Does OpenShift support true multi-tenancy by segregating containers on host-level?

3/30/2016

It took me a while to kinda understand what OpenShift is and what it does (additionally to Kubernetes itself).

My question refers to the current release of OpenShift Origin 1.1 (OpenShift 3.1).

  • Does OpenShift support true multi-tenancy by running containers from separate tenants on dedicated hosts?

Without going too much into detail, it should be common knowledge (if you're familiarized with Docker/Container security issues), that you can protect tenants from each other against container breakouts or other exploits only by doing container segregation on a host level.

(I strongly recommend this ebook on Docker Security).

The documentation of OpenShift only describes the concept of projects and users and the Kubernetes docs only state the concept of namespaces for scoping certain resources.

Thanks for any insights on this or your thoughts on this, if you have experience with running OpenShift as a multi-tenant Container/PaaS platform for developers or customers.

-- DW.futuretec
Tags: containers, docker, kubernetes, openshift, security

1 Answer

7/14/2016

Yes, you can keep containers separated from each other by running them on different hosts.

The way this is done is by configuring scheduler policies. The scheduler is not a "time scheduler", but a resource scheduler that will determine where to run pods.

Running pods (set of 1 or more containers) on different nodes can specifically be configured by using anti-affinity rules.

See https://docs.openshift.com/enterprise/3.0/admin_guide/scheduler.html in general, and https://docs.openshift.com/enterprise/3.0/admin_guide/scheduler.html#affinity specifically to get more details on how to set up this configuration.

The documentation over at https://github.com/kubernetes/kubernetes/blob/master/docs/design/podaffinity.md also provides insight into this.

-- Ludovic Aelbrecht
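Scheduler policy decides where pods land, but it does not prove the result; a simple audit of actual placement does. As an added example (not part of the answer above), the script below reads the JSON that `oc get pods --all-namespaces -o json` produces and flags every node that hosts pods from more than one tenant. The tenant label name and the pod list are assumptions constructed for the example.

```python
"""Audit pod placement for cross-tenant co-location on the same host.

Input is a pod list in the shape returned by
`oc get pods --all-namespaces -o json`. Tenant identity is read from a
pod label (assumed name: "tenant"); pods without that label are reported
as "unlabelled" so they show up rather than silently passing.
"""
import json
from collections import defaultdict

TENANT_LABEL = "tenant"  # assumed label name, adjust to your convention

# Constructed sample, not real cluster output. "node-b" deliberately
# carries pods from two tenants; the pending pod has no nodeName yet.
SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "web-1", "namespace": "acme-prod",
                      "labels": {"tenant": "acme"}},
         "spec": {"nodeName": "node-a"}},
        {"metadata": {"name": "db-1", "namespace": "acme-prod",
                      "labels": {"tenant": "acme"}},
         "spec": {"nodeName": "node-b"}},
        {"metadata": {"name": "api-1", "namespace": "globex-dev",
                      "labels": {"tenant": "globex"}},
         "spec": {"nodeName": "node-b"}},
        {"metadata": {"name": "batch-1", "namespace": "globex-dev",
                      "labels": {"tenant": "globex"}},
         "spec": {"nodeName": "node-c"}},
        {"metadata": {"name": "pending-1", "namespace": "globex-dev",
                      "labels": {"tenant": "globex"}},
         "spec": {}},
    ],
})


def tenants_per_node(pod_list_json):
    """Map each node name to the set of tenants that have pods on it."""
    nodes = defaultdict(set)
    for item in json.loads(pod_list_json)["items"]:
        node = item.get("spec", {}).get("nodeName")
        if not node:
            continue  # not scheduled yet, nothing to check
        labels = item["metadata"].get("labels") or {}
        nodes[node].add(labels.get(TENANT_LABEL, "unlabelled"))
    return dict(nodes)


def shared_nodes(pod_list_json):
    """Return only the nodes where more than one tenant is present."""
    return {node: sorted(t) for node, t in tenants_per_node(pod_list_json).items()
            if len(t) > 1}


if __name__ == "__main__":
    print(json.dumps(shared_nodes(SAMPLE_POD_LIST), indent=2))
```

Run it periodically against live output (pipe `oc get pods --all-namespaces -o json` into the function) so a mis-scoped scheduler policy or a missing node selector is caught before it matters.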
Source: StackOverflow