Multitenancy
In Cosmonic Control, multiple tenants in an environment can share application resources across namespaces and hosts while remaining isolated from one another. The reusability of host plugins, together with the small size and inherent sandboxing of WebAssembly components, makes it possible to maximize density while maintaining isolation between namespaces.
Deployment model
When deploying with Cosmonic Control, workloads consist of WebAssembly components, whose capabilities may be extended via built-in or containerized host plugins.
- Components are sandboxed, platform-agnostic WebAssembly binaries that handle the bespoke logic for a given application and can interoperate with other entities including components and host plugins.
- Host plugins deliver capabilities such as HTTP service or key-value storage and may optionally serve as shared resources, providing functionality to many different components across many different applications. A plugin is either built into the host or runs externally in a container.
Multitenancy model
Cosmonic Control uses the following tenancy primitives:
- Namespaces are groups of resources that are isolated from resources in other namespaces by default. Namespaces may be used to scope tenants such as organizations or projects.
- Hosts are WebAssembly runtime environments that may span multiple namespaces while maintaining the security boundaries of those namespaces. The different parts of an application may be spread across multiple hosts.
When explicitly permitted, components may dynamically link to other components on any host, so long as both reside in the same namespace or in a namespace that is shared.
Built-in host plugins may link to components belonging to multiple applications and multiple namespaces, but only on the same host and only when each link is explicitly permitted. Containerized host plugins may also reside in an isolated namespace, in which case they may only link to components in that same namespace.
Architecture diagram
In the diagram above:
- Three components making up an application are running in the App namespace. The components are spread across three hosts.
- Components are defined in the WorkloadDeployment CRD.
- The application utilizes a built-in HTTP Server plugin on Host 2.
- This plugin does not handle tenant-sensitive data, so it can be shared across the application without weakening the isolation between tenants.
- In the Org A and Org B namespaces, isolated, namespace-scoped components and containerized plugins handle each organization's data. The Postgres and S3 plugins mediate between the components and the organizations' respective data stores.
- Org A Storage and Org B Storage both reside on Host 1 (along with a Middleware component in the App namespace), but they remain isolated from one another: each runs in its own namespace, and each is confined by the sandboxing built into WebAssembly components.
- Components and plugins can communicate across hosts because their hosts belong to the same Host Group, defined by the HostGroup CRD.
- The Cosmonic control plane runs in the Cosmonic namespace.
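The link rules from the multitenancy model above, exercised against the placement in the diagram walkthrough, as an added example. This is illustrative Python written for this page, not Cosmonic Control's own code or CRD schema: the `Entity`, `Policy` and `can_link` names, the component names, host and namespace assignments, and the reading of "shared namespace" as a namespace explicitly marked shared are all assumptions. The check is default-deny: a link needs an explicit grant and must also satisfy the placement rule for the kinds involved, so a grant alone does not let a containerized plugin cross a namespace or a built-in plugin cross hosts.

```python
"""Added example: a default-deny model of the link rules described on this page.
Not Cosmonic Control's code; names, hosts and namespaces are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    COMPONENT = "component"
    BUILTIN_PLUGIN = "built-in plugin"
    CONTAINER_PLUGIN = "containerized plugin"


@dataclass(frozen=True)
class Entity:
    name: str
    kind: Kind
    namespace: str
    host: str


@dataclass
class Policy:
    host_group: dict  # host -> name of the HostGroup it belongs to
    shared_namespaces: set = field(default_factory=set)  # namespaces marked shared (assumed semantics)
    grants: set = field(default_factory=set)  # explicit link grants as frozenset({name_a, name_b})


def can_link(a: Entity, b: Entity, policy: Policy) -> tuple[bool, str]:
    """Return (allowed, reason) for a link between a and b.

    Default deny: the link must (1) stay inside one HostGroup, (2) satisfy the
    placement rule for the kinds involved, and (3) be explicitly granted.
    Plugin<->component links are treated without regard to direction.
    """
    # Rule 1: traffic only crosses hosts inside a single HostGroup.
    if a.host != b.host:
        ga, gb = policy.host_group.get(a.host), policy.host_group.get(b.host)
        if ga is None or ga != gb:
            return False, f"hosts {a.host} and {b.host} are not in one HostGroup"

    same_ns = a.namespace == b.namespace
    shared_ns = bool({a.namespace, b.namespace} & policy.shared_namespaces)
    kinds = {a.kind, b.kind}

    # Rule 2: placement rule by kind.
    if kinds == {Kind.COMPONENT}:
        # component <-> component: any host, but same or shared namespace
        if not (same_ns or shared_ns):
            return False, "components only link within the same or a shared namespace"
    elif kinds == {Kind.COMPONENT, Kind.BUILTIN_PLUGIN}:
        # built-in plugin <-> component: any namespace, but only on the plugin's own host
        if a.host != b.host:
            return False, "built-in plugins only link to components on their own host"
    elif kinds == {Kind.COMPONENT, Kind.CONTAINER_PLUGIN}:
        # containerized plugin <-> component: same namespace only
        if not same_ns:
            return False, "containerized plugins only link to components in their own namespace"
    else:
        return False, "no link of this shape is described by the model"

    # Rule 3: namespaces are isolated by default; every link needs an explicit grant.
    if frozenset((a.name, b.name)) not in policy.grants:
        return False, "no explicit link grant"
    return True, "permitted"


def diagram_scenario() -> dict[str, tuple[bool, str]]:
    """Constructed placement modelled on the architecture diagram above.
    Component names, hosts and grants are assumptions for illustration."""
    gateway = Entity("gateway", Kind.COMPONENT, "App", "host-2")
    middleware = Entity("middleware", Kind.COMPONENT, "App", "host-1")
    backend = Entity("backend", Kind.COMPONENT, "App", "host-3")
    http = Entity("http-server", Kind.BUILTIN_PLUGIN, "App", "host-2")
    org_a = Entity("org-a-storage", Kind.COMPONENT, "org-a", "host-1")
    org_b = Entity("org-b-storage", Kind.COMPONENT, "org-b", "host-1")
    postgres = Entity("postgres", Kind.CONTAINER_PLUGIN, "org-a", "host-1")

    policy = Policy(
        host_group={"host-1": "prod", "host-2": "prod", "host-3": "prod"},
        grants={
            frozenset(("gateway", "middleware")),
            frozenset(("http-server", "gateway")),
            frozenset(("http-server", "middleware")),    # granted, yet denied: crosses hosts
            frozenset(("middleware", "org-a-storage")),  # granted, yet denied: crosses namespaces
            frozenset(("postgres", "org-a-storage")),
            frozenset(("postgres", "org-b-storage")),    # granted, yet denied: crosses namespaces
        },
    )
    candidates = {
        "gateway<->middleware": (gateway, middleware),
        "http-server<->gateway": (http, gateway),
        "http-server<->middleware": (http, middleware),
        "middleware<->org-a-storage": (middleware, org_a),
        "postgres<->org-a-storage": (postgres, org_a),
        "postgres<->org-b-storage": (postgres, org_b),
        "backend<->middleware": (backend, middleware),  # no grant at all
    }
    return {name: can_link(x, y, policy) for name, (x, y) in candidates.items()}


if __name__ == "__main__":
    for name, (ok, why) in diagram_scenario().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:28} {why}")
```

The scenario deliberately includes grants that are still denied (an HTTP Server link reaching across hosts, a Middleware link into Org A's namespace, a Postgres link into Org B's namespace) to make the point that explicit permission is necessary but not sufficient: the namespace and host placement rules hold regardless of what an operator grants, which is what keeps Org A Storage and Middleware isolated even though they share Host 1.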