Skip to main content
Version: main

CAPI Provider Identities

Multi-tenancy#

Some Cluster API providers allow you to choose the account or identity that the new cluster will be created with. This is often referred to as Multi-tenancy in the CAPI world. MCCP currently supports:

Identities and templates#

Our templates describe the properties of the cluster, how many nodes, what version of Kubernetes etc, while the identity is which account will be used to create the cluster. So given in our cluster we have the template:

apiVersion: capi.weave.works/v1alpha1
kind: CAPITemplate
metadata:
name: capa-cluster-template
spec:
resourcetemplates:
- apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: AWSCluster
metadata:
name: '${CLUSTER_NAME}'
spec:
region: '${AWS_REGION}'

and the identity

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
kind: AWSClusterStaticIdentity
metadata:
name: 'test-account'
spec:
secretRef:
name: test-account-creds
namespace: capa-system
allowedNamespaces:
selector:
matchLabels:
cluster.x-k8s.io/ns: 'testlabel'

We can select ask the MCCP to use the test-account when creating the cluster by using the Infrastructure provider credentials dropdown on the Create new cluster with template page:

Identity Selection

The resulting definition will have the identity injected into the appropriate place in the template, for this example:

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: AWSCluster
metadata:
name: example-cluster
spec:
region: eu-north-1
identityRef:
kind: AWSClusterStaticIdentity
name: test-account

identityRefs#

The supported providers implement multi-tenancy by setting an identityRef on the the provider cluster object, e.g. AWSCluster, AzureCluster or VSphereCluster.

The MCCP will search all namespaces in the cluster for potential identities that can be used to create a cluster. The following identity kinds are currently supported and their corresponding Cluster kinds:

  • AWSClusterStaticIdentity: AWSCluster
  • AWSClusterRoleIdentity: AWSCluster
  • AzureClusterIdentity: AzureCluster
  • VSphereClusterIdentity: VSphereCluster
Edit this page