VMware Cloud Community
tkingf5
Contributor

K8s for VIO - cluster creation

The pages covering creating an OpenStack Provider and a cluster are not clear what the relationship is between adding users and groups to a cluster vs. project members, nor what the provider user's role should be when adding the Provider. Should the Provider user be admin or can they be _member_? Do cluster users need to be added to the Provider project? What roles must they be when they are added? What is the space below the user and group boxes to add other users/groups? What are the requirements to use that field? What is the delimiter between them?
ssurana
VMware Employee

Hi Tom,

The users/groups always live in the OpenStack layer. Since for the SDDC provider we create a thin VIO under the covers, the user/group management (CRUD) lies with the VIOK interface.

For the OpenStack provider the VIO-K layer only gives you a read-only view of the users/groups present in the VIO installation. Also, for this read-only view to work, the user credential that you use at the time of provider creation needs to have an "admin" role in VIO. This is because a non-admin user in OpenStack cannot list other users/groups. However, having the user (in the provider) as an admin is NOT a requirement. You can use a user that is just a _member_ on a project as well. The only difference then would be that you will not be able to see the users/groups populated in the UI.

Now for the users/groups in the context of the k8s cluster: here you are just doing the association. For instance, in a shared cluster, you create a namespace and then assign existing OpenStack users/groups to this namespace for access. And for an exclusive cluster, you associate the same users/groups at the cluster level instead of the namespace level.

Note that there is no requirement for these users/groups to be part of the project you chose in the provider. The requirement is just for these users/groups to be valid users from the OpenStack perspective.

Let's see the concept using an example:

In VIO, say you have project A and project B. You have, say, users "admin", A1, A2, B1, B2 that exist in VIO, with "admin" having the administrator role and the others being just _member_. A1, A2 are members of project A and B1, B2 are members of project B.

The only time when the user -> project assignment matters is for the user that you use to create the provider, as the chosen project will be used to create instances.

1. Now if you create a provider using "admin" as the user and project B (call this P1), and then create a "shared" cluster C1. Then for C1 you can go to the VIOK UI, where you will be able to create a namespace and also see the list of users that you can choose from and assign them to the namespace. Here, if you want, you can create a namespace and assign B1, B2 to it as well.

2. Now with the same provider P1 above, you create an "exclusive" cluster C2. Then for C2 you can go to the VIOK UI, where you will be able to see the list of users that you can choose from and assign them to the cluster.

3. Now if you create a provider using "A1" as the user and project A (say P2), and then create a "shared" cluster C3. Then for C3 you can go to the VIOK UI, where you will be able to create a namespace, but you will not be able to see the list of users that you can choose from (since A1 is not an administrator); rather, you can list the names of the users and groups in the space below the list (comma separated, no extra spaces, e.g. "A1,A2,B1") and assign them to the namespace.

4. Now with the same provider P2 above, you create an "exclusive" cluster C4. Then for C4 you can go to the VIOK UI, but you will not be able to see the list of users that you can choose from (since A1 is not an administrator); rather, you can list the names of the users and groups in the space below the list (comma separated, no extra spaces) and assign them to the cluster C4.

Hope this helps, we will work on improving the docs further to explain this better.

Let us know if you have any other questions.

~ Sidharth

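The rules in the reply above, modelled as an added example (constructed for this thread, not VIO-K code): the provider user only needs the "admin" role to populate the user/group list, the free-text field is parsed as comma-separated names with no spaces, and assignees must exist in OpenStack but need not belong to the provider's project. The users, projects and providers P1/P2 are the ones from the reply; the group name "devs" is an assumed placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed OpenStack (VIO) state from the thread: "admin" holds the
# administrator role, the others are _member_ on their project.
USER_ROLES: Dict[str, str] = {
    "admin": "admin", "A1": "_member_", "A2": "_member_",
    "B1": "_member_", "B2": "_member_",
}
PROJECT_MEMBERS: Dict[str, set] = {"A": {"A1", "A2"}, "B": {"B1", "B2"}}
GROUPS = {"devs"}  # assumed placeholder group


@dataclass
class Provider:
    """An OpenStack provider: the credential used and the project that hosts instances."""
    name: str
    user: str
    project: str


def can_list_principals(p: Provider) -> bool:
    """The read-only user/group list in the UI needs the provider user to be admin."""
    return USER_ROLES.get(p.user) == "admin"


# Exactly "A1,A2,B1": names separated by commas, no whitespace anywhere.
_STRICT = re.compile(r"^[^\s,]+(,[^\s,]+)*$")


def parse_manual_list(text: str) -> List[str]:
    """Parse the free-text field used when the UI cannot list users/groups."""
    if not _STRICT.match(text):
        raise ValueError(f"expected comma-separated names without spaces, got {text!r}")
    return text.split(",")


def assign(p: Provider, cluster_kind: str, names: List[str]) -> dict:
    """Associate OpenStack users/groups with a namespace (shared) or cluster (exclusive)."""
    unknown = [n for n in names if n not in USER_ROLES and n not in GROUPS]
    if unknown:
        raise ValueError(f"not valid OpenStack users/groups: {unknown}")
    scope = "namespace" if cluster_kind == "shared" else "cluster"
    # Membership of the provider's project is deliberately NOT checked here.
    outside_project = sorted(n for n in names if n not in PROJECT_MEMBERS.get(p.project, set()))
    return {"scope": scope, "principals": sorted(names),
            "listed_via_ui": can_list_principals(p), "outside_provider_project": outside_project}
```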