Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Warning

This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.

Glossary

This document explains the terminology used in Preferred Computing Platform (PFCP), a cloud service designed for AI/ML workloads.

Organizations

These are the fundamental resources required for using PFCP, including Kubernetes cluster access, portal usage, and authentication/authorization mechanisms. They are equivalent to what is generally referred to as “tenants” 1.

To use PFCP, you must be invited by the organization you wish to access. When interacting with PFCP resources such as Kubernetes clusters or portals, you must select the appropriate organization.

Within a single organization, multiple PFCP clusters can be utilized, and multiple Namespaces can be created. Each Namespace supports both permission isolation and network segmentation. Therefore, there is no need to strictly separate organizations by region or usage purpose.

Root Namespaces and Sub-Namespaces

In PFCP, each organization is assigned a single Namespace, with additional Namespaces created as child Namespaces under this primary Namespace. The primary Namespace is referred to as a “root Namespace,” while the child Namespaces are called “sub-Namespaces.” For detailed information about PFCP Namespaces, please refer to Logical Cluster Division Using Namespaces.

Root Namespaces and sub-Namespaces are unique PFCP-specific terms that do not exist in standard Kubernetes clusters. Since they differ in specifications and handling, these specific terms are used when distinction is necessary. However, when describing general Kubernetes Namespace resources where distinction between root and sub-Namespaces is not required, the term Namespace is used instead.

User Roles (Organization Administrator vs. Regular User)

PFCP defines two distinct user roles: Organization Administrator and Regular User. For detailed information about these roles and the operations they permit, please refer to PFCP User Roles.

Meanwhile, Kubernetes provides Role/ClusterRole resources to implement Role-Based Access Control (RBAC) 2. While PFCP also provides standard ClusterRoles 3, these ClusterRoles do not map one-to-one with PFCP user roles 4. Organization Administrators can create RoleBindings to customize mappings on a Namespace-by-Namespace basis.

Individual RoleBindings can be created for specific users, or users can be grouped into roles and RoleBindings created for these groups.

For detailed information about RoleBindings, please refer to Managing User Cluster Access Permissions. For comprehensive user management information, please refer to Managing Organization Users.

Monitoring Services

This term collectively refers to the managed services provided by PFCP: Grafana, Prometheus, and Alertmanager.

Identity-Aware Proxy (IAP)

This is a PFCP-provided mechanism for securely exposing workloads to the internet. Automatic authentication is configured during access, enabling secure deployment of workloads.

There are two variants based on the authentication method: API Identity-Aware Proxy (API IAP) and WebApp Identity-Aware Proxy (WebApp IAP). For detailed usage instructions, please refer to Exposing Workloads as Web APIs or Exposing Workloads as Web Applications.


  1. This concept is analogous to Google Cloud projects or Amazon Web Service accounts.

  2. Role-Based Access Control

  3. Three roles are available: org-admin, org-edit, and org-view.

  4. Only Organization Administrators can be mapped to org-admin for both root Namespaces and all sub-Namespaces.