RBAC Policies for Multi-Tenant AI Services

Question

Pulumi · Accepted Answer

When you're running a multi-tenant AI service, especially in a Kubernetes environment, Role-Based Access Control (RBAC) is essential for ensuring that users have the appropriate permissions. RBAC allows you to define roles and assign permissions to these roles so that users and services only have access to the resources they need.

In Kubernetes, this is managed through a couple of different resources:

- `ClusterRole` and `Role`: These define a set of permissions for accessing resources. The main difference is that ClusterRole is non-namespaced and can grant access to cluster-scoped resources or across all namespaces, while Role is namespaced and grants access only within a single namespace.
- `ClusterRoleBinding` and `RoleBinding`: These bind the previously defined roles to subjects, which can be users, groups, or service accounts, granting them the permissions described in the role within the scope of the binding (cluster or namespace).

Here's a program, using Pulumi with the Kubernetes provider, that creates a set of RBAC resources for a multi-tenant AI service in Kubernetes. These roles and bindings ensure that different tenants have appropriate access without interfering with each other.

```python
import pulumi
import pulumi_kubernetes as kubernetes

# Create a Role for tenant 'A' - namespace scoped permissions
tenant_a_role = kubernetes.rbac.v1.Role("tenant-a-role",
    metadata=kubernetes.meta.v1.ObjectMetaArgs(
        name="tenant-a-role",
        namespace="tenant-a"  # Assuming a namespace dedicated to tenant A exists
    ),
    rules=[
        kubernetes.rbac.v1.PolicyRuleArgs(
            api_groups=[""],  # "" indicates the core API group
            resources=["pods"],
            verbs=["get", "list", "watch", "create", "update", "patch", "delete"]
        ),
        # Add rules for other resources tenant A's users might need
    ])

# Create a RoleBinding for tenant 'A' to bind the role to a specific user or service account
tenant_a_role_binding = kubernetes.rbac.v1.RoleBinding("tenant-a-role-binding",
    metadata=kubernetes.meta.v1.ObjectMetaArgs(
        name="tenant-a-role-binding",
        namespace="tenant-a"
    ),
    subjects=[kubernetes.rbac.v1.SubjectArgs(
        kind="User",  # Could be User, Group, or ServiceAccount
        name="user@example.com",  # The user's identifier as recognized by Kubernetes
        api_group="rbac.authorization.k8s.io"
    )],
    role_ref=kubernetes.rbac.v1.RoleRefArgs(
        kind="Role",
        name=tenant_a_role.metadata.name,
        api_group="rbac.authorization.k8s.io"
    ))

# Similarly, create Roles and RoleBindings for other tenants
# ...

# pulumi.export("tenant_a_role", tenant_a_role.metadata.name)
# pulumi.export("tenant_a_role_binding", tenant_a_role_binding.metadata.name)
```

This program does the following:

1. Defines a role `tenant-a-role` with permissions for managing pods—a common resource required by AI services.

2. Creates a `RoleBinding` `tenant-a-role-binding` that assigns `tenant-a-role` to user `user@example.com` within the namespace `tenant-a`.

3. Exports the created role and binding names for further reference (commented out for simplicity).

This is a simple RBAC setup for one tenant. You would repeat the process for each tenant in your service, ensuring that their permissions are scoped appropriately either to their namespace or the cluster, depending on your architecture and security requirements.