Nova: a Federated Orchestrator
Nova is a multi-cluster Kubernetes control plane that orchestrates workloads across multiple Kubernetes clusters. With Nova, workload clusters become opaque compute commodities to consumers of Kubernetes infrastructure.
Architecture
A typical deployment of Nova consists of one Nova control plane and multiple workload clusters. Nova agents are deployed to workload clusters to communicate with the Nova control plane. The core Nova control plane has a Kubernetes API server, etcd, and a few other Nova components (scheduler/rescheduler, controllers, etc.). The overall architecture is shown in the following graphic.

The diagram below illustrates Nova in action.

Supported api-resources
Nova supports the following standard Kubernetes objects as well as CRDs:
- configmaps
- namespaces
- persistentvolumeclaims
- pods
- secrets
- serviceaccounts
- services
- daemonsets
- deployments
- replicasets
- statefulsets
- horizontalpodautoscalers
- cronjobs
- jobs
- ingressclasses
- ingresses
- networkpolicies
- clusterrolebindings
- clusterroles
- rolebindings
- roles
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- priorityclasses
Agent and control plane communication
Nova agents running in workload clusters communicate with the Nova control plane only through the K8s API server. Nova agents don't interact with any other components in the Nova control plane, including the Nova scheduler or any other controllers.
How does authentication work between Nova agents and K8s API server?
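Nova agents use standard Kubernetes RBAC authorization when communicating with the K8s API server.
Each agent authenticates with a certificate/key pair signed by the Kubernetes root CA.
Currently, the agents hold the cluster-admin ClusterRole through the system:masters ClusterRoleBinding. Each agent credential therefore carries full administrative access to the Nova control plane's API server and should be stored and distributed accordingly.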