Multi-tenancy allows multiple teams or customers to share a Kubernetes cluster. Proper isolation is critical to prevent security breaches between tenants.
Multi-Tenancy Models
Namespace-based
Soft isolation using namespaces with RBAC and network policies.
Virtual Cluster
Stronger isolation with virtual control planes (vcluster).
Dedicated Clusters
Complete isolation with separate clusters per tenant.
Namespace Isolation
RBAC
YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: tenant-a
name: tenant-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: tenant-a
name: tenant-a-admins
subjects:
- kind: Group
name: tenant-a-admins
roleRef:
kind: Role
name: tenant-adminNetwork Policies
YAML
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-cross-namespace
namespace: tenant-a
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: tenant-a
egress:
- to:
- namespaceSelector:
matchLabels:
name: tenant-aResource Quotas
YAML
apiVersion: v1
kind: ResourceQuota
metadata:
name: tenant-quota
namespace: tenant-a
spec:
hard:
requests.cpu: "10"
requests.memory: 20Gi
limits.cpu: "20"
limits.memory: 40Gi
pods: "50"Hierarchical Namespaces
Use HNC for namespace hierarchies:
YAML
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
name: team-frontend
namespace: tenant-aVirtual Clusters
For stronger isolation:
BASH
vcluster create tenant-a -n host-namespaceBenefits:
- Isolated control plane
- Custom CRDs per tenant
- Full admin access without cluster impact
Security Checklist
- RBAC configured per namespace
- Network policies deny cross-namespace traffic
- Resource quotas prevent noisy neighbors
- Pod security standards enforced
- Audit logging per tenant
- Separate service accounts
- No shared secrets
Multi-tenancy requires defense in depth across all layers.