Cloud Expert
Kubernetes Multi-tenancy¶
KubernetesMulti-tenancySecurityIsolation 6 min read
Izolace tenantů v Kubernetes. Namespace isolation, Network Policies, OPA Gatekeeper a virtual clusters.
Modely Multi-tenancy¶
- Namespace-per-tenant — sdílený cluster, izolace přes namespaces
- Cluster-per-tenant — maximální izolace, vyšší náklady
- Virtual Clusters — vcluster/Loft — virtuální K8s cluster uvnitř namespace
Namespace Isolation¶
apiVersion: v1
kind: ResourceQuota
metadata:
name: tenant-quota
namespace: tenant-alpha
spec:
hard:
requests.cpu: "8"
requests.memory: 16Gi
pods: "40"
---
apiVersion: v1
kind: LimitRange
metadata:
name: default-limits
namespace: tenant-alpha
spec:
limits:
- default:
cpu: 500m
memory: 512Mi
defaultRequest:
cpu: 100m
memory: 128Mi
type: Container
Network Policies¶
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: tenant-alpha
spec:
podSelector: {}
policyTypes: [Ingress, Egress]
ingress: []
egress:
- to:
- namespaceSelector:
matchLabels:
tenant: alpha
- to:
- namespaceSelector: {}
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: UDP
OPA Gatekeeper¶
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyClusterResources
metadata:
name: deny-cluster-resources
spec:
match:
kinds:
- apiGroups: ["rbac.authorization.k8s.io"]
kinds: ["ClusterRole", "ClusterRoleBinding"]
excludedNamespaces: ["kube-system", "gatekeeper-system"]
Summary¶
K8s multi-tenancy vyžaduje defense-in-depth: namespaces, RBAC, Network Policies, ResourceQuotas a policy engine.
Need Help with Implementation?¶
Our team has experience designing and implementing modern architectures. We’re happy to help.