search

liqotech / liqo

Enable dynamic and seamless Kubernetes multi-cluster topologies
https://liqo.io
Apache License 2.0
1.09k stars 103 forks source link

[Feature] New Authentication Module #2382

Open aleoli opened 6 months ago

aleoli commented 6 months ago

Authentication Module

This feature proposes a new authentication module, replacing the current one, in order to simplify its operations (e.g., by limiting cross-cluster interactions, such as request/offers) and bringing in more modularity (e.g., declarative operations). It is based on the concept of Identity and Tenant resources, which are used to authenticate and authorize the communication between two clusters: the provider (the cluster that provides resources) and the consumer (the cluster that consumes resources).

Design Goals

New Resources

Identity

The Identity resource is the owner of a Kubeconfig secret, that can be used both by Liqo controllers and by the user to access the provider cluster.

They can be of two kinds: Control Plane or Resource; with different permissions and purposes.

Only one Identity resource of kind Control Plane can be created for each provider cluster. Multiple Identity resources of kind Resource can be created for each provider cluster.

Spec

Field Description Optional
ClusterID The ID of the cluster the identity is targeting to
API Server The API Server address of the cluster the identity is targeting to
CA The CA of the cluster the identity is targeting to
SignedCertificate The signed certificate for this identity
Type The type for this identity (one of ControlPlane or Resource)

Status

Field Description Optional
SecretRef The reference to the secret containing the Kubeconfig created for this identity

ResourceSlice

The ResourceSlice resource is used to request resources from a provider cluster and map how much of them are provided.

There could be multiple ResourceSlice resources for each provider cluster, each one with a different amount of resources requested.

For each ResourceSlice resource, a new Identity resource is created, and the Kubeconfig secret ref is stored in the Status of the ResourceSlice resource.

ResourceSlices can have different classes, to allow the provider cluster to have different policies for different resources. By default, the provider Liqo controllers will accept all the ResourceSlice resources allowing the usage of all the requested resources.

Spec

Field Description Optional
Resources The amount of resources requested to the provider cluster v
Class The class for this slice, similar to ingress classes
ClusterID The ID of the consumer cluster

Status

Field Description Optional
State The state for this slice (one of Accepted or Denied)
Resources The amount of resources provided by the provider cluster
AuthParams The parameters required to fill an identity spec

Tenant

The Tenant resource maps the consumer cluster in the provider cluster, and it is the owner of a tenant namespace.

Only one Tenant resource can be created for each consumer cluster.

Spec

Field Description Optional
ClusterID The ID of the cluster the tenant is referring to
PublicKey The public key of the cluster the identity is referring to
CSR The CSR of the cluster the identity is referring to
Signature The signature proving the identity of the consumer cluster

Status

Field Description Optional
TenantNamespace The name of the controlled tenant namespace
AuthParams The parameters required to fill an identity spec

Workflow

Control Plane

The Control Plane is the first step of the authentication process, and it is used to authenticate the consumer cluster to the provider cluster and to provide the consumer cluster with a Kubeconfig to manage Liqo control plane resources and to check the health of the provider cluster.

In the schema, dashed arrows represent manual actions where the user (or software acting for him) needs to move data between the two clusters. In that way, no automatic action is performed between clusters by Liqo components, leading to full declarativity.

Interactions

The schema shows the lowest level interaction required to set up this step by using liqoctl. Those steps can be wrapped by another liqoctl command, in which the user is the owner of both clusters, and they are reachable at the same time from the same machine.

Untitled-2024-02-16-1706

Resource Acquisition

Resource Acquisition is the second step of the authentication process, and it is used to authenticate the consumer cluster to the provider cluster and to provide the consumer cluster with a Kubeconfig to manage the computing resources requested and scheduled to the provider cluster.

In the schema, red arrows represent resources replicated by the Liqo CRD Replicator; no manual action is required.

Interactions

The schema shows the lowest level interaction required to set up this step by using liqoctl. The only step is creating the ResoruceSlice resource; then, everything is handled by the CRD replicator.

The creation of the related VirtualNode may be automatized by setting an annotation over the ResourceSlice.

Untitled-2024-02-16-1706_2

tiwatsuka commented 3 months ago

@aleoli I'm interested in the feature discussed #1768 and here. Would this improvement solve #1494? For example, if a foreign cluster could be devided into some virtual nodes by the labels of actual nodes, we can offload pods to nodes with specific labels by setting NodeSelector or NodeAffinity.

aleoli commented 3 months ago

Hi @tiwatsuka! Yes, this, in combination with a custom offloading patch for each virtual node, could solve this issue

tiwatsuka commented 3 months ago

Thank you @aleoli. That sounds great! Could I ask you when is the feature released?

aleoli commented 3 months ago

It should be released in the next weeks as a release candidate for testing and a release at the end of July