Multitenancy support
IBM Cloud Pak® for Data supports different installation and deployment mechanisms for achieving multitenancy.
According to Gartner, multitenancy is:
Multitenancy is a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment. The instances (tenants) are logically isolated, but physically integrated. The degree of logical isolation must be complete, but the degree of physical integration will vary.
Achieving multitenancy with multiple instances of Cloud Pak for Data (recommended)
You can install the Cloud Pak for Data control plane multiple times on the same cluster by installing each instance of the control plane in a separate project (Kubernetes namespace).
- IBM Cloud Pak foundational services Certificate manager
- IBM Cloud Pak foundational services License Service
- Cloud Pak for Data Scheduling service
Each instance of Cloud Pak for Data has its own operators project and operands project. This installation architecture offers complete logical isolation of each instance of Cloud Pak for Data with limited physical integration between the instances.
When you set up your cluster, a Red Hat® OpenShift® Container Platform cluster administrator can create multiple projects to partition your cluster. Within each project, you can assign resource quotas. Each project acts as a virtual cluster with its own security and network policies.
In addition to being logically separated, you can use different authentication mechanisms for each instance of Cloud Pak for Data.
- Partitioning your non-production environment from your production environment in a continuous integration, continuous delivery (CICD) pipeline. In this model, tenants work in discrete, isolated units with a clear separation of duties.
- Creating instances for different departments or business units that have distinct roles and responsibilities within your enterprise. In this model, each tenant has their own authentication mechanism, resource quotas, and assets.
- You can minimize your overhead costs by deploying multiple instances on the same cluster.
- The cluster administrator can establish tenant-specific quality of service characteristics in each instance.
- The cluster administrator can assign instance administrators to manage a given instance of
Cloud Pak for Data
The instance administrator can control which services are deployed in the project and can manage the resources that are associated with the project. However, the project administrator does not have access to cluster-level settings and cannot change the resource quotas for their project.
- Related references
-
- For information about projects, see Supported project (namespace) configurations.
Achieving multitenancy within a single instance of Cloud Pak for Data
You can install a single instance of Cloud Pak for Data on your Red Hat OpenShift cluster. The instance uses a single authentication mechanism for all users, and each user is assigned to the appropriate role within the instance.
- Projects (collaborative workspaces)
- Users must be explicitly added as collaborators to access the contents of a project. In this way, you can enforce logical isolation between projects. For example, you can create analytics projects to support specific teams or departments within your organization.
- Deployment spaces
- Users must be explicitly added as collaborators to access the contents of an analytics deployment space. In this way, you can enforce logical isolation between deployment spaces.
- Service instances
- Some services, such as integrated databases, can be deployed multiple times within a single
deployment of Cloud Pak for Data. These deployments are
called service instances. Users must be given explicit access to a service instance to
interact with it. In this way, you can enforce logical isolation between service instances.
For an additional layer of isolation, service instances can be deployed to separate projects, called tethered projects.
Some services do not support service instances. The resources that are associated with those services are available to any users who have access to the service. And sometimes, all of the users who have access to the instance of Cloud Pak for Data have access to the service. However, some services can deploy workloads into tethered projects, which allow you to isolate tenant workloads and establish tenant-level resource quotas.
This configuration is physically integrated but does not support complete logical isolation.
Multitenancy for services
- Installing a service one time in each project where the control plane is installed. (This is the most common method for achieving multitenancy.)
- Installing a service one time in the same project as the control plane and provisioning multiple instances of the service in that project.
- Installing a service one time in the same project as the control plane and provisioning multiple instances of the service in tethered projects.
- Installing a service one time in the same project as the control plane and provisioning workloads in tethered projects.
In the following table, an asterisk (*) indicates that the service supports multiple instances that use the same pool of resources.
| Service | 1. Install the service in separate projects | 2. Install the service once and deploy multiple instances in the same project | 3. Install the service once and provision multiple instances in tethered projects | 4. Install the service once and provision workloads in tethered projects |
|---|---|---|---|---|
| AI Factsheets | Yes | No | No | No |
| Analytics Engine powered by Apache Spark | Yes | Yes* | No | No |
| Cognos® Analytics | Yes | No. One instance only. | Yes. One instance in each tethered project. | Yes |
| Cognos Dashboards | Yes | No | No | No |
| Data Privacy | Yes | No | No | No |
| Data Refinery | Yes | No | No | No |
| Data Replication | No | No. One instance only. | No | No |
| DataStage® | Yes | No | No | No |
| Db2® | Yes | Yes | No | No |
| Db2 Big SQL | Yes | Yes | No | No |
| Db2 Data Gate | Yes | Yes | No | No |
| Db2 Data Management Console | Yes | No. One instance only. | No | No |
| Db2 Warehouse | Yes | Yes | No | No |
| Service | 1. Install the service in separate projects | 2. Install the service once and deploy multiple instances in the same project | 3. Install the service once and provision multiple instances in tethered projects | 4. Install the service once and provision workloads in tethered projects |
| Decision Optimization | Yes | No | No | No |
| EDB Postgres | Yes | Yes | No | No |
| Execution Engine for Apache Hadoop | Yes | No | No | No |
| IBM® Match 360 with Watson™ | Yes | No | No | No |
| Informix® | Yes | Yes | No | No |
| MANTA Automated Data Lineage | Yes | No | No | No |
| OpenPages® | Yes | Yes | Yes | No |
| Planning Analytics | Yes | No. One instance only. | Yes. One instance in each tethered project. | No |
| Product Master | Yes | No | No | No |
| RStudio® Server Runtimes | Yes | No | No | No |
| SPSS® Modeler | Yes | No | No | No |
| Voice Gateway | Yes | Not applicable | No | No |
| Service | 1. Install the service in separate projects | 2. Install the service once and deploy multiple instances in the same project | 3. Install the service once and provision multiple instances in tethered projects | 4. Install the service once and provision workloads in tethered projects |
| Watson Assistant | Yes | Yes* | No | No |
| Watson Discovery | Yes | Yes* | No | No |
| Watson Knowledge Catalog | Yes | No | No | No |
| Watson Knowledge Studio | Yes | Yes, up to 30 instances.* | No | No |
| Watson Machine Learning | Yes | No | No | No |
| Watson Machine Learning Accelerator | Yes | No. One instance only. | No | No |
| Watson OpenScale | Yes | Yes | No | No |
| Watson Pipelines | Yes | No | No | No |
| Watson Query | Yes | No. One instance only. | Yes. One instance in each tethered project. | No |
| Watson Speech services | Yes | Yes* | No | No |
| Watson Studio | Yes | No | No | No |
| Watson Studio Runtimes | Yes | No | No | No |
| Watson Studio Runtimes | Yes | No | No | No |
| watsonx.data | Yes | No | No | No |