OICM – Access Control & Data Isolation
OICM ensures secure, compliant, and tenant-aware operations through robust identity, access, and data segregation controls.
Access Control & Authentication
- Role-Based Access Control (RBAC): Enforced at cluster, tenant, and workspace levels for fine-grained permissions.
- Authentication & Identity Federation: Integrates with Keycloak, SSO (OAuth2, SAML), LDAP, and Active Directory.
- Secure API Access: All platform features are accessible via secure RESTful APIs and SDKs with scoped API keys.
- Audit Logging: Full traceability of user actions, admin activities, and system operations for compliance.
Data Isolation & Segregation
- Database records are tagged with a unique tenant ID to enforce strict data ownership boundaries.
- The platform ensures all data access and queries are automatically scoped to the requesting tenant.
- Each tenant is allocated a dedicated folder in NFS or a dedicated bucket in object storage systems.
- Access to storage is tightly controlled using tenant-specific credentials and scoped authentication policies.
- Kubernetes network segmentation is enforced using Calico to prevent cross-tenant communication.
- Firewall rules are applied at the pod and namespace levels, using tenant labels for traffic isolation.
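
The tenant-ID tagging and automatic query scoping described above can be pictured with the following added example, which is not OICM code. It assumes a hypothetical `models` table and a hypothetical `TenantScopedStore` class, with in-memory SQLite standing in for the platform database.

```python
import sqlite3


class TenantScopedStore:
    """Hypothetical data-access handle bound to one tenant at construction.

    Callers never pass a tenant ID per call, so a request handler cannot
    forget the filter or substitute another tenant's identifier.
    """

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def add_model(self, name):
        # The tenant tag is written by the store, not supplied by the caller.
        cur = self._conn.execute(
            "INSERT INTO models (tenant_id, name) VALUES (?, ?)",
            (self._tenant_id, name))
        return cur.lastrowid

    def list_models(self):
        rows = self._conn.execute(
            "SELECT id, name FROM models WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,))
        return [tuple(r) for r in rows]

    def rename_model(self, model_id, new_name):
        # Matching on id AND tenant_id: a row id that belongs to another
        # tenant matches nothing, so the update affects zero rows.
        cur = self._conn.execute(
            "UPDATE models SET name = ? WHERE id = ? AND tenant_id = ?",
            (new_name, model_id, self._tenant_id))
        return cur.rowcount == 1


def demo():
    # Constructed sample data: two tenants sharing one table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE models (id INTEGER PRIMARY KEY, "
                 "tenant_id TEXT NOT NULL, name TEXT NOT NULL)")
    a = TenantScopedStore(conn, "tenant-a")
    b = TenantScopedStore(conn, "tenant-b")
    a_id = a.add_model("fraud-v1")
    b.add_model("churn-v1")
    crossed = b.rename_model(a_id, "renamed-by-b")  # cross-tenant attempt
    return a.list_models(), b.list_models(), crossed
```
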
Shared Cluster Model
- Each tenant is assigned a unique identifier (label + taint).
- Isolated via Kubernetes namespaces.
- Calico network policies enforce strict traffic isolation.
- Access control applied at namespace and user level.
- Platform-wide monitoring and usage tracking per tenant.
Dedicated Cluster Model
- One cluster per tenant with separate control and data plane.
- Suitable for high-security, government, or air-gapped use cases.
- Enables hybrid governance: centralized control + decentralized compute.
- Can be used for premium-tier tenants or for regulatory compliance.
Next Steps
- Commercial Models & Use‑Case Enablement – Metered billing, tiered plans, and marketplace offerings.
- AI Cluster Manager – GPU scheduling, node pools, and workload optimization.
- AI Ops Overview – Deployment pipelines, monitoring, security, and governance.