Multi-Tenancy

Multi-Tenancy#

AIM Engine supports multi-tenant deployments through a combination of cluster-scoped and namespace-scoped resources.

Resource Scoping#

Resource	Cluster-Scoped	Namespace-Scoped
Models	`AIMClusterModel`	`AIMModel`
Templates	`AIMClusterServiceTemplate`	`AIMServiceTemplate`
Runtime Config	`AIMClusterRuntimeConfig`	`AIMRuntimeConfig`
Model Sources	`AIMClusterModelSource`	—
Services	—	`AIMService`
Artifacts	—	`AIMArtifact`

Namespace-scoped resources always take precedence over cluster-scoped ones during resolution.

Team Isolation#

A typical multi-tenant setup:

Cluster admin creates cluster-scoped resources shared by all teams:
- AIMClusterModelSource for model discovery
- AIMClusterRuntimeConfig for default routing, storage, and policies
- AIMClusterServiceTemplate for validated runtime profiles
Teams work in their own namespaces with:
- AIMService resources for their inference endpoints
- AIMRuntimeConfig for team-specific credentials and overrides
- AIMModel for custom models only their team needs

Example: Namespace Configuration#

apiVersion: aim.eai.amd.com/v1alpha1
kind: AIMRuntimeConfig
metadata:
  name: default
  namespace: ml-team-a
spec:
  env:
    - name: HF_TOKEN
      valueFrom:
        secretKeyRef:
          name: team-a-hf-token
          key: token
  routing:
    pathTemplate: "/team-a/{.metadata.name}"

Override Hierarchy#

Configuration is resolved with the most specific scope winning:

Setting	Resolution Order
Model	`AIMModel` (namespace) → `AIMClusterModel` (cluster)
Template	`AIMServiceTemplate` (namespace) → `AIMClusterServiceTemplate` (cluster)
Runtime config	`AIMRuntimeConfig` (namespace) → `AIMClusterRuntimeConfig` (cluster)
Environment vars	Service → RuntimeConfig (namespace) → ClusterRuntimeConfig

Label Propagation#

AIM Engine can propagate labels from AIMService resources to managed child resources (InferenceService, HTTPRoute, PVCs). This is useful for cost tracking, team attribution, and policy enforcement.

Enable via runtime configuration:

apiVersion: aim.eai.amd.com/v1alpha1
kind: AIMClusterRuntimeConfig
metadata:
  name: default
spec:
  labelPropagation:
    enabled: true
    match:
      - "aim.eai.amd.com/*"
      - "team-*"
      - "cost-center"

Labels on the AIMService matching these patterns are automatically applied to all child resources. Labels matching aim.eai.amd.com/* are always propagated regardless of this setting.

RBAC#

AIM Engine creates helper ClusterRoles for each CRD when rbacHelpers.enable is true (default):

Role	Permissions
`aimservice-admin`	Full access to AIMService resources
`aimservice-editor`	Create, update, delete AIMService resources
`aimservice-viewer`	Read-only access to AIMService resources

Similar roles exist for all CRDs. Bind these to team groups or service accounts:

kubectl create rolebinding team-a-aimservice \
  --clusterrole=aimservice-editor \
  --group=team-a \
  --namespace=ml-team-a

Next Steps#

Runtime Configuration — Configuration resolution details
Security — RBAC and security configuration
Private Registries — Per-team credential management