Tenants and Projects
PaletteAI uses a hierarchical organizational structure with Tenants and Projects to manage access control and resource organization for ML/AI deployments.

Tenants
What is a Tenant?
A Tenant is a cluster-scoped resource that represents an overarching structure within PaletteAI. It serves as the top-level organizational unit that groups related projects. A tenant role is automatically created and injected into each project namespace. The tenant role is intended for platform engineering teams to manage the tenant and its projects. A namespace with the same name as the tenant is also automatically created.
Purpose and Access Control
Tenants serve two primary purposes:
- Organizational Grouping: Tenants group multiple projects under a single organizational unit, making it simpler to manage different teams and their respective PaletteAI projects.
- Cluster-wide RBAC: Tenants create cluster-level roles and bindings that grant specified user groups access to all PaletteAI resources across the entire management cluster. This is useful for platform engineering teams to manage the tenant and its projects.
Access to tenant resources is controlled through OIDC groups specified in the tenant configuration.
Default Admin User
PaletteAI comes with a default admin user provided through Dex. Any static user configured in Dex automatically inherits admin permissions, because a static user's permissions are based on the Kubernetes service account role used by the PaletteAI pods. We recommend minimizing the use of static Dex users (also known as local Dex users) and using OpenID Connect (OIDC) groups to manage permissions instead. Dex is configured in the Mural installation Helm chart.
The default admin user is admin and is a member of the admin group.
Check out the Roles and Permissions page for detailed information on the tenant role and its permissions.
Tenant Creation
Tenants can be created through the PaletteAI User Interface, or declaratively through a YAML manifest.
When creating a tenant through a YAML manifest, you need to specify the following:
- name: The name of the tenant
- namespace: The namespace of the tenant
- settingsRef: The reference to the settings resource containing Palette integration credentials
- tenantRoleMapping: The mapping of OIDC groups to tenant-level permissions
Below is an example of a YAML manifest for a tenant.
apiVersion: mural.sh/v1alpha1
kind: Tenant
metadata:
  name: primary-dev
spec:
  displayName: 'Primary Dev'
  settingsRef:
    name: dev-settings
    namespace: primary-dev
  tenantRoleMapping:
    groups:
      - admin
      - sre
      - operations
Default Tenant
Default tenant and settings resources are created in the release namespace during PaletteAI installation. If integrating with Palette, additional configuration is required post-installation to provide Palette API credentials in a secure manner. Set .Values.global.systemDefaultResources.enabled: false to disable the creation of these default resources.
Projects
What is a Project?
A Project represents a workspace that ties together a tenant, compute profile, compute resources, workloads, and settings with fine-grained RBAC controls. Projects provide isolated environments where teams deploy and manage ML/AI applications, defaulting to project-specific configurations. Projects house MLPlatforms, which encapsulate an ML framework or AI application and its deployment lifecycle.
Project Resources
PaletteAI resources are primarily scoped to a project. This is by design to provide granular control over resources and permissions, while also allowing teams to manage and create their own resources without affecting other teams.
The following resources are scoped to a project:
- MLPlatforms
- Compute
- Compute profiles
- Settings
The Settings resource is unique in that it can be consumed across multiple tenants and projects. You can create a settings resource at the tenant level or at the project level.
Project Roles
Projects create three distinct roles with escalating permissions.
- Viewer: Read-only access to project resources.
- Editor: Read and write access to project resources, with limited ability to manage project settings and permissions.
- Admin: Full administrative access to all project resources and settings.
Check out the Roles and Permissions page for detailed information on project roles and their permissions.
Project Creation
Similar to tenants, you can create projects through the PaletteAI User Interface or declaratively through a YAML manifest.
When creating a project through a YAML manifest, you need to specify the following:
- name: The name of the project
- namespace: The namespace of the project
- tenantRef: The reference to the tenant resource
- roleMapping: The mapping of OIDC groups to project roles
- settingsRef: The reference to the settings resource
- computeProfileRef: The reference to the compute profile resource
Below is an example of a YAML manifest for a project.
apiVersion: mural.sh/v1alpha1
kind: Project
metadata:
  name: project-a
  namespace: project-a
spec:
  displayName: 'Project A'
  tenantRef:
    name: 'primary-dev'
  roleMapping:
    viewer:
      - 'finops'
      - 'auditors'
    editor:
      - 'ml-engineers'
      - 'data-team'
    admin:
      - 'admin'
      - 'sre'
  settingsRef:
    name: 'dev-settings'
  computeProfileRef:
    name: 'edge-compute-profile'
    namespace: 'project-a'
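Because tenant groups and project role mappings both grant access to the same project, it helps to resolve them together before applying manifests. The following is an added example, not PaletteAI code: it assumes the manifests are already loaded as Python dicts, and the function names, the finding labels, and the `STATIC_USER_GROUPS` set are hypothetical.

```python
# Constructed input: the page's two sample manifests, reduced to the RBAC fields.
TENANT = {
    "metadata": {"name": "primary-dev"},
    "spec": {"tenantRoleMapping": {"groups": ["admin", "sre", "operations"]}},
}
PROJECT = {
    "metadata": {"name": "project-a", "namespace": "project-a"},
    "spec": {
        "tenantRef": {"name": "primary-dev"},
        "roleMapping": {
            "viewer": ["finops", "auditors"],
            "editor": ["ml-engineers", "data-team"],
            "admin": ["admin", "sre"],
        },
    },
}
# Assumption: only the default `admin` group is backed by a static Dex user.
STATIC_USER_GROUPS = {"admin"}


def effective_access(tenant, projects):
    """Return {project: {group: grants}}; 'tenant' marks tenant-wide access."""
    tenant_name = tenant["metadata"]["name"]
    tenant_groups = tenant["spec"]["tenantRoleMapping"].get("groups", [])
    result = {}
    for project in projects:
        if project["spec"]["tenantRef"]["name"] != tenant_name:
            continue  # project belongs to a different tenant
        access = {}
        for role, groups in project["spec"].get("roleMapping", {}).items():
            for group in groups:
                access.setdefault(group, set()).add(role)
        for group in tenant_groups:  # tenant role is injected into every project
            access.setdefault(group, set()).add("tenant")
        result[project["metadata"]["name"]] = access
    return result


def review_findings(tenant, projects):
    """Return (project, group, label) tuples worth a reviewer's attention."""
    findings = []
    for name, access in effective_access(tenant, projects).items():
        for group, grants in sorted(access.items()):
            if group in STATIC_USER_GROUPS and grants & {"admin", "tenant"}:
                findings.append((name, group, "static-dex-group"))
            if "tenant" in grants and len(grants) > 1:
                findings.append((name, group, "duplicates-tenant"))
    return findings
```

For the sample manifests, the `admin` group is flagged because the default static Dex user belongs to it, and both `admin` and `sre` are flagged because their project-level admin grant repeats access they already hold through the tenant.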
Default Project
A default project is created within the default tenant when installing PaletteAI. Set .Values.global.systemDefaultResources.enabled: false to disable the creation of these default resources.