Skip to main content

Multitenancy

In Cosmonic Control, multiple tenants in a given environment can be organized to utilize shared application resources across namespaces and hosts. The reusability of capability providers as well as the small size and inherent sandboxing of WebAssembly components make it possible to maximize density while maintaining isolation between namespaces.

Application model

When deploying with Cosmonic Control, applications are comprised of WebAssembly components and capability providers.

  • Components are sandboxed, platform-agnostic WebAssembly binaries that handle the bespoke logic for a given application and can interoperate with other components as well as providers.
  • Providers deliver common capabilities such as HTTP service or key-value storage and may optionally serve as shared resources, providing functionality to many different components for many different applications.

Multitenancy model

Cosmonic Control uses the following tenancy primitives:

  • Namespaces are groups of resources that are isolated from resources in other namespaces by default. Namespaces may be used to scope tenants such as organizations or projects.
  • Hosts are WebAssembly runtime environments that may span multiple namespaces while maintaining the security boundaries of those namespaces. The different parts of an application may be spread across multiple hosts.

If explicitly permitted, components may dynamically link to other components on any host so long as they reside in a shared or same namespace.

Providers may reside in a shared namespace, enabling them to link to components for multiple applications and in multiple namespaces, so long as they are explicitly permitted. Providers may also reside in isolated namespaces where they may only link to components in the same namespace.

Architecture diagram

diagram

In the diagram above:

  • Three components making up an application are running in the App namespace. The components are spread across three hosts.
    • Components are defined using the Component CRD.
  • The application utilizes an HTTP Server provider that resides in the Shared namespace and on Host 2.
    • This provider does not handle sensitive data and can be shared freely.
    • Providers are defined using the Provider CRD.
  • In the Org A and Org B namespaces, isolated, namespace-scoped components and providers handle each organization's data. The Postgres and S3 providers mediate between the components and the organizations' respective data stores.
    • Org A Storage and Org B Storage both reside on Host 1 (along with a Middleware component in the Application namespace), but remain effectively isolated in separate namespaces due to the built-in sandboxing of WebAssembly components.
  • Components and providers can communicate across hosts because they belong to a Host Group, defined by the Host Group CRD.
  • The Cosmonic control plane runs in the Cosmonic namespace.