Multi-tenancy allows you to completely isolate tenants from each other on the same Quobyte cluster. By default, this isolation is on the logical level. This means that tenants cannot see or access each other's resources. However, you can also use the Quobyte Policy Engine to add full hardware isolation so that tenants don't share the same drives or servers.
The Quobyte CSI plugin can direct all persistent volume claims (PVCs) to a single Quobyte tenant or map Kubernetes namespaces onto Quobyte tenants. The first option is the best choice when you have multiple clusters, e.g. one per group, and you want to consolidate the storage for all Kubernetes clusters on one Quobyte cluster.
The alternative of automatically mapping the Kubernetes namespaces onto Quobyte tenants is suitable for situations where you have one or more Kubernetes clusters that are already shared among groups. If enabled, Quobyte maps the name of the Kubernetes namespace to a Quobyte tenant, i.e. there needs to be a corresponding tenant with the exact same spelling in your Quobyte cluster.
Next, we have to tell the Quobyte CSI plugin to map Kubernetes namespaces onto Quobyte tenants:
Edit the quobyte-csi-driver/values.yaml file and set

    useK8SNamespaceAsTenant: true

If you want to use access keys, you should also set

Or if you want to map a whole cluster to a tenant, you leave

    useK8SNamespaceAsTenant: false

and add the tenant to the StorageClass.yaml (you can read more about storage classes with Quobyte here):

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: quobyte-storage
    provisioner: csi.quobyte.com
    allowVolumeExpansion: true
    parameters:
      quobyteTenant: "Department A"
    ...

Deploy or install the Quobyte CSI plugin:

    helm install quobyte-csi ./quobyte-csi-driver
Now you have to map your users to tenants. If you use the internal database in Quobyte, you just have to add a tenant membership to each user:
If you use LDAP you have to map LDAP groups onto Quobyte tenants:
And that's it. When a user creates a PVC in a namespace the Quobyte CSI plugin will create a corresponding Quobyte volume in the tenant matching the namespace.
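Because the namespace mapping only works when a tenant exists with exactly the same spelling as the namespace, it is worth comparing the two name lists before enabling it. The following check is an added example, not code from the original article or from Quobyte; the function name, the list of ignored system namespaces and the sample names are assumptions, and in practice you would pass in your real namespace and tenant lists.

```python
import re

# Kubernetes namespace names are RFC 1123 DNS labels: lowercase alphanumerics
# and '-', starting and ending with an alphanumeric, at most 63 characters.
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")

# Assumption: cluster-internal namespaces that should not get a tenant.
SYSTEM_NAMESPACES = ("kube-system", "kube-public", "kube-node-lease")


def _norm(name):
    """Fold case and separators so near-identical spellings compare equal."""
    return re.sub(r"[\s_-]+", "-", name.strip().lower())


def audit_namespace_tenant_mapping(namespaces, tenants, ignore=SYSTEM_NAMESPACES):
    """Compare namespace names with tenant names for useK8SNamespaceAsTenant: true."""
    tenant_set = set(tenants)
    by_norm = {}
    for tenant in tenant_set:
        by_norm.setdefault(_norm(tenant), []).append(tenant)

    report = {"mapped": [], "near_miss": {}, "missing": []}
    for ns in sorted(set(namespaces) - set(ignore)):
        if ns in tenant_set:                      # exact spelling: mapping works
            report["mapped"].append(ns)
        elif _norm(ns) in by_norm:                # differs only in case/separators
            report["near_miss"][ns] = sorted(by_norm[_norm(ns)])
        else:                                     # no tenant with this name at all
            report["missing"].append(ns)
    # Tenant names that are not valid namespace names can never be selected by
    # the namespace mapping; they need the quobyteTenant StorageClass parameter.
    report["storageclass_only"] = sorted(
        t for t in tenant_set if not DNS_LABEL.fullmatch(t))
    return report


# Constructed sample data, not taken from a real cluster.
SAMPLE_NAMESPACES = ["default", "kube-system", "department-a", "team-ml", "research", "ci"]
SAMPLE_TENANTS = ["Department A", "team-ml", "Research", "default"]

if __name__ == "__main__":
    report = audit_namespace_tenant_mapping(SAMPLE_NAMESPACES, SAMPLE_TENANTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A tenant such as "Department A" shows up under storageclass_only because a namespace name cannot contain spaces or uppercase letters, so it can only be addressed with the whole-cluster option.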
If you want your users to be able to check their resource utilization or create access keys, they can log into the Quobyte Webconsole: