RBAC for Multi-Tenancy
Multi-tenant Kubernetes deployments require careful RBAC design to maintain isolation between tenants. Soft multi-tenancy with trusted tenants allows some resource sharing. Hard multi-tenancy with untrusted tenants requires complete isolation. RBAC forms one layer of multi-tenant isolation alongside network policies and resource quotas.
Namespace-based tenant isolation uses RBAC to confine tenants to their namespaces. Each tenant receives admin permissions within their namespaces but no cluster-wide permissions. Hierarchical namespaces can provide sub-tenant isolation. This model works well for trusted tenants but may not suffice for hostile multi-tenancy.
```yaml
# Tenant isolation with RBAC
# ClusterRole for tenant namespace admin
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tenant-namespace-admin
rules:
  # Full control over namespace resources
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  # Exclude cluster-scoped resources: RBAC rules are additive and cannot
  # express exclusions, and a rule without verbs is rejected by the API server.
  # Bind this role only through a namespaced RoleBinding (see the template
  # below), which confines it to that namespace. A ClusterRoleBinding to this
  # role would grant full cluster access.
---
# ClusterRole for tenant self-service
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tenant-self-service
rules:
  # Allow creating namespaces with specific prefix.
  # RBAC cannot restrict "create" by object name, so the prefix itself has to
  # be enforced by admission control.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create"]
  # Allow listing own namespaces.
  # resourceNames matches exact names only (no wildcards), so the templating
  # step must render one entry per namespace. NAMESPACE_NAME is a hypothetical
  # template variable. A "list" restricted by resourceNames is authorized only
  # when the client sends a matching metadata.name field selector.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
    resourceNames: ["tenant-${TENANT_ID}-${NAMESPACE_NAME}"]
---
# Bind self-service role to tenant group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tenant-acme-self-service
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tenant-self-service
subjects:
  - kind: Group
    name: "tenant:acme"
    apiGroup: rbac.authorization.k8s.io
---
# Automated RoleBinding for tenant namespaces
apiVersion: v1
kind: ConfigMap
metadata:
  name: tenant-rbac-template
  namespace: rbac-system
data:
  rolebinding-template.yaml: |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: tenant-admin
      namespace: "{{ .Namespace }}"
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: tenant-namespace-admin
    subjects:
      - kind: Group
        name: "tenant:{{ .TenantID }}"
        apiGroup: rbac.authorization.k8s.io
```
Cross-namespace access patterns complicate multi-tenant RBAC. Shared services like ingress controllers or monitoring require access across tenant namespaces. RBAC must carefully control these cross-namespace permissions to prevent tenant boundary violations. SubjectAccessReviews can validate permissions programmatically for dynamic authorization decisions.
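The following added example (not part of the original page) builds SubjectAccessReview bodies for every tenant group against every tenant namespace and reports grants that cross a tenant boundary without being allow-listed. So that it runs without a cluster, `evaluate()` is a simplified stand-in for the API server's RBAC authorizer. The `metrics-reader` role, the `platform:monitoring` and `tenant:globex` groups, the `isolation-probe` user and the namespace names are constructed for illustration.

```python
# Constructed sample data. namespace=None models a ClusterRoleBinding;
# a namespace string models a RoleBinding in that namespace.
ROLES = {
    "tenant-namespace-admin": [{"verbs": ["*"], "resources": ["*"]}],
    "metrics-reader": [{"verbs": ["get", "list"], "resources": ["pods"]}],  # hypothetical
}
BINDINGS = [
    {"group": "tenant:acme", "role": "tenant-namespace-admin", "namespace": "tenant-acme-prod"},
    {"group": "tenant:globex", "role": "tenant-namespace-admin", "namespace": "tenant-globex-prod"},
    {"group": "platform:monitoring", "role": "metrics-reader", "namespace": None},
]


def build_sar(group, namespace, verb, resource):
    """SubjectAccessReview body as it would be POSTed to the API server."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": "isolation-probe",  # hypothetical probe identity
            "groups": [group],
            "resourceAttributes": {"namespace": namespace, "verb": verb, "resource": resource},
        },
    }


def evaluate(sar, bindings):
    """Simplified offline stand-in for the RBAC authorizer (additive, no deny)."""
    spec, attrs = sar["spec"], sar["spec"]["resourceAttributes"]
    for b in bindings:
        in_scope = b["namespace"] in (None, attrs["namespace"])
        if b["group"] in spec["groups"] and in_scope:
            for rule in ROLES[b["role"]]:
                verb_ok = "*" in rule["verbs"] or attrs["verb"] in rule["verbs"]
                res_ok = "*" in rule["resources"] or attrs["resource"] in rule["resources"]
                if verb_ok and res_ok:
                    return True
    return False


def cross_tenant_grants(namespaces, bindings, verb, resource, expected=()):
    """Return (group, namespace) pairs allowed across a tenant boundary and not allow-listed."""
    found = []
    for group in sorted({b["group"] for b in bindings}):
        for ns in namespaces:
            owner = "tenant:" + ns.split("-")[1]  # assumes tenant-<id>-<name> naming
            allowed = evaluate(build_sar(group, ns, verb, resource), bindings)
            if allowed and group != owner and (group, ns) not in expected:
                found.append((group, ns))
    return found
```

Against a live cluster, the bodies from `build_sar()` would be submitted to the `authorization.k8s.io/v1` SubjectAccessReview API and `status.allowed` read in place of `evaluate()`.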