Use cases
This chapter presents a series of use cases to demonstrate how the IBM Spectrum Virtualize appliance facilitates multi-tenancy. It includes the following topics:
4.1 Provisioning storage on a Spectrum Virtualize dedicated to an OCP environment
In this use case, the storage infrastructure is dedicated to OCP. The platform serves different customers or projects. In this example, it is safe to consider the OCP administrator as a Spectrum Virtualize administrator and that the Object-Based Access Control is not mandatory.
As a Spectrum Virtualize administrator, the OCP administrator can perform the following tasks:
Create child pools and increase their size.
Create storage classes on a Data Reduction Pool (DRP) and, thus, offer deduplicated volumes.
Set throttling limits on pools, volumes, hosts, and so on.
Create volume snapshots.
4.2 Provisioning storage on a Spectrum Virtualize shared with other applications
In this example, the storage infrastructure is shared with other workloads (SAP, Oracle, and so on). A subset of the storage array is dedicated to OCP workloads. Depending on how security is organized, the OCP administrator (and the IBM Block CSI driver) might not have full administrator privileges on the storage array.
With Spectrum Virtualize, you use the Object-based Access Control and create a limited administrator for the OCP environment, as described in Chapter 2, “Limiting storage resources with IBM Spectrum Virtualize” on page 7.
With this logic, storage tenants must be created in advance by the Spectrum Virtualize administrator and then delegated to the limited administrator, which is then provided to the OCP administrator.
This limited administrator can perform the following tasks:
Dynamically provision and use storage in the delegated pools.
Create volume snapshots.
This limited administrator must refer to the Spectrum Virtualize administrator to perform the following tasks:
Create child pools for more storage classes.
Increase the size of a child pool that was added.
Set throttling limits.
This limited administrator cannot use DRPs and, thus, cannot offer deduplicated volumes.
4.3 Sharing storage classes across different customers with usage limits per project
In this use case, the OCP infrastructure features two storage classes: v7k-gold and v7k-silver. Kubernetes resource quotas are defined for each project, which set limits globally and at the storage class level. We want to allow the projects’ users to provision 10 Gi of gold storage and 20 Gi of silver storage, with a total maximum of 25 Gi.
We define a resource quota that is applied to each customer’s project, as shown in the following example:
$ cat quota-storage-consumption.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: storage-consumption
spec:
  hard:
    requests.storage: "25Gi"
    v7k-gold.storageclass.storage.k8s.io/requests.storage: "10Gi"
    v7k-silver.storageclass.storage.k8s.io/requests.storage: "20Gi"
$ oc apply -f quota-storage-consumption.yaml -n project1
$ oc apply -f quota-storage-consumption.yaml -n project2
$ oc apply -f quota-storage-consumption.yaml -n project3
$
We can apply different resource quotas with different values to each project. We can also apply a default quota, as described in “Creating a custom project template enforcing resource quotas” on page 24.
4.4 Limiting storage usage per project’s owner
In this use case, the OCP infrastructure features two storage classes: v7k-gold and v7k-silver. We do not want to limit storage usage per project, but per user. Although OCP cannot limit storage per user directly, we can apply a quota to the group of projects that share the same requester.
We want to define a quota of 100 Gi of gold storage and 200 Gi of silver storage, with a total maximum capacity of 250 Gi and a maximum of 100 PVCs, shared by all of Customer1’s projects.
We define a cluster resource quota applied to projects whose owner is Customer1, as shown in Example 4-1.
Example 4-1 Defining a cluster resource quota
$ cat quota-storage-consumption-for-user-customer1.yaml
apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  name: storage-consumption-for-customer1
spec:
  quota:
    hard:
      requests.storage: "250Gi"
      v7k-gold.storageclass.storage.k8s.io/persistentvolumeclaims: "100"
      v7k-gold.storageclass.storage.k8s.io/requests.storage: "100Gi"
      v7k-silver.storageclass.storage.k8s.io/requests.storage: "200Gi"
  selector:
    annotations:
      openshift.io/requester: "customer1"
$ oc apply -f quota-storage-consumption-for-user-customer1.yaml
$
This quota is automatically applied to each project that is created by Customer1. It is also possible to create project-specific resource quotas in addition. In this case, the lower limits apply.
4.5 Dedicating a storage class to a specific customer’s project
In this use case, the OCP infrastructure features two storage classes: v7k-gold and v7k-silver. We want to dedicate a new storage class, with its own capacity (100 Gi) and its own characteristics, to our customer Customer1 for its project the-project. Customer1 cannot use any other storage classes.
The OCP project (the-project) exists with a default quota storage-consumption-the-project, as defined in “Creating a custom project template enforcing resource quotas” on page 24.
The first step is to create a dedicated pool for the customer project. If needed, throttling limits can also be set on it. As shown in Figure 4-1, the pool named OCP_Customer1_project1 is a child pool that is delegated to the OCP tenant.
Figure 4-1 Creating a child pool
 
 
Note: If Object-based Access Control is used, this pool is a child pool, and the OCP administrator must request its creation.
 
A storage class must be created that targets this new pool and specifies the space efficiency option, as shown in Example 4-2.
Example 4-2 Creating the storage class
$ cat sc-customer1-theproject.yml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: v7k-customer1-theproject
  namespace: ibm-block-csi   # ignored by the API server: a StorageClass is cluster-scoped
provisioner: block.csi.ibm.com
parameters:
  pool: OCP_Customer1_TheProject
  csi.storage.k8s.io/provisioner-secret-name: v7k-secret
  csi.storage.k8s.io/provisioner-secret-namespace: ibm-block-csi
  csi.storage.k8s.io/controller-publish-secret-name: v7k-secret
  csi.storage.k8s.io/controller-publish-secret-namespace: ibm-block-csi
  csi.storage.k8s.io/fstype: ext4
$ oc apply -f sc-customer1-theproject.yml
storageclass.storage.k8s.io/v7k-customer1-theproject created
$
We now need to edit the quota (or create one if no quota exists) so that only the storage class v7k-customer1-theproject can be used.
Because a quota cannot explicitly allow a single storage class, we forbid the use of all the other storage classes by setting their limits to 0. We specifically forbid the project from using the classes v7k-gold and v7k-silver, as shown in Example 4-3.
Example 4-3 Editing the quota to forbid the use of some storage classes
$ oc edit resourcequotas -o yaml storage-consumption-the-project
apiVersion: v1
kind: ResourceQuota
metadata:
  creationTimestamp: "2020-08-25T13:16:49Z"
  name: storage-consumption-the-project
  namespace: the-project
  resourceVersion: "62544742"
  selfLink: /api/v1/namespaces/the-project/resourcequotas/storage-consumption-the-project
  uid: 3ae58063-b1ff-458c-901a-7a2641a6abea
spec:
  hard:
    v7k-gold.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
    v7k-gold.storageclass.storage.k8s.io/requests.storage: "0"
    v7k-silver.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
    v7k-silver.storageclass.storage.k8s.io/requests.storage: "0"
status:
  ...
$
The project’s users can use only the remaining “non-forbidden” storage class, which is v7k-customer1-theproject.
 
Important: If you add storage classes later, do not forget to add them to the project’s quota; a class that the quota does not mention is not restricted, so the project’s users can use it freely.
4.6 Dedicating a storage class to be shared among all the customer’s projects
In this use case, the OCP infrastructure features two storage classes: v7k-gold and v7k-silver. We want to dedicate a new storage class, with its own capacity (500 Gi) and its own characteristics, to Customer1. This storage class is shared among all of its projects. Customer1 cannot use any other storage classes.
The first step is to create a dedicated pool for the customer. If needed, throttling limits can also be set on it. In this example, this pool is named OCP_Customer1. It is a child pool that is delegated to the OCP tenant (see Figure 4-2).
Figure 4-2 Creating a child pool for PoolOnPrem
 
Note: If Object-based Access Control is used, this pool is a child pool, and the OCP administrator must request that it be created.
We now create a cluster resource quota and apply it to all the projects that belong to Customer1. Because a quota cannot explicitly allow a single storage class, we forbid the use of all the others by setting their limits to 0. In our example, we specifically forbid the projects from using the classes v7k-gold and v7k-silver, as shown in Example 4-4.
Example 4-4 Creating and applying a cluster resource quota
$ cat quota-storage-consumption-for-user-customer1.yaml
apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  name: storage-consumption-for-customer1
spec:
  quota:
    hard:
      v7k-gold.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
      v7k-gold.storageclass.storage.k8s.io/requests.storage: "0"
      v7k-silver.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
      v7k-silver.storageclass.storage.k8s.io/requests.storage: "0"
  selector:
    annotations:
      openshift.io/requester: "customer1"
$ oc apply -f quota-storage-consumption-for-user-customer1.yaml
clusterresourcequota.quota.openshift.io/storage-consumption-for-customer1 created
$
 
Important: Be aware of the following situations:
If you later add storage classes, do not forget to add them to the cluster resource quota; a class that the quota does not mention is not restricted, so the projects’ users can use it freely.
If Customer1’s projects also have their own resource quotas (for example, from a default project template), the lower limits apply. You might want to delete those resource quotas if they are no longer relevant.
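The quota decisions that sections 4.3 to 4.6 rely on can be reproduced offline. The following Python model is an added example, not part of this Redbook and not IBM's or Red Hat's code: it applies every ResourceQuota and every matching ClusterResourceQuota to a new PVC (all must admit it, hence "the lower limits apply"), treats a limit of 0 as forbidding a class, leaves a class no quota names unrestricted, and lists such unrestricted classes, which is the gap the Important notes warn about. The helper names and the quota data (mirroring Examples 4-1 and 4-3) are constructed.

```python
"""Simulate OpenShift's quota admission check for a new PersistentVolumeClaim. Added
example, not IBM's or Red Hat's code; helper names and sample data are constructed."""
UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}

def qty(s):
    """'25Gi' -> bytes; bare integers (object counts) pass through unchanged."""
    s = str(s)
    return int(s[:-2]) * UNITS[s[-2:]] if s[-2:] in UNITS else int(s)

def quota_hard(doc, ns_annotations):
    """'hard' limits of a quota that applies to the namespace, else None.
    A ClusterResourceQuota applies only if every selector annotation matches."""
    if doc["kind"] == "ClusterResourceQuota":
        sel = doc["spec"].get("selector", {}).get("annotations", {})
        if any(ns_annotations.get(k) != v for k, v in sel.items()):
            return None
        return doc["spec"]["quota"]["hard"]
    return doc["spec"]["hard"]

def pvc_keys(storage_class, size):
    """Every quota key a PVC counts against, with the amount it adds to each."""
    sc = f"{storage_class}.storageclass.storage.k8s.io"
    return {"persistentvolumeclaims": 1, "requests.storage": qty(size),
            f"{sc}/persistentvolumeclaims": 1, f"{sc}/requests.storage": qty(size)}

def admit(quotas, ns_annotations, used, storage_class, size):
    """True if the PVC fits every quota covering the namespace (all must pass, so the
    lower limits apply); keys no quota mentions are unrestricted, hence '0' forbids."""
    for doc in quotas:
        hard = quota_hard(doc, ns_annotations) or {}
        for key, add in pvc_keys(storage_class, size).items():
            if key in hard and used.get(key, 0) + add > qty(hard[key]):
                return False
    return True

def uncovered_classes(quotas, ns_annotations, all_classes):
    """Classes no applying quota limits at all: the gap the 'Important' notes
    warn about when a storage class is added after the quota was written."""
    limited = set()
    for doc in quotas:
        for key in quota_hard(doc, ns_annotations) or {}:
            if ".storageclass.storage.k8s.io/" in key:
                limited.add(key.split(".storageclass.storage.k8s.io/")[0])
    return sorted(set(all_classes) - limited)

# Constructed data mirroring Example 4-3 (project quota forbidding gold and silver)
# and Example 4-1 (cluster quota for projects requested by customer1).
PROJECT_QUOTA = {"kind": "ResourceQuota", "spec": {"hard": {
    "v7k-gold.storageclass.storage.k8s.io/requests.storage": "0",
    "v7k-silver.storageclass.storage.k8s.io/requests.storage": "0"}}}
CLUSTER_QUOTA = {"kind": "ClusterResourceQuota", "spec": {
    "selector": {"annotations": {"openshift.io/requester": "customer1"}},
    "quota": {"hard": {"requests.storage": "250Gi",
              "v7k-gold.storageclass.storage.k8s.io/persistentvolumeclaims": "100",
              "v7k-gold.storageclass.storage.k8s.io/requests.storage": "100Gi"}}}}
```

Running uncovered_classes against the list of storage classes from `oc get sc` after every class addition is the practical check behind the Important notes.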
4.7 Conclusion
In this publication, you saw that it is possible to restrict storage usage in a Red Hat OpenShift Container Platform by using resource quotas, which prevents a user from over-consuming storage.
You also saw that, with IBM Spectrum Virtualize and its Object-Based Access Control, you can implement multi-tenancy to secure storage usage. Combining these features, you can secure the storage usage all the way from the OpenShift user to the IBM Spectrum Virtualize array.
This document provides examples of cases where such control is useful; however, more use cases might exist where these techniques and features can help, for example to provide billing data.