Configuring multitenancy

To configure multitenancy for the compute cluster, you need to create domains and projects, define their quotas, and assign users to them.

Limitations

  • You can set domain and project quotas only after deploying the compute cluster.
  • You cannot configure domain quotas for floating IP addresses, VPN connections, load balancers, Kubernetes clusters, and placements.

Prerequisites

  • A clear understanding of the multitenancy concept.
  • Quotas can exceed the existing virtual resources, and virtual resources are not reserved for each project. For this reason, the compute cluster must have enough virtual resources for all projects in all domains.

To create a domain

Admin panel

  1. On the Settings > Projects and users screen, click Create domain.
  2. In the Create domain window, specify the domain name and, optionally, description.

    A description should not contain any personally identifiable information or sensitive business data.

  3. Define quotas for virtual resources that will be available inside the domain. To specify a certain value for a resource, clear the Unlimited check box next to it first.

    You can only configure domain quotas for vCPUs, RAM, and storage space.

  4. Click Create.

Command-line interface

Use the following command:

vinfra domain create [--description <description>] [--enable | --disable] <name>
--description <description>
    Domain description

    A description should not contain any personally identifiable information or sensitive business data.

--enable
    Enable domain
--disable
    Disable domain
<name>
    Domain name

For example, to create the domain mydomain, run:

# vinfra domain create mydomain

The created domain will appear in the vinfra domain list output:

# vinfra domain list
+--------------+----------+---------+--------------------+
| id           | name     | enabled | description        |
+--------------+----------+---------+--------------------+
| default      | Default  | True    | The default domain |
| 24986479e<…> | mydomain | True    |                    |
+--------------+----------+---------+--------------------+

To create a project

Admin panel

  1. On the Settings > Projects and users screen, click a domain within which the project will be created.
  2. On the Projects tab, click Create project.
  3. In the Create project window, specify the project name and, optionally, description. The project name must be unique within a domain.

    A description should not contain any personally identifiable information or sensitive business data.

  4. Clear the Enabled check box to disable the created project.

  5. Define quotas for virtual resources that will be available inside the project. To specify a certain value for a resource, clear the Unlimited check box next to it first.

    The default storage policy must be shared with projects that will use the Kubernetes-as-a-service feature.

  6. Click Create.

Command-line interface

Use the following command:

vinfra domain project create [--description <description>] [--enable | --disable]
                             --domain <domain> <name>
--description <description>
    Project description

    A description should not contain any personally identifiable information or sensitive business data.

--enable
    Enable project
--disable
    Disable project
--domain <domain>
    Domain name or ID
<name>
    Project name

For example, to create the project myproject within the domain mydomain and add a description to it, run:

# vinfra domain project create myproject --domain mydomain --description "A custom project"

The created project will appear in the vinfra domain project list output:

# vinfra domain project list --domain mydomain
+-------------+-----------+---------+------------------+--------------+
| id          | name      | enabled | description      | domain_id    |
+-------------+-----------+---------+------------------+--------------+
| 79830e3c<…> | myproject | True    | A custom project | 24986479e<…> |
+-------------+-----------+---------+------------------+--------------+

To create a self-service user

Admin panel

  1. On the Settings > Projects and users screen, click a domain within which the user will be created.
  2. Go to the Domain users tab, and then click Create user.
  3. In the Create user window, specify the user name, password, and, if required, a user email address and description. The user name must be unique within a domain.

    A description should not contain any personally identifiable information or sensitive business data.

  4. Select the user role:

  5. Click Create.

Command-line interface

Use the following command:

vinfra domain user create [--email <email>] [--description <description>]
                          [--assign <project> <role>] [--assign-domain <domain> <roles>]
                          [--domain-permissions <domain_permissions>]
                          [--enable | --disable] --domain <domain> <name>
--email <email>
    User email
--description <description>
    User description

    A description should not contain any personally identifiable information or sensitive business data.

--assign <project> <role>
    Assign a user to a project with one or more permission sets. Specify this option multiple times to assign the user to multiple projects.

      • <project>: project ID or name
      • <role>: user role in the project (project_admin)

--assign-domain <domain> <roles>
    Assign a user to a domain with one or more permission sets. Specify this option multiple times to assign the user to multiple domains. This option is only valid for service accounts.

      • <domain>: domain ID or name
      • <roles>: a comma-separated list of service account roles (compute)

--domain-permissions <domain_permissions>
    A comma-separated list of domain permissions. View the list of available domain permissions using vinfra domain user list-available-roles | grep domain.
--enable
    Enable user
--disable
    Disable user
--domain <domain>
    Domain name or ID
<name>
    User name

Example 1. To create a domain administrator account called myadmin within the domain mydomain and grant this user the permission to manage projects and their quotas, run:

# vinfra domain user create myadmin --domain mydomain --domain-permissions domain_admin,quota_manager

Specify the user password when prompted.

Example 2. To create the project member myuser for the project myproject within the domain mydomain and grant this user the permission to upload images, run:

# vinfra domain user create myuser --domain mydomain --assign myproject project_admin --domain-permissions image_upload

Specify the user password when prompted.

The created users will appear in the vinfra domain user list output:

# vinfra domain user list --domain mydomain
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| id          | name    | email | enabled | description | domain_permissions | assigned_projects         |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| 28aa0207<…> | myadmin |       | True    |             | - domain_admin     | []                        |
|             |         |       |         |             | - quota_manager    |                           |
| fb9fa0b2<…> | myuser  |       | True    |             | - image_upload     | - project_id: 79830e3c<…> |
|             |         |       |         |             |                    |   role: project_admin     |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
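
To review who holds domain-level permissions after creating users, the multi-line rows of this table can be folded into one record per user. The script below is an added example, not part of the product documentation; the function names and the name:enabled:permissions:project_count record format are assumptions made here, and the sample input is the table shown above.

```sh
#!/bin/sh
# Added example, not vinfra code. Folds the multi-line rows printed by
# `vinfra domain user list --domain <domain>` into one record per user.

# Sample input: the table shown above (IDs are truncated on the page).
sample_table() {
cat <<'EOF'
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| id          | name    | email | enabled | description | domain_permissions | assigned_projects         |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| 28aa0207<…> | myadmin |       | True    |             | - domain_admin     | []                        |
|             |         |       |         |             | - quota_manager    |                           |
| fb9fa0b2<…> | myuser  |       | True    |             | - image_upload     | - project_id: 79830e3c<…> |
|             |         |       |         |             |                    |   role: project_admin     |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
EOF
}

# Reads the table on stdin; prints name:enabled:permissions:project_count.
domain_user_summary() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function emit() { if (name != "") print name ":" enabled ":" perms ":" nproj }
        /^[+]/ || NF < 9 { next }            # borders and non-table lines
        {
            id = trim($2); perm = trim($7); proj = trim($8)
            if (id == "id") next             # header row
            if (id != "") {                  # a non-empty id starts a new user
                emit(); name = trim($3); enabled = trim($5); perms = ""; nproj = 0
            }
            # Permission cells are "- <permission>" items, one per table line.
            if (sub(/^- /, "", perm)) perms = (perms == "" ? perm : perms "," perm)
            if (proj ~ /^- project_id:/) nproj++
        }
        END { emit() }
    '
}

# Prints the names of users that hold the given domain permission.
users_with_permission() {
    domain_user_summary | awk -F: -v want="$1" '
        { n = split($3, p, ","); for (i = 1; i <= n; i++) if (p[i] == want) print $1 }'
}

# Against a live cluster: vinfra domain user list --domain mydomain | domain_user_summary
sample_table | domain_user_summary
```

Comparing the output of users_with_permission domain_admin against the list of accounts that are expected to administer the domain shows any unexpected grants.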