k8s-platform-tenancy


Kubernetes Platform Tenancy


Manage multi-tenant Kubernetes platforms, namespace provisioning, RBAC, resource isolation, and tenant lifecycle management.

Keywords


kubernetes, multi-tenant, namespace, tenancy, rbac, resource quota, limit range, network policy, isolation, onboarding, offboarding, self-service, platform engineering, provisioning, configuring, setting up, implementing, managing, designing

When to Use This Skill


  • Provisioning new tenant namespaces
  • Configuring tenant RBAC roles and bindings
  • Setting up resource quotas and limits
  • Implementing network isolation between tenants
  • Managing tenant lifecycle (onboarding/offboarding)
  • Designing self-service provisioning

Related Skills


  • k8s-security-hardening - Security controls for tenants
  • k8s-platform-operations - Day-to-day operations
  • k8s-continual-improvement - SLOs and cost allocation
  • k8s-security-redteam - Test tenant isolation
  • k8s-namespace-troubleshooting - Namespace-scoped diagnosis
  • Shared: Pod Security Context
  • Shared: Network Policies
  • Shared: RBAC Patterns

Quick Reference


| Task | Command |
|---|---|
| List tenants | `kubectl get ns -l platform.io/tenant` |
| Check quota | `kubectl describe resourcequota -n tenant-NAME` |
| Audit RBAC | `kubectl auth can-i --list --as=user -n tenant-NAME` |
| View policies | `kubectl get networkpolicies -n tenant-NAME` |

Tenant Isolation Model


Namespace-per-Tenant Pattern


cluster/
├── platform-system/          # Platform team only
│   ├── monitoring/
│   ├── ingress/
│   └── cert-manager/
├── tenant-alpha/             # Tenant workloads
├── tenant-beta/
└── tenant-gamma/

Isolation Layers


  1. Namespace - Logical boundary
  2. RBAC - Access control
  3. NetworkPolicy - Network isolation
  4. ResourceQuota - Resource limits
  5. LimitRange - Default constraints
  6. PodSecurityStandard - Security baseline

Namespace Provisioning


Standard Tenant Namespace


```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-${TENANT_NAME}
  labels:
    platform.io/tenant: ${TENANT_NAME}
    platform.io/environment: ${ENV}
    platform.io/cost-center: ${COST_CENTER}
    platform.io/tier: ${TIER}
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
  annotations:
    platform.io/owner: ${OWNER_EMAIL}
    platform.io/created: ${DATE}
    platform.io/expires: ${EXPIRY_DATE}  # Optional for temp namespaces
```

Resource Quota Templates


Bronze Tier:

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
spec:
  hard:
    requests.cpu: "5"
    requests.memory: 10Gi
    limits.cpu: "10"
    limits.memory: 20Gi
    persistentvolumeclaims: "5"
    services.loadbalancers: "1"
    count/pods: "25"
```

Silver Tier (same object, only the hard limits change):

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    persistentvolumeclaims: "10"
    services.loadbalancers: "2"
    count/pods: "50"
```

Gold Tier:

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
spec:
  hard:
    requests.cpu: "20"
    requests.memory: 40Gi
    limits.cpu: "40"
    limits.memory: 80Gi
    persistentvolumeclaims: "20"
    services.loadbalancers: "5"
    count/pods: "100"
```

Limit Range


```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-limits
spec:
  limits:
  - type: Container
    default:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    max:
      cpu: "4"
      memory: 8Gi
    min:
      cpu: 50m
      memory: 64Mi
  - type: PersistentVolumeClaim
    max:
      storage: 100Gi
    min:
      storage: 1Gi
```

RBAC Configuration


For detailed RBAC patterns, see Shared: RBAC Patterns.

Tenant Admin Role


```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-admin
rules:
# Resources are enumerated rather than "*": a wildcard on the core group would
# also cover resourcequotas and limitranges, letting the tenant admin raise
# their own quota (see Common Mistakes below).
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec", "services", "endpoints",
              "configmaps", "secrets", "serviceaccounts",
              "persistentvolumeclaims", "events"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["*"]
# networkpolicies are left to the platform-managed standard policy set so a
# tenant admin cannot remove the default-deny baseline.
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["*"]
```

Tenant Developer Role


```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-developer
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "deployments", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/log", "pods/exec"]
  verbs: ["get", "create"]
```

Network Isolation


For detailed NetworkPolicy patterns, see Shared: Network Policies.

Standard Policy Set


Apply these in order to each tenant namespace:
  1. default-deny-all
    - Zero trust baseline
  2. allow-dns
    - DNS resolution
  3. allow-same-namespace
    - Intra-namespace communication
  4. allow-ingress-controller
    - External traffic
  5. allow-prometheus-scrape
    - Monitoring

Tenant Lifecycle


Onboarding Checklist


  1. Create namespace with standard labels
  2. Apply Pod Security Standard (restricted)
  3. Configure ResourceQuota based on tier
  4. Apply LimitRange with sensible defaults
  5. Create RBAC roles and bindings
  6. Deploy NetworkPolicies for isolation
  7. Configure monitoring (ServiceMonitor, alerts)
  8. Set up logging forwarding
  9. Document in tenant registry
  10. Notify tenant with access instructions

Offboarding Checklist


  1. Notify tenant of decommission date
  2. Backup any required data
  3. Revoke RBAC bindings
  4. Delete workloads (deployments, services)
  5. Delete PVCs and data
  6. Remove monitoring configuration
  7. Delete namespace
  8. Update tenant registry
  9. Archive documentation

Quota Modification Process


  1. Tenant submits request (ticket/form)
  2. Platform team reviews capacity
  3. If approved, update ResourceQuota in Git
  4. Flux applies changes
  5. Notify tenant of new limits

Self-Service Provisioning


Namespace Request CRD Pattern


```yaml
apiVersion: platform.io/v1
kind: TenantRequest
metadata:
  name: new-tenant-request
spec:
  tenantName: alpha
  tier: silver
  owner: team-alpha@company.com
  costCenter: CC-1234
  environments:
    - dev
    - staging
    - prod
```

Controller Automation


  • Watch TenantRequest CRs
  • Validate against policies
  • Create namespace with standard resources
  • Notify requestor
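The controller steps above (watch, validate, create the standard resources) are easiest to reason about as a pure function from a TenantRequest to the manifests the onboarding checklist calls for. The following is an added example, not part of this skill or of any real controller: it validates the request, then renders the Namespace (standard labels plus the restricted Pod Security Standard), the tier's ResourceQuota and the LimitRange for each requested environment, using only the Python standard library. The quota numbers, label keys and LimitRange values are the ones given above; the one-namespace-per-environment naming (`tenant-<name>-<env>`), the `validate_request` policy set and all function names are this example's own assumptions.

```python
import json
import re
from datetime import date

# Hard limits per tier, taken from the Resource Quota Templates in this skill.
# Platinum is "Custom" in the tiers table, so it has no template here and is
# rejected by validate_request (a real controller would route it to a human).
TIER_QUOTAS = {
    "bronze": {"requests.cpu": "5", "requests.memory": "10Gi",
               "limits.cpu": "10", "limits.memory": "20Gi",
               "persistentvolumeclaims": "5", "services.loadbalancers": "1",
               "count/pods": "25"},
    "silver": {"requests.cpu": "10", "requests.memory": "20Gi",
               "limits.cpu": "20", "limits.memory": "40Gi",
               "persistentvolumeclaims": "10", "services.loadbalancers": "2",
               "count/pods": "50"},
    "gold": {"requests.cpu": "20", "requests.memory": "40Gi",
             "limits.cpu": "40", "limits.memory": "80Gi",
             "persistentvolumeclaims": "20", "services.loadbalancers": "5",
             "count/pods": "100"},
}

# Pod Security Standard labels from the Standard Tenant Namespace manifest.
PSS_LABELS = {f"pod-security.kubernetes.io/{m}": "restricted"
              for m in ("enforce", "audit", "warn")}

# RFC 1123 DNS label, which every namespace name must satisfy.
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def namespace_name(tenant, env):
    # Assumption of this example: one namespace per tenant and environment.
    return f"tenant-{tenant}-{env}"


def validate_request(spec):
    """Reject a TenantRequest before anything is created (assumed policy set)."""
    tenant, tier = spec.get("tenantName", ""), spec.get("tier")
    if tier not in TIER_QUOTAS:
        raise ValueError(f"tier {tier!r} has no quota template")
    if "@" not in spec.get("owner", ""):
        raise ValueError("owner must be an email address")
    envs = spec.get("environments") or []
    if not envs:
        raise ValueError("at least one environment is required")
    for env in envs:
        if not DNS_LABEL.match(namespace_name(tenant, env)):
            raise ValueError(f"invalid namespace name for {tenant!r}/{env!r}")
    return spec


def render_namespace(spec, env, created):
    return {"apiVersion": "v1", "kind": "Namespace", "metadata": {
        "name": namespace_name(spec["tenantName"], env),
        "labels": {"platform.io/tenant": spec["tenantName"],
                   "platform.io/environment": env,
                   "platform.io/cost-center": spec["costCenter"],
                   "platform.io/tier": spec["tier"], **PSS_LABELS},
        "annotations": {"platform.io/owner": spec["owner"],
                        "platform.io/created": created}}}


def render_quota(spec, env):
    return {"apiVersion": "v1", "kind": "ResourceQuota",
            "metadata": {"name": "tenant-quota",
                         "namespace": namespace_name(spec["tenantName"], env)},
            "spec": {"hard": dict(TIER_QUOTAS[spec["tier"]])}}


def render_limit_range(spec, env):
    # Same defaults and bounds as the Limit Range section of this skill.
    return {"apiVersion": "v1", "kind": "LimitRange",
            "metadata": {"name": "tenant-limits",
                         "namespace": namespace_name(spec["tenantName"], env)},
            "spec": {"limits": [
                {"type": "Container",
                 "default": {"cpu": "500m", "memory": "512Mi"},
                 "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
                 "max": {"cpu": "4", "memory": "8Gi"},
                 "min": {"cpu": "50m", "memory": "64Mi"}},
                {"type": "PersistentVolumeClaim",
                 "max": {"storage": "100Gi"}, "min": {"storage": "1Gi"}}]}}


def render_bundle(request, created=None):
    """Namespace, ResourceQuota and LimitRange for every requested environment."""
    spec = validate_request(request["spec"])
    created = created or date.today().isoformat()
    objs = []
    for env in spec["environments"]:
        objs += [render_namespace(spec, env, created),
                 render_quota(spec, env), render_limit_range(spec, env)]
    return objs


def bundle_json(request, created=None):
    """A v1 List document that `kubectl apply -f -` accepts on stdin."""
    return json.dumps({"apiVersion": "v1", "kind": "List",
                       "items": render_bundle(request, created)}, indent=2)


# Constructed input: the TenantRequest from the CRD pattern above.
REQUEST = {"apiVersion": "platform.io/v1", "kind": "TenantRequest",
           "metadata": {"name": "new-tenant-request"},
           "spec": {"tenantName": "alpha", "tier": "silver",
                    "owner": "team-alpha@company.com", "costCenter": "CC-1234",
                    "environments": ["dev", "staging", "prod"]}}

if __name__ == "__main__":
    print(bundle_json(REQUEST))
```

Rendering into a `List` rather than applying from inside the controller keeps the objects reviewable: the same JSON can be committed to Git and applied by Flux, which is the path the quota modification process above already uses. The RBAC bindings and NetworkPolicies from the onboarding checklist would be rendered the same way once the owner's group mapping is known.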

Service Tiers


| Tier | CPU | Memory | Storage | Support | SLA |
|---|---|---|---|---|---|
| Bronze | 5 | 10Gi | 50Gi | Best effort | None |
| Silver | 10 | 20Gi | 200Gi | Business hours | 99% |
| Gold | 20 | 40Gi | 500Gi | 24/7 | 99.5% |
| Platinum | Custom | Custom | Custom | Dedicated | 99.9% |

Platform Services for Tenants


  • Ingress - NGINX/Traefik with TLS
  • Certificates - cert-manager with Let's Encrypt
  • Secrets - External Secrets Operator
  • Monitoring - Prometheus/Grafana (read-only)
  • Logging - Loki with namespace filtering
  • Service Mesh - Optional Istio/Linkerd

Common Mistakes


| Mistake | Why It Fails | Instead |
|---|---|---|
| Granting `*` verbs on all resources in tenant role | Tenants can modify NetworkPolicies or ResourceQuotas, breaking isolation | Enumerate specific resources and verbs per role |
| Forgetting default LimitRange on new namespaces | Pods without resource requests get best-effort QoS and are evicted first | Always pair ResourceQuota with a LimitRange |
| Using `platform.io/tenant` label without enforcement | Anyone can relabel a namespace and bypass tenant scoping | Enforce labels with admission control (Kyverno/OPA) |
| Skipping NetworkPolicy on "internal-only" namespaces | Compromised pod in one tenant can reach all others | Apply default-deny + explicit allow to every tenant namespace |
| Deleting namespace before revoking RBAC | Tenant users see confusing errors; orphaned ClusterRoleBindings remain | Revoke bindings first, then delete namespace (follow offboarding checklist) |
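Most rows of the table above, and the default-deny baseline of the Standard Policy Set, can be checked mechanically before a tenant bundle is applied or as a periodic audit of what is already in the cluster. The linter below is an added example, not part of this skill: it takes a tenant namespace's manifests as plain dicts (the output of `kubectl get ... -o json`, or the rendered bundle from a controller) and reports wildcard Role rules, a ResourceQuota with no LimitRange, a Namespace missing the `platform.io/tenant` label or the restricted PSS `enforce` label, and the absence of a default-deny NetworkPolicy. The finding codes, function names and the two constructed sample bundles are this example's own; the "bad" bundle deliberately reuses the `resources: ["*"]` / `verbs: ["*"]` shape the table warns against.

```python
WILDCARD = "*"


def _kinds(objs, kind):
    return [o for o in objs if o.get("kind") == kind]


def check_wildcard_roles(objs):
    """Row 1: a Role rule with * resources and * verbs covers quotas and policies."""
    findings = []
    for role in _kinds(objs, "Role"):
        for rule in role.get("rules", []):
            if WILDCARD in rule.get("resources", []) and WILDCARD in rule.get("verbs", []):
                findings.append(("WILDCARD_ROLE", role["metadata"]["name"],
                                 "grants * verbs on * resources; enumerate resources and verbs"))
    return findings


def check_quota_has_limitrange(objs):
    """Row 2: a quota without a LimitRange leaves request-less pods BestEffort."""
    if _kinds(objs, "ResourceQuota") and not _kinds(objs, "LimitRange"):
        return [("MISSING_LIMITRANGE", "-",
                 "ResourceQuota without LimitRange: pods with no requests get BestEffort QoS")]
    return []


def check_namespace_labels(objs):
    """Row 3 and the PSS baseline: tenant scoping label and restricted enforcement."""
    findings = []
    for ns in _kinds(objs, "Namespace"):
        name = ns["metadata"]["name"]
        labels = ns["metadata"].get("labels") or {}
        if "platform.io/tenant" not in labels:
            findings.append(("MISSING_TENANT_LABEL", name, "namespace lacks platform.io/tenant label"))
        if labels.get("pod-security.kubernetes.io/enforce") != "restricted":
            findings.append(("PSS_NOT_RESTRICTED", name,
                             "pod-security.kubernetes.io/enforce is not 'restricted'"))
    return findings


def _is_default_deny(policy):
    # Selects every pod, declares both directions, and allows nothing.
    spec = policy.get("spec") or {}
    return (spec.get("podSelector", {}) == {}
            and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
            and not spec.get("ingress") and not spec.get("egress"))


def check_default_deny(objs):
    """Row 4: every tenant namespace starts from default-deny-all."""
    if any(_is_default_deny(p) for p in _kinds(objs, "NetworkPolicy")):
        return []
    return [("NO_DEFAULT_DENY", "-",
             "no default-deny NetworkPolicy; a compromised pod can reach other tenants")]


CHECKS = [check_wildcard_roles, check_quota_has_limitrange,
          check_namespace_labels, check_default_deny]


def lint(objs):
    """Return (code, object, message) triples; an empty list means the bundle passes."""
    return [finding for check in CHECKS for finding in check(objs)]


# Constructed sample bundles (not captured from a real cluster).
GOOD_BUNDLE = [
    {"kind": "Namespace", "metadata": {"name": "tenant-alpha", "labels": {
        "platform.io/tenant": "alpha", "pod-security.kubernetes.io/enforce": "restricted"}}},
    {"kind": "ResourceQuota", "metadata": {"name": "tenant-quota"},
     "spec": {"hard": {"count/pods": "50"}}},
    {"kind": "LimitRange", "metadata": {"name": "tenant-limits"}},
    {"kind": "Role", "metadata": {"name": "tenant-developer"}, "rules": [
        {"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
         "verbs": ["get", "list", "watch"]}]},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-all"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]
BAD_BUNDLE = [
    {"kind": "Namespace", "metadata": {"name": "tenant-beta", "labels": {}}},
    {"kind": "ResourceQuota", "metadata": {"name": "tenant-quota"},
     "spec": {"hard": {"count/pods": "25"}}},
    {"kind": "Role", "metadata": {"name": "tenant-admin"}, "rules": [
        {"apiGroups": ["", "apps", "batch"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for code, obj, msg in lint(BAD_BUNDLE):
        print(f"{code:22} {obj:14} {msg}")
```

The same checks fit naturally into a Kyverno or OPA admission policy, which is where the table says label enforcement belongs; running them as a linter in CI first catches a misconfigured bundle before it ever reaches the admission controller.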

MCP Tools



Using kubectl via MCP


  • mcp__flux-operator-mcp__get_kubernetes_resources
  • mcp__flux-operator-mcp__apply_kubernetes_manifest