Tenancy in AKO

Overview

This feature allows AKO to map each kubernetes / OpenShift cluster uniquely to a tenant in Avi. To enable this feature, set the field ControllerSettings.tenantsPerCluster to true.

Tenant Context

Avi non admin tenants primarily operate in 2 modes, provider context and tenant context.

Provider Context

Service Engine Groups are shared with admin tenant. All the other objects like virtual services and pools are created within the tenant.
This requires config_settings.se_in_provider_context flag to be set to True when creating tenant.

Tenant Context

Service Engines are isolated from admin tenant. A new Default group is created within the tenant. All the objects including Service Engines are created in tenant context. Requires config_settings.se_in_provider_context flag to be set to False when creating tenant.

Enabling Tenancy in AKO

To enable Tenancy in AKO, follow the steps below:

  1. Create a Tenant
  2. Create the Required Roles
  3. Assign Tenants and Roles to Users

Creating a Tenant

Assume that the Avi Controller admin creates a tenant billing.

To create a separate tenant for each cluster in Avi,

  1. From the Avi UI, navigate to Administration > Accounts > Tenants.

  2. Click on Create.

  3. Enter the Name as billing.

    The New Tenant screen is as shown below:

    tenancy

  4. Click on Save.

Creating Roles

Create the required roles with appropriate privileges to the ako user in the admin and the billing tenants. This can be created by POST to /api/role.

  1. Create the role ako-admin.

  2. Create the role ako-tenant.

  3. Navigate to Administration > Accounts > Roles.

    The roles created are displayed as shown below: roles

Assigning Tenants

Create users and assign tenants as required.

To create users,

  1. Navigate to Administration > Accounts > Users.

  2. Click on Create.

  3. Enter the User Information as required.

  4. In the Tenant & Role section, select the Tenant and the Role.

  5. Click on Add Tenant to add another Tenant and the Role.

  6. Select the Default Tenant.

    roles

  7. Click on Save.

In AKO, configure the following

  • Set the ControllerSettings.tenantName to the tenant created in the earlier steps.
  • The avicredentials.username and avicredentials.password to the user credentials created above.

Note: In the NodePort mode of AKO (when L7Settings.serviceType is set to NodePort), VRFContext permissions are not required in the admin tenant in the Avi Controller.

Document Revision History

Date Change Summary
December 24, 2021 Updated the article for Tenant Context
December 18, 2020 Published the article for Tenancy support in AKO