Workspaces
Multi-tenancy is implemented through workspaces. A workspace is a Kubernetes-cluster-like
HTTPS endpoint, i.e. an endpoint usual Kubernetes client tooling (client-go, controller-runtime
and others) and user interfaces (kubectl, helm, web console, ...) can talk to like to a
Kubernetes cluster. Workspaces become available under
/clusters/<parent-workspace-name>:<cluster-workspace-name>
.
Workspaces are backed by logical clusters, which means they are persisted in etcd on a shard with disjoint etcd prefix ranges, i.e. they have independent behaviour and no workspace sees objects from other workspaces. In contrast to namespace in Kubernetes, this includes non-namespaced objects, e.g. like CRDs where each workspace can have its own set of CRDs installed.
Note
For workspaces not backed by storage, check out virtual workspaces
that transform other APIs e.g. by projections or by applying visibility filters
(e.g. showing all workspaces or all namespaces the current user has access to).
Virtual workspaces are not part of the /clusters/
path structure.
Workspaces are represented to the user via the Workspace
kind, e.g.
kind: Workspace
apiVersion: tenancy.kcp.io/v1alpha1
spec:
type: Universal
status:
url: https://kcp.example.com/clusters/myapp
There are different types of workspaces, and workspaces are arranged in a tree. Each type of workspace may restrict the types of its children and may restrict the types it may be a child of; a parent-child relationship is allowed if and only if the parent allows the child and the child allows the parent.
Workspaces have a type. A type is defined by a WorkspaceType
. A type
defines initializers. They are set on new Workspace objects and block the
workspace from leaving the initializing phase. Both system components and
3rd party components can use initializers to customize Workspaces on creation,
e.g. to bootstrap resources inside the workspace, or to set up permission in its parent.
kcp comes with a built-in set of workspace types, and the admin may create objects that define additional types.
- Root Workspace is a singleton. It holds some data that applies
to all workspaces, such as the set of defined workspace types
(objects of type
WorkspaceType
). - HomeRoot Workspace is normally a singleton, holding the branch of workspaces that contains the user home workspaces as descendants. Can only be a child of the root workspace, and can only have HomeBucket children.
- HomeBucket Workspace are intermediate vertices in the hierarchy between the HomeRoot and the user home workspaces. Can be a child of the root or another HomeBucket workspace. Allowed children are home and HomeBucket workspaces.
- Home Workspace is a user's home workspace. These hold user resources such as applications with services, secrets, configmaps, deployments, etc. Can only be a child of a HomeBucket workspace.
- Universal Workspace is a basic type of workspace with no particular nature. Has no restrictions on parent or child workspace types.
The following workspace types are created by kcp if the workspace-types
battery
is enabled:
- Organization Workspace are workspaces holding organizational data, e.g. definitions of user workspaces, roles, policies, accounting data. Can only be a child of root.
- Team Workspace can only be a child of an Organization workspace.
A workspace of type Universal
is a workspace without further initialization
or special properties by default, and it can be used without a corresponding
WorkspaceType
object (though one can be added and its initializers will be
applied).
Note
In order to create workspaces of a given type (including Universal
)
you must have use
permissions against the workspacetypes
resources with the
lower-case name of the cluster workspace type (e.g. universal
). All system:authenticated
users inherit this permission automatically for type Universal
.
The different workspace types are discussed below.
User Home Workspaces
User home workspaces are an optional feature of kcp. If enabled (through --enable-home-workspaces
), there is a special
virtual Workspace
called ~
in the root workspace. It is used by kubectl ws
to derive the full path to the user
home workspace, similar to how Unix cd ~
move the users to their home.
The full path for a user's home workspace has a number of parts: <prefix>(:<bucket>)+:<user-name>
. Buckets are used to
ensure that at most ~1000 sub-buckets or users exist in any bucket, for scaling reasons. The bucket names are deterministically
derived from the user name (via some hash). Example for user adam
when using default configuration:
root:users:a8:f1:adam
.
User home workspaces are created on-demand when they are first accessed, but this is not visible to the user, allowing
the system to only incur the cost of these workspaces when they are needed. Only users of the configured
home-creator-groups (default system:authenticated
) will have a home workspace.
Bucket Configuration Options
The kcp
administrator can configure:
<prefix>
, which defaults toroot:users
- bucket depth, which defaults to 2
- bucket name length, in characters, which defaults to 2
The following outlines valid configuration options. With the default setup, ~5 users or ~700 sub-buckets will be in any bucket.
Warning
DO NOT set the bucket size to be longer than 2, as this will adversely impact performance.
User-names have (26 * [(26 + 10 + 2) * 61] * 36 = 2169648)
permutations, and buckets are made up of lowercase-alpha
chars. Invalid configurations break the scale limit in sub-buckets or users. Valid configurations should target
having not more than ~1000 sub-buckets per bucket and at least 5 users per bucket.
Valid Configurations
length | depth | sub-buckets | users |
---|---|---|---|
1 | 3 | 26 * 1 = 26 | 2169648 / (26)^3 = 124 |
1 | 4 | 26 * 1 = 26 | 2169648 / (26)^4 = 5 |
2 | 2 | 26 * 26 = 676 | 2169648 / (26*26)^2 = 5 |
Invalid Configurations
These are examples of invalid configurations and are for illustrative purposes only. In nearly all cases, the default values will be sufficient.
length | depth | sub-buckets | users |
---|---|---|---|
1 | 1 | 26 * 1 = 26 | 2169648 / (26) = 83448 |
1 | 2 | 26 * 1 = 26 | 2169648 / (26)^2 = 3209 |
2 | 1 | 26 * 26 = 676 | 2169648 / (26*26) = 3209 |
2 | 3 | 26 * 26 = 676 | 2169648 / (26*26)^3 = .007 |
3 | 1 | 26 26 26 = 17576 | 2169648 / (262626) = 124 |
3 | 2 | 26 26 26 = 17576 | 2169648 / (262626)^2 = .007 |
Organization Workspaces
Organization workspaces are workspaces of type Organization
, defined in the
root workspace. Organization workspaces are accessible at /clusters/root:<org-name>
.
Note
The organization WorkspaceType can only be created in the root workspace verified through admission.
Organization workspaces have standard resources (on-top of Universal
workspaces)
which include the Workspace
API defined through an CRD deployed during
organization workspace initialization.
Root Workspace
The default root workspace is a singleton in the system accessible under /clusters/root
.
It is not represented by a Workspace
anywhere, but shares the same properties.
Inside the root workspace at least the following resources are bootstrapped on kcp startup:
- Workspace CRD
- WorkspaceType CRD
- Shard CRD
- Partion CRD
- PartionSet CRD
The root workspace is the only one that holds Shard
objects. Shards
are used to schedule a new Workspace to, i.e. to select in which etcd the
workspace content is to be persisted.
System Workspaces
System workspaces are local to a shard and are named in the pattern system:<system-workspace-name>
.
System workspace are only accessible to a shard-local admin user, and there is neither a definition via a Workspace, nor is there any validation of requests that the system workspace exists.
As an example, the system:admin
workspace exists for administrative objects
that are scoped to the local shard (e.g. lease
objects for kcp internal controllers if
leader election is enabled). It is accessible via /clusters/system:admin
.