Kubernetes Multi-Tenancy
Tenant isolation in Kubernetes: namespace isolation, network policies, OPA Gatekeeper and virtual clusters.
Multi-tenancy models
- Namespace per tenant: a shared cluster, with isolation enforced at the namespace boundary
- Cluster per tenant: maximum isolation, at a higher cost
- Virtual clusters (vcluster/Loft): a virtual Kubernetes cluster running inside a single namespace
Namespace isolation
```yaml
# Cap the total resources the tenant namespace may request.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
  namespace: tenant-alpha
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    pods: "40"
---
# Supply default requests/limits: a quota on requests.* rejects pods that set
# no requests at all, so the LimitRange fills them in for every container.
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: tenant-alpha
spec:
  limits:
  - default:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    type: Container
```
Network Policies
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: tenant-alpha
spec:
  podSelector: {}                  # applies to every pod in the namespace
  policyTypes: [Ingress, Egress]
  ingress: []                      # no ingress rules: all inbound traffic is denied
  egress:
  - to:                            # only namespaces of the same tenant (label tenant=alpha)
    - namespaceSelector:
        matchLabels:
          tenant: alpha
  - to:                            # plus cluster DNS; add a TCP 53 entry if clients fall back to TCP
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
```
OPA Gatekeeper
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyClusterResources    # kind defined by a ConstraintTemplate that must be installed first
metadata:
  name: deny-cluster-resources
spec:
  match:
    kinds:
    - apiGroups: ["rbac.authorization.k8s.io"]
      kinds: ["ClusterRole", "ClusterRoleBinding"]
    # ClusterRole and ClusterRoleBinding are cluster-scoped and carry no namespace,
    # so excludedNamespaces has nothing to filter on for these kinds.
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
```
Summary
Kubernetes multi-tenancy requires defense in depth: namespaces, RBAC, network policies, ResourceQuotas and a policy engine.
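To check that a tenant namespace actually carries these layers, the following audit (an added example, not code from the page or from any of the tools it names) walks a list of manifests as PyYAML or kubectl would yield them and reports which of ResourceQuota, LimitRange and a default-deny NetworkPolicy are missing; it assumes the page's namespace label convention `tenant=<name>`, and the sample manifests are constructed from the page's tenant-alpha objects.

```python
# Added audit (not from the page): does a tenant namespace carry the isolation layers above?
# Manifests are plain dicts as PyYAML/kubectl yield them; assumed namespace label: tenant=<name>.
def _in_ns(objs, kind, ns):
    return [o for o in objs if o.get("kind") == kind
            and o.get("metadata", {}).get("namespace") == ns]
def has_quota(objs, ns):
    return any(q.get("spec", {}).get("hard") for q in _in_ns(objs, "ResourceQuota", ns))
def has_default_limits(objs, ns):
    # Without Container defaults, request-less pods are rejected by a requests.* quota.
    return any(l.get("type") == "Container" and "default" in l and "defaultRequest" in l
               for lr in _in_ns(objs, "LimitRange", ns)
               for l in lr.get("spec", {}).get("limits", []))
def _egress_confined(rule, tenant):
    # Only the tenant's own namespaces, or kube-dns on port 53, may be reached.
    if not rule.get("to"):              # a rule without 'to' allows every destination
        return False
    dns_port = any(p.get("port") == 53 for p in rule.get("ports", []))
    for peer in rule["to"]:
        ns_lbl = (peer.get("namespaceSelector") or {}).get("matchLabels", {})
        pod_lbl = (peer.get("podSelector") or {}).get("matchLabels", {})
        if not (ns_lbl.get("tenant") == tenant
                or (pod_lbl.get("k8s-app") == "kube-dns" and dns_port)):
            return False
    return True
def has_default_deny(objs, ns, tenant):
    # One policy: all pods, Ingress+Egress, no ingress rule, only confined egress rules.
    for np in _in_ns(objs, "NetworkPolicy", ns):
        spec = np.get("spec", {})
        if (spec.get("podSelector", {}) == {}
                and set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
                and not spec.get("ingress")
                and all(_egress_confined(r, tenant) for r in spec.get("egress", []))):
            return True
    return False
def missing_layers(objs, ns, tenant):
    checks = {"ResourceQuota": has_quota(objs, ns), "LimitRange": has_default_limits(objs, ns),
              "NetworkPolicy": has_default_deny(objs, ns, tenant)}
    return [name for name, ok in checks.items() if not ok]
# Constructed sample: the page's three tenant-alpha manifests, abbreviated.
SAMPLE = [
    {"kind": "ResourceQuota", "metadata": {"namespace": "tenant-alpha"},
     "spec": {"hard": {"requests.cpu": "8", "pods": "40"}}},
    {"kind": "LimitRange", "metadata": {"namespace": "tenant-alpha"}, "spec": {"limits": [
        {"type": "Container", "default": {"cpu": "500m"}, "defaultRequest": {"cpu": "100m"}}]}},
    {"kind": "NetworkPolicy", "metadata": {"namespace": "tenant-alpha"}, "spec": {
        "podSelector": {}, "policyTypes": ["Ingress", "Egress"], "ingress": [],
        "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"tenant": "alpha"}}}]},
                   {"to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                    "ports": [{"port": 53, "protocol": "UDP"}]}]}},
]
```

Running `missing_layers(SAMPLE, "tenant-alpha", "alpha")` returns an empty list; feed it the output of `kubectl get resourcequota,limitrange,networkpolicy -A -o json` (the `items` list) to audit a live cluster.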
Need help with the implementation?
Our team has experience designing and implementing modern architectures. We are happy to help.