image repository
– Webservices
No direct communication
• Blocked everything on network level
No interference
• A tenant should not see changes another tenant made
• A tenant should not see effects of changes another tenant made
No interference
• Projects are invisible to users that do not have access to them
• Nodes are global for master
– solution: tag nodes per tenant, all tenant projects have a nodeselector defined
• Unique names for projects
– workaround via name convention: prefix per tenant
Delegate rights to tenant
• Organize access rights per tenant
– Different teams with different accesses
– Tenant admin with access to all
• Manage who can access which routes
• Manage which pods can access which resources
Organize access rights per tenant
• Openshift “Project”:
– Group of resources
– Access rights to those resources
– No nesting of projects (unlike OpenStack & CloudForms)
Organize access rights per tenant
• Organize resources and access rights to them in projects
• Tag projects as belonging to a tenant
Organize access rights per tenant
• We want to define a tenant admin
• Openshift roles: project based or cluster based
• Tenant admin contacts cluster admin
– Temporary solution (does not scale)
Manage access
• Traffic to router(s) has to pass through partner network
• Partner controls access from pods to resources in partner network
– Needs to open access to all nodes because a pod can change nodes
OVS Multitenant SDN
• Use new feature “OVS multitenant SDN”?
– Would partially solve “No direct communication”
– We can only limit access to router based on IP address, we still have to limit access based on node instead of on pod
• Large impact if implemented
• Decided to wait for other solutions
Self-service
• Self service for tasks that cannot be delegated or require systems outside Openshift
– Via CloudForms using the Openshift API
Self-service
• Automatically set up tags and nodeselectors for our tenant setup during project creation
• Tenant admin is by default project admin of all projects within tenant
• Other services outside of Openshift
Too big to succeed
• Each node keeps track of all the services in the cluster
– Growing overhead on every node per service on the cluster (due to iptables)
– Noticeable for us around 500 services
– May need to think about splitting clusters
Wrapping up
Summary
• Project:
– tagged with tenant
– defined nodeselector
– has to follow name convention
• Node:
– tagged with tenant: dedicated node pool
– in tenant network
– in dedicated subnet for tenant in service network
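The conventions in this Summary can be checked mechanically. The audit below is an added example, not code from the presentation; it takes objects shaped like items from `oc get namespaces|nodes|pods -o json`, and the `tenant` label key, the `<tenant>-` prefix form, the exempt shared projects and all sample objects are assumptions.

```python
# Added example: audits the tenant conventions listed on the Summary slide.
# Input dicts mirror items from `oc get namespaces|nodes|pods -o json`.

TENANT_LABEL = "tenant"  # assumed label key; the slides only say "tagged with tenant"
NODE_SELECTOR_ANNOTATION = "openshift.io/node-selector"  # per-project node selector
SHARED_PROJECTS = frozenset({"default", "openshift", "openshift-infra"})  # assumed exempt


def parse_selector(text):
    """Turn 'k1=v1,k2=v2' into a dict; missing or empty text gives {}."""
    pairs = (item.split("=", 1) for item in (text or "").split(",") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def tenant_of(obj):
    """Tenant tag of a node or project, or None when it is not tagged."""
    return (obj["metadata"].get("labels") or {}).get(TENANT_LABEL)


def audit(projects, nodes, pods):
    """Return a list of (kind, name, problem) tuples; empty means compliant."""
    findings = []

    node_tenant = {}
    for node in nodes:
        name = node["metadata"]["name"]
        node_tenant[name] = tenant_of(node)
        if node_tenant[name] is None:
            findings.append(("node", name, "not tagged with a tenant"))

    project_tenant = {}
    for project in projects:
        name = project["metadata"]["name"]
        if name in SHARED_PROJECTS:
            continue
        tenant = tenant_of(project)
        if tenant is None:
            findings.append(("project", name, "not tagged with a tenant"))
            continue
        project_tenant[name] = tenant
        if not name.startswith(tenant + "-"):
            findings.append(("project", name, "name lacks the tenant prefix"))
        annotations = project["metadata"].get("annotations") or {}
        selector = parse_selector(annotations.get(NODE_SELECTOR_ANNOTATION))
        if selector.get(TENANT_LABEL) != tenant:
            findings.append(("project", name,
                             "nodeselector does not select its own tenant's nodes"))

    # Partner firewalls filter per node, not per pod, so a pod placed on another
    # tenant's node would inherit that node's access to partner resources.
    for pod in pods:
        namespace = pod["metadata"]["namespace"]
        node = pod["spec"].get("nodeName")
        owner = project_tenant.get(namespace)
        if owner is None or node is None:  # shared/untagged project, or unscheduled pod
            continue
        if node_tenant.get(node) != owner:
            findings.append(("pod", namespace + "/" + pod["metadata"]["name"],
                             "scheduled on node " + node + " outside its tenant's pool"))
    return findings


def make_obj(name, tenant=None, selector=None):
    """Build a constructed node or project object for the sample data."""
    meta = {"name": name}
    if tenant:
        meta["labels"] = {TENANT_LABEL: tenant}
    if selector:
        meta["annotations"] = {NODE_SELECTOR_ANNOTATION: selector}
    return {"metadata": meta}


def make_pod(namespace, name, node=None):
    """Build a constructed pod object; node=None models an unscheduled pod."""
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"nodeName": node} if node else {}}


# Constructed sample data: tenants "alpha" and "beta" are hypothetical.
SAMPLE_NODES = [make_obj("node-a1", "alpha"), make_obj("node-b1", "beta"),
                make_obj("node-x")]
SAMPLE_PROJECTS = [
    make_obj("default"),
    make_obj("alpha-web", "alpha", "tenant=alpha"),
    make_obj("beta-api", "beta", "tenant=alpha"),  # selector targets another pool
    make_obj("payments", "alpha"),                 # no prefix, no nodeselector
]
SAMPLE_PODS = [
    make_pod("alpha-web", "web-1", "node-a1"),
    make_pod("alpha-web", "web-2", "node-x"),
    make_pod("beta-api", "api-1", "node-a1"),
    make_pod("beta-api", "api-2"),
    make_pod("default", "router-1", "node-x"),
]

if __name__ == "__main__":
    for kind, name, problem in audit(SAMPLE_PROJECTS, SAMPLE_NODES, SAMPLE_PODS):
        print(kind, name, problem, sep=": ")
```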
Current state
• Running version: Openshift 3.3
• 250 Nodes / 500 projects / 2000 pods
• Large mission critical e-gov applications – in production
Evaluation of the design
• Good
– Pods are blocked from other tenants' resources
– Pods of one tenant cannot access pods from another tenant
– Integration with existing customer resources
– Standardized framework facilitates scheduling, capacity planning and reporting
– Single cluster to manage
• Bad
– Dedicated node pools
  • Need a buffer per node pool
  • Use more nodes compared to a single shared node pool
– Standardized framework: tenant cannot deviate
– Single large cluster: unforeseen overhead (e.g. iptables)
Lessons learned
• Openshift is still adding new features
– Regularly review design
• Uncommon setup
– First to find limitations and issues
– Have to create new workarounds
Future plans
• Automatically upgrade Openshift cluster
• Set up multiple clusters
– Overhead of large sized cluster (iptables)
– Smaller clusters to upgrade
– More flexible for partners
• External SDN
• Experiment with new functionalities (egress router)
Questions?
Comments?
Applicants?
(jobs@smals.be)
https://www.gcloud.belgium.be/
greenshift@gcloud.belgium.be
https://www.smals.be
https://www.slideshare.net/Smals_ICT/
https://www.smalsresearch.be/

State crafting: Changes and challenges for managing the public finances
ResolutionFoundation
 
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
OECDregions
 

Recently uploaded (20)

2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
 
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdfPNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
 
Donate to charity during this holiday season
Donate to charity during this holiday seasonDonate to charity during this holiday season
Donate to charity during this holiday season
 
Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200
 
A proposed request for information on LIHTC
A proposed request for information on LIHTCA proposed request for information on LIHTC
A proposed request for information on LIHTC
 
Get Government Grants and Assistance Program
Get Government Grants and Assistance ProgramGet Government Grants and Assistance Program
Get Government Grants and Assistance Program
 
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
 
NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
 
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
 
2024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 382024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 38
 
Invitation Letter for an alumni association
Invitation Letter for an alumni associationInvitation Letter for an alumni association
Invitation Letter for an alumni association
 
kupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptxkupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptx
 
State crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public financesState crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public finances
 
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
 

20171010 multitenancy in openshift

  • 1. Implementing multi-tenant isolation in a single Openshift cluster. Red Hat Forum, Breda (NL), 10/10/2017. www.gcloud.belgium.be
  • 3. G-Cloud = Belgian government Cloud • Focus = Synergy in ICT-services • Services provided by different institutions / service owners • In close collaboration with private sector (www.gcloud.belgium.be)
  • 4. G-Cloud-projects (diagram). Layers: Business applications, Standard components & applications, Platform, Soft infrastructure, Hard infrastructure. Items shown: Housing, LAN/WAN, Network, Storage, BabelFed, ITSM, Service desk, Web Content Management, BeConnected, Unified Communications & Collaboration, Internet Access Protection, Backup, Archiving, IAM / ShaD, GreenShift (Open Source), YellowShift (Microsoft), BlueShift (IBM), RedShift (Oracle), Business Intelligence & Big Data Analytics, Sharepoint, Virtual Machine, Hypervisor, Bare Metal. Status legend: Preparation, Realization, Service, On hold.
  • 6. Shared ICT services in social security & e-health since… 1939
  • 7. About Smals • In-house ICT services for government – Governed by Belgian public institutions – Members only – Services provided at cost • Focus on social security & health • Activities: – Software development – Infrastructure management – Staffing • Approximately 1790 employees – looking for 50 more (jobs@smals.be)
  • 8. Over 200 member institutions Federal – Regional – Local
  • 10. Proof of concept OSE 3.0 • Coming from single tenant OSE 2 • Set up OSE 3 proof of concept – Single shared node pool – Not multitenant
  • 11. Multitenant cluster • Multiple partners: – organization or government institution • Multiple tenants per partner
  • 12. Define: tenant • Tenant has – Multiple teams – Different access rights per team – Multiple applications
  • 13. Multitenant cluster constraints • Centralized management of Openshift cluster • No direct communication between tenants • Integrate with partners’ infrastructure • No interference between tenants • Delegate rights to tenant
  • 15. Centralized management • Shared master(s) • Shared services
  • 17. Integrate with partners’ infra • Pods can access resources in a partner’s network – Databases – Webservices – …
  • 18. Integrate with partners’ infra • Nodes in subnet of partner network • Nodes in single network with master
  • 20. No direct communication • Pods from different tenants should not be able to access each other – Pods can by default access services in other projects (in OVS subnet SDN) – Access to pods via routes and routers (router IP) • Pods should not be able to access resources from a different tenant – Databases – Image repository – Webservices
  • 21. No direct communication • Blocked everything on network level
  • 23. No interference • A tenant should not see changes another tenant made • A tenant should not see effects of changes another tenant made
  • 24. No interference • Projects are invisible to users that do not have access to them • Nodes are global for master – solution: tag nodes per tenant, all tenant projects have a nodeselector defined • Unique names for projects – workaround via name convention: prefix per tenant
  • 26. Delegate rights to tenant • Organize access rights per tenant – Different teams with different accesses – Tenant admin with access to all • Manage who can access which routes • Manage which pods can access which resources
  • 27. Organize access rights per tenant • Openshift “Project”: – Group of resources – Access rights to those resources – No nesting of projects (unlike Openstack & cloudforms)
  • 28. Organize access rights per tenant • Organize resources and access rights to them in projects • Tag projects as belonging to a tenant
  • 29. Organize access rights per tenant • We want to define a tenant admin • Openshift roles: project based or cluster based • Tenant admin contacts cluster admin – Temporary solution (does not scale)
  • 30. Manage access • Traffic to router(s) has to pass through partner network • Partner controls access from pods to resources in partner network – Needs to open access to all nodes because pod can change nodes
  • 31. OVS Multitenant SDN • Use new feature “OVS multitenant SDN”? – Would partially solve No direct communication – We can only limit access to router based on IP address, we still have to limit access based on node instead of on pod • Large impact if implemented • Decided to wait for other solutions
  • 32. Self-service • Self service for tasks that cannot be delegated or require systems outside Openshift – Via cloudforms using Openshift API
  • 33. Self-service • Automatically set up tags and nodeselectors for our tenant setup during project creation • Tenant admin is by default project admin of all projects within tenant • Other services outside of Openshift
  • 34. Too big to succeed • Each node keeps track of all the services in the cluster – Growing overhead on every node per service on the cluster (due to ip tables) – Noticeable for us around 500 services – May need to think about splitting clusters
  • 36. Summary • Project: – tagged with tenant – defined nodeselector – has to follow name convention • Node: – tagged with tenant: dedicated node pool – in tenant network – in dedicated subnet for tenant in service network
  • 37. Current state • Running version: openshift 3.3 • 250 Nodes / 500 projects / 2000 pods • Large mission critical e-gov applications – in production
  • 38. Evaluation of the design • Good – Pods are blocked from other tenants' resources – Pods of one tenant cannot access pods from other tenant – Integration with existing customer resources – Standardized framework facilitates scheduling, capacity planning and reporting – Single cluster to manage • Bad – Dedicated node pools • Need a buffer per node pool • Use more nodes compared to a single shared node pool – Standardized framework: tenant cannot deviate – Single large cluster: unforeseen overhead (e.g. IPtables)
  • 39. Lessons learned • Openshift is still adding new features – Regularly review design • Uncommon setup – First to find limitations and issues – Have to create new workarounds
  • 40. Future plans • Automatically upgrade Openshift cluster • Set up multiple clusters – Overhead of large sized cluster (ip tables) – Smaller clusters to upgrade – More flexible for partners • External SDN • Experiment with new functionalities (egress router)
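
The project and node rules from the summary slide (project tagged with tenant, nodeselector defined, name prefixed per tenant; nodes tagged with tenant) can be audited mechanically. The check below is an added example, not code from the presentation. It assumes the label key `tenant`, a `<tenant>-` name prefix and a constructed sample inventory; `openshift.io/node-selector` is the OpenShift annotation that holds a project's node selector.

```python
TENANT_LABEL = "tenant"                        # assumed label key; the slides only say "tagged"
NODE_SELECTOR = "openshift.io/node-selector"   # OpenShift project node-selector annotation

def ns(name, tenant=None, selector=None):
    """Constructed namespace, shaped like an item of `oc get namespaces -o json`."""
    labels = {TENANT_LABEL: tenant} if tenant else {}
    annotations = {} if selector is None else {NODE_SELECTOR: selector}
    return {"metadata": {"name": name, "labels": labels, "annotations": annotations}}

def node(name, tenant=None):
    """Constructed node, shaped like an item of `oc get nodes -o json`."""
    return {"metadata": {"name": name, "labels": {TENANT_LABEL: tenant} if tenant else {}}}

# Constructed sample inventory (tenant names alpha/beta/gamma are invented).
SAMPLE_NODES = [node("node-a1", "alpha"), node("node-b1", "beta"), node("node-x1")]
SAMPLE_PROJECTS = [
    ns("alpha-billing", "alpha", "tenant=alpha"),  # follows all three rules
    ns("billing-beta", "beta", "tenant=beta"),     # breaks the name convention
    ns("alpha-web", "alpha", "tenant=beta"),       # pinned to another tenant's pool
    ns("beta-api", "beta", ""),                    # empty selector: may schedule anywhere
    ns("gamma-app", "gamma", "tenant=gamma"),      # tenant has no node pool
    ns("scratch"),                                 # not tagged at all
]

def parse_selector(text):
    """Parse a 'k1=v1,k2=v2' node-selector string into a dict."""
    pairs = (item.split("=", 1) for item in text.split(",") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}

def audit(projects, nodes):
    """Return sorted (object name, problem) findings for the project and node rules."""
    findings, pools = [], set()
    for item in nodes:
        tenant = (item["metadata"].get("labels") or {}).get(TENANT_LABEL)
        if tenant:
            pools.add(tenant)
        else:
            findings.append((item["metadata"]["name"], "node has no tenant label"))
    for item in projects:
        meta = item["metadata"]
        name = meta["name"]
        tenant = (meta.get("labels") or {}).get(TENANT_LABEL)
        if not tenant:
            findings.append((name, "project has no tenant label"))
            continue
        if not name.startswith(tenant + "-"):
            findings.append((name, "name lacks tenant prefix"))
        selector = parse_selector((meta.get("annotations") or {}).get(NODE_SELECTOR, ""))
        if selector.get(TENANT_LABEL) != tenant:
            findings.append((name, "node selector does not pin project to tenant pool"))
        elif tenant not in pools:
            findings.append((name, "tenant has no labelled nodes"))
    return sorted(findings)

print("\n".join(f"{name}: {problem}" for name, problem in audit(SAMPLE_PROJECTS, SAMPLE_NODES)))
```

On a live cluster the same function can be fed the `items` arrays from `oc get namespaces -o json` and `oc get nodes -o json`, after excluding platform namespaces that are not tenant projects.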

Editor's Notes

  1. UCC: Voice available / mail being rolled out (December). ShaD: federation available / other versions being rolled out.