Security / Tenant Isolation
Treat multi-tenancy as an explicit isolation model, not a convenience feature.
OpenBao Operator is designed for a shared platform with strict tenant boundaries. The security model depends on explicit namespace introduction, split controller identities, admission guardrails, and network isolation rather than on broad cluster-scoped trust.
Decision matrix
Tenant isolation pillars
| Pillar | What it protects | Primary mechanism |
|---|---|---|
| Namespace introduction | Prevents the controller from discovering or managing arbitrary namespaces. | OpenBaoTenant onboarding, explicit RoleBinding introduction, and no namespace-wide controller discovery. |
| Identity separation | Keeps provisioning and workload management from sharing a single all-powerful credential. | Split provisioner and controller identities with different RBAC scopes. |
| Admission guardrails | Blocks unsafe configuration drift and unauthorized mutation of managed resources. | Validating admission policies and managed-resource ownership rules. |
| Network isolation | Prevents cross-tenant traffic and over-broad egress by default. | Default-deny NetworkPolicy plus explicit allow rules. |
Next actions
- Read the isolation model: Go deeper into the exact namespace, RBAC, and secret-boundary behavior.
- Open RBAC architecture: See how the split-controller model enforces the tenant boundary at the identity layer.
- Open tenancy and governance: Switch to the user-guide path when you need the actual onboarding workflow instead of the security model.
Prerelease documentation
This version tracks a prerelease build. Features and behavior may change before the next stable release.