Multitenancy support

IBM Cloud Pak® for Data supports different installation and deployment mechanisms for achieving multitenancy.

According to Gartner, multitenancy is:

Multitenancy is a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment. The instances (tenants) are logically isolated, but physically integrated. The degree of logical isolation must be complete, but the degree of physical integration will vary.

Achieving multitenancy with multiple instances of Cloud Pak for Data (recommended)

You can install the Cloud Pak for Data control plane multiple times on the same cluster by installing each instance of the control plane in a separate project (Kubernetes namespace).

Note: The following components are installed once on the cluster and shared by any instances of Cloud Pak for Data on the cluster:
  • IBM Cloud Pak foundational services
  • IBM Cloud Pak for Data operators
  • Scheduling service

This installation architecture offers complete logical isolation of each instance of Cloud Pak for Data with limited physical integration between the instances.

When you set up your cluster, a Red Hat® OpenShift® Container Platform cluster administrator can create multiple projects to partition your cluster. Within each project, you can assign resource quotas. Each project acts as a virtual cluster with its own security and network policies. In addition to being logically separated, you can use different authentication mechanisms for each Cloud Pak for Data deployment.

This tenancy model addresses the following use cases:
  • Partitioning your non-production environment from your production environment in a continuous integration, continuous delivery (CICD) pipeline. In this model, tenants work in discrete, isolated units with a clear separation of duties.
  • Creating instances for different departments or business units that have distinct roles and responsibilities within your enterprise. In this model, each tenant has their own authentication mechanism, resource quotas, and assets.
This tenancy model also offers several advantages:
  • You can minimize your overhead costs by deploying multiple instances on the same cluster.
  • The cluster administrator can establish tenant-specific quality of service characteristics in each instance.
  • The cluster administrator can assign project administrators to manage a given instance of Cloud Pak for Data

    The project administrator can control which services are deployed in the project and can manage the resources that are associated with the project. However, the project administrator does not have access to cluster-level settings and cannot change the resource quotas for their project.

Related references

Achieving multitenancy within a single instance of Cloud Pak for Data

You can install a single instance of Cloud Pak for Data on your Red Hat OpenShift cluster. The instance uses a single authentication mechanism for all users, and each user is assigned to the appropriate role within the instance.

In this installation architecture, tenancy occurs at the resource level and users can see only resources that they are given access to. The following types of resources support logical isolation:
Projects (collaborative workspaces)
Users must be explicitly added as collaborators to access the contents of a project. In this way, you can enforce logical isolation between projects. For example, you could create analytics projects to support specific teams or departments within your organization.
Deployment spaces
Users must be explicitly added as collaborators to access the contents of an analytics deployment space. In this way, you can enforce logical isolation between deployment spaces.
Service instances
Some services, such as integrated databases, can be deployed multiple times within a single deployment of Cloud Pak for Data. These deployments are called service instances. Users must be given explicit access to a service instance to interact with it. In this way, you can enforce logical isolation between service instances.

For an additional layer of isolation, service instances can be deployed to separate projects, called tethered projects.

Some services do not support service instances. The resources that are associated with those services are available to any users who have access to the service. And in some cases, all of the users who have access to the instance of Cloud Pak for Data have access to the service. However, some services can deploy workloads into tethered projects, which allow you to isolate tenant workloads and establish tenant-level resource quotas.

This configuration is physically integrated but does not support complete logical isolation.

Multitenancy for services

The Cloud Pak for Data platform supports multiple mechanisms for achieving service multitenancy. However, not all services support the same mechanisms. The platform offers the following mechanisms:
  1. Installing a service one time in each project where the control plane is installed. (This is the most common method for achieving multitenancy.)
  2. Installing a service one time in the same project control plane and provisioning multiple instances of the service in that project.
  3. Installing a service one time in the same project control plane and provisioning multiple instances of the service in tethered projects.
  4. Installing a service one time in the same project as the control plane and provisioning workloads in tethered projects.
Service 1. Install the service in separate projects 2. Install the service once and deploy multiple instances in the same project 3. Install the service once and provision multiple instances in tethered projects 4. Install the service once and provision workloads in tethered projects
AI Factsheets Yes No No No
Analytics Engine Powered by Apache Spark Yes Yes No No
Cognos® Analytics Yes No. One instance only. Yes. One instance in each tethered project. Yes
Cognos Dashboards Yes No No No
Data Privacy Yes No No No
Data Refinery Yes No No No
Data Replication No No. One instance only. No No
DataStage® Yes No No No
Db2® Yes Yes No No
Db2 Big SQL Yes Yes No No
Db2 Data Gate Yes Yes No No
Db2 Data Management Console Yes No. One instance only. No No
Db2 Warehouse Yes Yes No No
Service 1. Install the service in separate projects 2. Install the service once and deploy multiple instances in the same project 3. Install the service once and provision multiple instances in tethered projects 4. Install the service once and provision workloads in tethered projects
Decision Optimization Yes No No No
EDB Postgres Yes Yes No No
Execution Engine for Apache Hadoop Yes No No No
IBM® Match 360 with Watson™ Yes No No No
Informix® Yes Yes No No
MongoDB Yes Yes No No
OpenPages® Yes Yes Yes No
Planning Analytics Yes No. One instance only. Yes. One instance in each tethered project. No
Product Master Yes No No No
RStudio® Server Runtimes Yes No No No
SPSS® Modeler Yes No No No
Voice Gateway Yes Not applicable No No
Service 1. Install the service in separate projects 2. Install the service once and deploy multiple instances in the same project 3. Install the service once and provision multiple instances in tethered projects 4. Install the service once and provision workloads in tethered projects
Watson Assistant Yes Yes No No
Watson Discovery Yes Yes No No
Watson Knowledge Catalog Yes No No No
Watson Knowledge Studio Yes Yes, up to 30 instances. No No
Watson Machine Learning Yes No No No
Watson Machine Learning Accelerator Yes No. One instance only. Yes. One instance in each tethered project. Yes
Watson OpenScale Yes Yes No No
Watson Pipelines Yes for versions 4.6.4 and higher. No No No
Watson Query Yes No. One instance only. No No
Watson Speech services Yes Yes No No
Watson Studio Yes No No No
Watson Studio Runtimes Yes No No No