Practices of Kubernetes Multi-tenant Clusters

What Is a Multi-tenant Cluster?

Multi-tenant Scenarios

1) Multi-tenant Sharing of Clusters Within an Enterprise

  • Cluster Administrator
  • Has cluster management capabilities, such as scaling and adding nodes.
  • Creates and allocates namespaces for tenant administrators.
  • Manages various policies, such as RAM, RBAC, network policies, and quotas.
  • Tenant Administrator
  • Has at least the RAM read-only permission for the cluster.
  • Manages the RBAC configurations of relevant personnel in the tenant.
  • Tenant User
  • Uses Kubernetes resources within the permitted range in the tenant namespace.

2) Multi-tenancy in SaaS and KaaS Service Models

Implementing a Multi-tenant Architecture

Access Control

Resource Scheduling

Protection of Sensitive Information

Summary

  • Enable the default security configuration for the Kubernetes cluster.
  • Enable RBAC to prohibit access from anonymous users.
  • Enable secret encryption to enhance the protection of sensitive information.
  • Perform security configuration based on CIS Kubernetes benchmarks.
  • Enable related admission controllers such as NodeRestriction, AlwaysPullImages, and PodSecurityPolicy.
  • Use PSPs to control the privileged mode in pod deployments and control the security context of pods while the pods are running.
  • Configure network policies.
  • Enable Seccomp, AppArmor, and SELinux for Docker runtime.
  • Try to achieve multi-tenant isolation for services such as monitoring and logging.
  • Use dynamic policy engines such as Open Policy Agent (OPA) for fine-grained access control at the network or object level.
  • Deploy a secure container for kernel-level isolation during container runtime.
  • Implement comprehensive multi-tenant isolation solutions for monitoring, logging, storage, and other services.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alibaba Cloud

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com