Tenancy in AKO

Overview

Tenancy support in AKO allows AKO to map each Kubernetes / OpenShift cluster uniquely to a tenant in Avi. The field ControllerSettings.tenantsPerCluster needs to be set to true to enable this feature.

Enabling Tenancy in AKO

To enable Tenancy in AKO, follow the steps below:

  1. Create a Tenant
  2. Create the Required Roles
  3. Assign Tenants and Roles to Users

Creating a Tenant

Assume that the Avi Controller admin creates a tenant billing.

To create a separate tenant for each cluster in Avi,

  1. From the Avi UI, navigate to Administration > Accounts > Tenants.

  2. Click on Create.

  3. Enter the Name as billing.

    The New Tenant screen is as shown below:

    tenancy

  4. Click on Save.

Creating Roles

Create the required roles with appropriate privileges to the ako user in the admin and the billing tenants. This can be created by POST to /api/role.

  1. Create the role ako-admin.

  2. Create the role ako-tenant.

  3. Navigate to Administration > Accounts > Roles.

    The roles created are displayed as shown below: roles

Assigning Tenants

Create users and assign tenants as required.

To create users,

  1. Navigate to Administration > Accounts > Users.

  2. Click on Create.

  3. Enter the User Information as required.

  4. In the Tenant & Role section, select the Tenant and the Role.

  5. Click on Add Tenant to add another Tenant and the Role.

  6. Select the Default Tenant.

    roles

  7. Click on Save.

In AKO, configure the following

  • ControllerSettings.tenantsPerCluster to True and ControllerSettings.tenantName to the tenant created above.
  • avicredentials.username and avicredentials.password to the user credentials created above.

Note: In the NodePort mode of AKO (when L7Settings.serviceType is set to NodePort), VRFContext permissions are not required in the admin tenant in the Avi Controller.

Document Revision History

Date Change Summary
December 18, 2020 Published the article for Tenancy support in AKO