# GKE Multi-tenancy and Governance
This skill provides guidance on implementing multi-tenancy and governance in Google Kubernetes Engine (GKE) clusters.
## Overview
Multi-tenancy allows you to share a single GKE cluster among multiple teams or applications securely. Governance ensures that policies and resource limits are enforced.
## Workflows

### 1. Create Namespaces for Isolation
Namespaces provide a scope for names and are the primary unit of isolation in Kubernetes.
Steps:

- Create a namespace for each tenant.

Example Namespace Manifest:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    team: alpha
```
### 2. Configure RBAC for Least Privilege
Role-Based Access Control (RBAC) allows you to control who has access to what resources within a namespace.
Steps:

- Define a `Role` with specific permissions.
- Bind the `Role` to a user or group using a `RoleBinding`.
Example Role and RoleBinding Manifest:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tenant-a
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: tenant-a
subjects:
- kind: User
  name: user@example.com # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
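To verify that a tenant `Role` grants only what step 2 intends, this added example (not part of the gke-mcp skill) evaluates requests against the `pod-reader` rules the way the Kubernetes RBAC authorizer matches verbs, API groups and resources, and flags wildcard grants that would defeat least privilege. The Role is transcribed into a Python dict so the check runs without a cluster; it deliberately ignores `resourceNames` and subresources.

```python
"""Offline evaluation of a Kubernetes RBAC Role (added example, not gke-mcp code)."""

# The pod-reader Role from the manifest above, transcribed as a dict (constructed).
POD_READER = {
    "metadata": {"namespace": "tenant-a", "name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}

# Hypothetical over-broad Role used to show what the wildcard check catches.
CLUSTER_ADMIN_LIKE = {
    "metadata": {"namespace": "tenant-a", "name": "too-broad"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def _matches(allowed, value) -> bool:
    """A rule field matches when it lists the value or the wildcard '*'."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource) -> bool:
    """One rule permits a request only if verb, apiGroup and resource all match.
    The core API group is spelled "" in RBAC rules, as in the manifest."""
    return (
        _matches(rule["verbs"], verb)
        and _matches(rule["apiGroups"], api_group)
        and _matches(rule["resources"], resource)
    )


def role_allows(role, verb, api_group, resource) -> bool:
    """RBAC is purely additive: any single matching rule grants the request,
    and there is no deny rule that could take the grant back."""
    return any(rule_allows(r, verb, api_group, resource) for r in role["rules"])


def wildcard_findings(role) -> list:
    """List every rule field that uses '*'; a tenant Role should have none."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        for field in ("verbs", "resources", "apiGroups"):
            if "*" in rule.get(field, []):
                findings.append(f"rule[{i}].{field} uses wildcard '*'")
    return findings


if __name__ == "__main__":
    print("can list pods:", role_allows(POD_READER, "list", "", "pods"))
    print("can read secrets:", role_allows(POD_READER, "get", "", "secrets"))
    print("wildcards:", wildcard_findings(CLUSTER_ADMIN_LIKE))
```

Run the same questions against a live cluster with `kubectl auth can-i <verb> <resource> --namespace tenant-a --as user@example.com` to confirm the binding behaves as the offline evaluation predicts.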
### 3. Enforce Resource Quotas
Resource quotas prevent a single tenant from consuming all resources in the cluster.
Example ResourceQuota Manifest:
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
```
## Best Practices
- Namespace Per Tenant: Always use separate namespaces for different teams or applications.
- Least Privilege RBAC: Grant only the permissions necessary for users and service accounts to do their jobs.
- Enforce Quotas: Use Resource Quotas to ensure fair sharing of cluster resources.
- Network Policies: Combine namespaces with Network Policies (see gke-workload-security) to restrict cross-tenant traffic.