Slide 1 - RKE2 Kubernetes Cluster with Capsule, Ceph and OIDC – ICSC Project
RKE2 Kubernetes Cluster with Capsule, Ceph and OIDC – ICSC Project
HA implementation, multi-tenancy and INFN IAM authentication

Generated from prompt:
Updated technical presentation – RKE2 Kubernetes Cluster with Capsule, Ceph and OIDC (ICSC)

**Slide 1 – Title**
RKE2 Kubernetes Cluster with Capsule, Ceph and OIDC – ICSC Project
HA implementation, multi-tenancy and INFN IAM authentication
[Logos: Kubernetes, Capsule, Ceph, INFN IAM]

**Slide 2 – Cluster Architecture**
- 3 controller nodes (VMs on Proxmox VE)
- 4 bare-metal worker nodes
- RKE2 installed through the INFN backbone Puppet module
🧩 Architecture diagram: controllers in HA, workers, Puppet and Proxmox

**Slide 3 – Storage (Ceph)**
- Production Ceph storage (Tier-2 Roma)
- StorageClass: `ceph-rbd-csi`
- Dynamic provisioning with the CSI plugin
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-ceph
spec:
  storageClassName: ceph-rbd-csi
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
```
[Ceph logo]

**Slide 4 – Capsule: Multi-Tenancy and Tenants**
Capsule adds a multi-tenancy layer to Kubernetes, isolating groups of users into *tenants*, each with its own namespaces, policies and resources. It manages authorisations based on IAM groups and improves security between teams.
```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant-test
spec:
  owners:
    - kind: Group
      name: users
```
[Conceptual diagram: IAM users → Capsule → Tenant → Namespace]

**Slide 5 – OIDC Authentication & Authorization**
Authentication and authorisation workflow with OIDC tokens:
1. Configure OIDC on the API Server
2. Create the OIDC user and generate a token
3. Access the cluster with the token
```bash
# Generate an OIDC token (oidc-agent, device flow)
oidc-gen <username> --iss https://iam.cloud.infn.it -w device
token=$(oidc-token --aud icsc-k8s-roma1 <username>)
# Access the cluster
kubectl --token=$token get pods
```
[Diagram: IAM → Token → API Server → Capsule]

**Slide 6 – Kube-VIP and High Availability**
- Kube-VIP as a DaemonSet on the controller nodes for a shared Virtual IP
- Guarantees HA of the Kubernetes API Server
```bash
$KUBE_VIP_CMD manifest daemonset \
  --interface eth0 \
  --address 192.168.x.x \
  --controlplane --services --arp --leaderElection
```
[Kube-VIP logo + VIP HA diagram]

**Slide 7 – Results and Tests**
Cluster fully operational and tested:
- Creation and management of tenants via Capsule
- Differentiated access for IAM users
- Visibility limited to the tenant's own resources
- Controller failover tested successfully
```bash
kubectl --token=$token get tenants
NAME          STATE    AGE
tenant-test   Active   1d
```

**Slide 8 – Conclusions**
✅ RKE2 cluster in HA
✅ Dynamic Ceph-RBD storage
✅ Multi-tenancy and OIDC operational
✅ Scalable infrastructure integrated with INFN
[Design: dark, technical, with software logos and a uniform style]
HA RKE2 Kubernetes cluster on Proxmox/Puppet with 3 controller VMs, 4 bare-metal workers. Features Ceph CSI storage, Capsule multi-tenancy, INFN IAM OIDC auth, Kube-VIP failover. Fully tested & operat
The slide covers production Ceph storage deployed at Tier-2 Roma. It details the ceph-rbd-csi StorageClass, dynamic provisioning via CSI plugin, and a PVC example requesting 10Gi of RBD storage.
Source: Presentazione tecnica aggiornata – Cluster Kubernetes RKE2 con Capsule, Ceph e OIDC (ICSC)

Native Kubernetes provides limited multi-tenancy via Namespaces and RBAC, with manual resource isolation, complex policies, and risks of team/IAM conflicts. Capsule enhances this by isolating tenants with dedicated namespaces, policies, and resources, plus automatic IAM group authorizations for simpler, secure team management.
| Native Kubernetes (without Capsule) | Kubernetes with Capsule |
|---|---|
| Multi-tenancy limited to Namespaces and RBAC. Manual resource isolation. Policies that are complex to manage. Risk of conflicts between teams and IAM users. | Tenants isolated with dedicated namespaces, policies and resources. Automatic IAM authorisations per group. Stronger security and simpler per-team management. |
Source: Tenant manifest (`apiVersion: capsule.clastix.io/v1beta2`, `kind: Tenant`, owners: group `users`) [Diagram: IAM → Capsule → Tenant → Namespace]
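The page's Tenant only names the owner group. As an added example (not from the presentation), the same Tenant extended with the isolation controls Capsule's v1beta2 API offers: a namespace cap, a storage-class allowlist restricted to the page's `ceph-rbd-csi` class, a tenant-wide quota, and a default NetworkPolicy that keeps pod traffic inside the tenant. The quota and limit values are constructed; field names follow the Capsule v1beta2 schema.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant-test
spec:
  owners:
    - kind: Group
      name: users            # IAM group from the page, taken from the token's groups claim
  namespaceOptions:
    quota: 5                 # at most 5 namespaces for this tenant
  storageClasses:
    allowed:
      - ceph-rbd-csi         # PVCs may only request the Ceph RBD class from the page
  resourceQuotas:
    scope: Tenant            # quota is summed across all namespaces of the tenant
    items:
      - hard:                # constructed values
          requests.cpu: "8"
          requests.memory: 16Gi
          requests.storage: 100Gi
  limitRanges:
    items:
      - limits:
          - type: Container  # defaults for containers that declare no limits
            default:
              cpu: 500m
              memory: 512Mi
  networkPolicies:
    items:
      - podSelector: {}      # replicated into every tenant namespace, applies to all pods
        policyTypes: [Ingress, Egress]
        ingress:
          - from:
              - namespaceSelector:
                  matchLabels:
                    capsule.clastix.io/tenant: tenant-test   # label Capsule sets on tenant namespaces
        egress:
          - to:
              - namespaceSelector:
                  matchLabels:
                    capsule.clastix.io/tenant: tenant-test
          - to:                # DNS must stay reachable or name resolution breaks
              - namespaceSelector:
                  matchLabels:
                    kubernetes.io/metadata.name: kube-system
            ports:
              - protocol: UDP
                port: 53
              - protocol: TCP
                port: 53
```

Egress to anything outside the tenant other than DNS is denied by this policy; add explicit rules per tenant for what it legitimately needs.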

This slide presents a four-step workflow for OIDC authentication and authorization in an RKE2 Kubernetes cluster. It covers configuring the OIDC provider on the API server, generating user OIDC config, obtaining a short-lived token, and accessing resources via kubectl with Capsule.
| Step | Description | Command |
|---|---|---|
| 1. Configure OIDC | Configure OIDC provider on RKE2 API Server | Set API Server flags: `--oidc-issuer-url=https://iam.cloud.infn.it --oidc-client-id=icsc-k8s-roma1` etc. |
| 2. Generate OIDC Config | Create OIDC configuration for user | `oidc-gen <user> --iss https://iam.cloud.infn.it` |
| 3. Obtain Token | Generate short-lived token for cluster audience | `oidc-token --aud icsc-k8s-roma1 <user>` |
| 4. Access Cluster | Authenticate to cluster and access resources (via Capsule) | `kubectl --token=$token get pods` |
Source: Cluster Kubernetes RKE2 con Capsule, Ceph e OIDC (ICSC)
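Step 1 of the table written out as RKE2 server configuration (an added example, not the project's Puppet module): RKE2 forwards extra kube-apiserver flags listed under `kube-apiserver-arg` in `/etc/rancher/rke2/config.yaml` on each controller. The issuer URL and client id are the page's; the claim names and prefixes are assumptions to be matched against what INFN IAM actually puts in its tokens.

```yaml
# /etc/rancher/rke2/config.yaml on every controller node
# (in the page's setup this file is rendered by Puppet; path per RKE2 defaults)
kube-apiserver-arg:
  # From the page: the IAM issuer and the audience the token is minted for.
  # The API server rejects a token whose "iss" differs, whose "aud" lacks
  # the client id, or whose "exp" has passed; the issuer URL must be https.
  - oidc-issuer-url=https://iam.cloud.infn.it
  - oidc-client-id=icsc-k8s-roma1
  # Assumption: the claim that becomes the Kubernetes username.
  - oidc-username-claim=email
  # Prefix keeps OIDC identities distinct from system:* and ServiceAccount names.
  - oidc-username-prefix=iam:
  # Assumption: IAM publishes group membership in a "groups" claim. Without
  # this flag the Tenant owner "kind: Group, name: users" never matches.
  - oidc-groups-claim=groups
  # If a groups prefix is added (e.g. oidc-groups-prefix=iam:), the Tenant
  # owner name must change to "iam:users" to keep matching.
```

The same flags go on all three controllers so the Kube-VIP address answers identically whichever API server currently holds the VIP.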

Kube-VIP is deployed as a DaemonSet on controller nodes to provide a shared VIP, ensuring high availability (HA) for the Kubernetes API Server. It uses leader election with ARP and services enabled, via the command:
```bash
$KUBE_VIP_CMD manifest daemonset --interface eth0 --address 192.168.x.x --controlplane --services --arp --leaderElection
```
The slide "Risultati e Test" (Results and Tests) highlights one Capsule-managed tenant, active for 1 day. It reports 100% success across differentiated IAM access with proper user isolation, visibility limited to tenant resources only, and tested failover with a confirmed HA controller.
Active for 1 day
Users correctly isolated
Tenant resources only
HA controller confirmed
Source: Cluster Kubernetes RKE2 ICSC

The conclusion slide lists successfully achieved objectives: a high-availability RKE2 cluster, dynamic Ceph-RBD storage, multi-tenancy with OIDC, and scalable INFN infrastructure. It affirms that the cluster is fully operational and scalable.
✅ RKE2 cluster in HA ✅ Dynamic Ceph-RBD storage ✅ Multi-tenancy and OIDC ✅ Scalable INFN infrastructure
Cluster operational and scalable!
Objectives achieved successfully.
Source: Progetto ICSC
