User Architecture

Clawcloud Run uses a multi-tenant architecture in which many tenants share a single Kubernetes cluster in a public cloud, maximizing resource utilization. The user system exists to make that sharing safe: it enforces resource isolation between tenants while keeping the design simple enough to balance system security with user experience.

User Design

Kubernetes has no native user management. Clawcloud Run therefore represents each user with a custom User resource (a Kubernetes Custom Resource, CR) that carries the user's permissions and metadata across availability zones. Sensitive user data, such as name and phone number, is not kept in the CR; it is persisted in a dedicated database.

Persistence Design

To support multi-region deployments, Clawcloud Run avoids depending on a single centralized data source. It uses CockroachDB, a distributed relational database, to replicate user data consistently and keep it highly available across all availability zones. This gives global user management transactional consistency together with horizontal scalability.

User and Namespace

Namespaces are the standard resource isolation mechanism in Kubernetes: they scope both resources and RBAC permissions. Clawcloud Run builds on this to isolate users from one another with a namespace-based design.

When a new user registers, Clawcloud Run automatically provisions a personal namespace bound to that account. The user holds full administrative privileges within it, and the namespace is permanently deleted when the account is terminated.

In addition, Clawcloud Run provides a workspace mechanism for collaboration: a user can create multiple workspaces and invite other users into these shared namespaces.

This design establishes a many-to-many relationship between users and namespaces: a single user may belong to multiple namespaces, while each namespace can contain multiple authorized users.

Authorization

Clawcloud Run authorizes users with Kubernetes RBAC. When a user creates a namespace (including the personal namespace generated at registration), the controller creates three Role resources in the new namespace, one per permission level, and a RoleBinding that grants the creating user Owner privileges there. When a user invites others into a workspace, the controller likewise creates RoleBinding resources that bind the invited users to the appropriate Role. Because Roles and RoleBindings are namespace-scoped, a user's privileges in one namespace say nothing about any other namespace.
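The following is an added example, not Clawcloud Run's own code: a small in-memory model of the objects described in the User and Namespace and Authorization sections (a namespace per registered user, three Roles in every namespace, a RoleBinding for the creator as Owner, further RoleBindings on invitation) together with an evaluator that decides requests the way the Kubernetes RBAC authorizer does, so the isolation claim can be checked directly. The `ns-`/`ws-` namespace prefixes, the `Developer` and `Viewer` role names and every rule body are assumptions; the page names only the `Owner` role.

```python
"""Minimal model of namespace-per-user RBAC (added example, not project code).

Creates what the page says the controller creates and evaluates requests
with deny-by-default RBAC semantics. Prefixes ns-/ws- and the roles
Developer/Viewer are assumptions; only "Owner" is named on the page.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Rules of the three per-namespace Roles. "Owner" is the page's name; the
# other two names and all rule contents are assumed for illustration.
ROLE_RULES: dict[str, list[dict]] = {
    "Owner": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "Developer": [{"apiGroups": ["", "apps"],
                   "resources": ["pods", "services", "deployments"],
                   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
    "Viewer": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}],
}


def subject_for(user: str) -> dict:
    """The user's Service Account, assumed to live in the personal namespace."""
    return {"kind": "ServiceAccount", "name": user, "namespace": f"ns-{user}"}


def role_manifest(namespace: str, name: str) -> dict:
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace},
            "rules": ROLE_RULES[name]}


def rolebinding_manifest(namespace: str, user: str, role: str) -> dict:
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": f"{user}-{role.lower()}", "namespace": namespace},
            "subjects": [subject_for(user)],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role}}


def rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    """One RBAC rule: every field must match; '*' matches anything."""
    def hit(allowed: list[str], value: str) -> bool:
        return "*" in allowed or value in allowed
    return hit(rule["apiGroups"], group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)


@dataclass
class Cluster:
    """In-memory stand-in for the API server's namespaces, Roles and RoleBindings."""
    namespaces: set[str] = field(default_factory=set)
    roles: dict[tuple[str, str], dict] = field(default_factory=dict)
    rolebindings: list[dict] = field(default_factory=list)

    def create_namespace(self, namespace: str, creator: str) -> str:
        """Controller logic shared by personal namespaces and workspaces."""
        self.namespaces.add(namespace)
        for name in ROLE_RULES:
            self.roles[(namespace, name)] = role_manifest(namespace, name)
        self.rolebindings.append(rolebinding_manifest(namespace, creator, "Owner"))
        return namespace

    def register_user(self, user: str) -> str:
        return self.create_namespace(f"ns-{user}", user)

    def create_workspace(self, owner: str, workspace: str) -> str:
        return self.create_namespace(f"ws-{workspace}", owner)

    def invite(self, inviter: str, namespace: str, user: str, role: str) -> None:
        """Binding someone else into a namespace requires RoleBinding create rights there."""
        if not self.can(inviter, namespace, "rbac.authorization.k8s.io", "rolebindings", "create"):
            raise PermissionError(f"{inviter} may not invite into {namespace}")
        self.rolebindings.append(rolebinding_manifest(namespace, user, role))

    def delete_user(self, user: str) -> None:
        """Account termination: the personal namespace, its Roles, RoleBindings and SA go."""
        ns = f"ns-{user}"
        self.namespaces.discard(ns)
        self.roles = {k: v for k, v in self.roles.items() if k[0] != ns}
        self.rolebindings = [rb for rb in self.rolebindings if rb["metadata"]["namespace"] != ns]

    def can(self, user: str, namespace: str, group: str, resource: str, verb: str) -> bool:
        """Deny by default; allow only if a binding in *this* namespace names the
        subject and references a Role whose rule covers the request."""
        if f"ns-{user}" not in self.namespaces:
            return False  # SA was deleted with the personal namespace; its token no longer authenticates
        subject = subject_for(user)
        for rb in self.rolebindings:
            if rb["metadata"]["namespace"] != namespace or subject not in rb["subjects"]:
                continue
            role = self.roles.get((namespace, rb["roleRef"]["name"]))
            if role and any(rule_allows(r, group, resource, verb) for r in role["rules"]):
                return True
        return False

    def namespaces_of(self, user: str) -> set[str]:
        """One side of the many-to-many relation: every namespace this user is bound into."""
        subject = subject_for(user)
        return {rb["metadata"]["namespace"] for rb in self.rolebindings if subject in rb["subjects"]}
```

Two properties worth checking with this model: a user who is Owner of their personal namespace gets nothing in another user's personal namespace, because no RoleBinding there names their Service Account; and an invited Viewer in a workspace can read but not delete, while only an Owner can create further RoleBindings and so invite others.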

Authentication

Kubernetes distinguishes two kinds of authenticated subjects: normal users, which are managed outside the cluster, and Service Accounts, which are managed by Kubernetes and typically used by Pods. Because every user operation on Clawcloud Run runs inside a Pod in the cloud environment, the system authenticates users as Service Accounts. When a user is created, a Service Account is provisioned for them and its token is embedded into the user's kubeconfig. When the user accesses an application, the system reads the token from that kubeconfig and mounts it into the target Pod, which then authenticates to the API server with it. The token is a bearer credential: whoever holds the kubeconfig can act as that user in every namespace the user is bound to, so the kubeconfig must be protected like a password.
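The following is an added example, not Clawcloud Run's code: it shows the shape of a kubeconfig that carries a Service Account token as the user credential, how the token is read back from it before being handed to a Pod, and a check an operator would want to run on such a token before issuing it, namely whether it is a bound token with an expiry or a legacy Secret-based token without one. The server URL, the CA bytes, the account names and the HMAC signing key are all constructed for the example; real Service Account tokens are signed by the API server's own key and are verified by the API server, not by code like this.

```python
"""Kubeconfig-embedded Service Account token (added example, not project code).

Builds constructed tokens with the claim layouts of bound and legacy
Service Account tokens, embeds one in a kubeconfig, reads it back, and
audits it. Server URL, names and the signing key are made up.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed values. A real token is signed by the API server (RS256/ES256);
# HMAC is used here only to produce a well-formed JWT offline.
FAKE_SIGNING_KEY = b"example-only-not-a-real-key"
SERVER = "https://kubernetes.example.test:6443"  # assumed cluster endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint a JWT with the given claims (stand-in for the API server's issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(FAKE_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def bound_sa_token(namespace: str, sa: str, now: int, ttl: int = 3600) -> str:
    """Claim layout of a TokenRequest-issued (bound, expiring) Service Account token."""
    return make_token({
        "iss": SERVER, "aud": ["https://kubernetes.default.svc"],
        "iat": now, "nbf": now, "exp": now + ttl,
        "sub": f"system:serviceaccount:{namespace}:{sa}",
        "kubernetes.io": {"namespace": namespace,
                          "serviceaccount": {"name": sa, "uid": "constructed-uid"}},
    })


def legacy_sa_token(namespace: str, sa: str) -> str:
    """Claim layout of a legacy Secret-based Service Account token: no 'exp' at all."""
    return make_token({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa,
        "kubernetes.io/serviceaccount/secret.name": f"{sa}-token",
        "sub": f"system:serviceaccount:{namespace}:{sa}",
    })


def claims_of(token: str) -> dict:
    """Decode the payload only; signature verification is the API server's job."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def build_kubeconfig(user: str, namespace: str, token: str) -> dict:
    """Kubeconfig handed to the user, with the SA token as the user credential."""
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": "clawcloud", "cluster": {
            "server": SERVER,
            "certificate-authority-data": base64.b64encode(b"constructed-ca").decode()}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": user, "context": {"cluster": "clawcloud", "user": user,
                                                "namespace": namespace}}],
        "current-context": user,
    }


def token_from_kubeconfig(cfg: dict) -> str:
    """What the platform does before mounting the credential into a target Pod."""
    ctx = next(c for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    return next(u for u in cfg["users"] if u["name"] == ctx["context"]["user"])["user"]["token"]


def audit_token(token: str, expected_user: str, now: int, max_ttl: int = 86400) -> list[str]:
    """Findings an operator would want before shipping a kubeconfig. Empty list means clean."""
    c = claims_of(token)
    findings: list[str] = []
    if "exp" not in c:
        findings.append("legacy token without expiry: a leaked kubeconfig stays valid until its Secret is deleted")
    elif c["exp"] <= now:
        findings.append("token already expired")
    elif c["exp"] - c.get("iat", now) > max_ttl:
        findings.append("token lifetime exceeds policy")
    if c.get("sub", "").split(":")[-1] != expected_user:
        findings.append("token subject does not match the kubeconfig user")
    return findings
```

The audit distinguishes the two token kinds by the presence of `exp`: a token minted through the TokenRequest API carries `exp`, `aud` and a `kubernetes.io` claim, while a legacy Secret-based token has neither an expiry nor an audience, so a leaked kubeconfig holding one remains usable until the backing Secret is deleted.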

Isolation

Beyond Kubernetes namespace isolation, Clawcloud Run enforces multi-layer isolation across infrastructure components:

  • Storage: Block-level isolation via OpenEBS.

  • Compute: Runtime isolation using Firecracker and Cloud Hypervisor.

  • Network: Micro-segmentation through Cilium.

These mechanisms ensure strict tenant isolation in shared environments, preventing operational interference between tenants.
