Make tenant access explicit instead of discoverable.
The operator's multi-tenant model depends on deliberate namespace introduction. A tenant namespace becomes manageable only after onboarding introduces the controller through fixed RBAC, applies namespace guardrails, and keeps the identity that grants access separate from the identity that consumes it.
Decision matrix
Isolation pillars
| Pillar | What it protects | Primary mechanism |
|---|---|---|
| Namespace introduction | The controller does not become present in a namespace by accident. | OpenBaoTenant onboarding creates the fixed Role and RoleBinding that introduce the controller deliberately. |
| Identity separation | Provisioning and workload management do not share one broad credential. | The provisioner grants access, while the controller uses tenant-scoped access without minting it. |
| Admission guardrails | Unsafe RBAC writes and operator-object drift are blocked at the API boundary. | Validating admission policies constrain names, subjects, and managed-object mutation patterns. |
| Network and namespace hardening | Cross-tenant traffic and insecure sidecar drift are reduced by default. | Default-deny NetworkPolicy and Restricted Pod Security labels apply at onboarding time. |
Diagram
Tenant introduction flow
The provisioner writes the access grant into the target namespace, but the ongoing controller uses that access without being able to mint or broaden it freely.
Onboarding models
Decision matrix
Choose the governance model
| Model | Who creates the request | Primary constraint | Why you would use it |
|---|---|---|---|
| Self-service | A namespace admin creates OpenBaoTenant inside the same namespace. | spec.targetNamespace must match metadata.namespace. | Use this when teams manage their own namespaces and you want the least central coordination without granting cross-namespace privilege. |
| Centralized onboarding | A platform-admin workflow creates the request in the operator namespace. | Normal tenant users must not be able to write onboarding requests there. | Use this when quotas, guardrails, or namespace vending are controlled centrally. |
This page explains the isolation contract. Use Onboard the target namespace when you need the concrete onboarding workflow and field-level configuration.
What the model guarantees
Reference table
Operational guarantees
| Guarantee | What it means | Primary control |
|---|---|---|
| No namespace discovery as a normal workflow | The controller does not need to list namespaces to find tenants. | Namespaces are introduced through onboarding rather than through global discovery. |
| No cross-tenant Secret browsing | The controller should not treat tenant Secrets as generic cluster inventory. | Secret access is name-scoped, role-scoped, and guarded by admission policy. |
| No all-powerful long-running operator credential | The component that grants access does not also reconcile every tenant workload with the same credential. | Provisioner/controller identity split. |
| Namespace-level runtime baseline | Tenant namespaces start from Restricted pod-security enforcement and default network isolation. | Provisioner-owned namespace labels and network-policy defaults. |
Assumptions and residual risk
Reference table
Assumptions you still need to own
| Assumption | Why it matters | What to do |
|---|---|---|
| Admission stays enabled | Without it, the RBAC and managed-object model loses an important API-level backstop. | Treat unsafe mode as a deliberate exception and not as the normal multi-tenant posture. |
| The surrounding cluster is trustworthy | Node compromise, cluster-admin access, or hostile CNI behavior are outside what namespace isolation can solve. | Pair the operator model with normal cluster hardening, audit, and node-security controls. |
| Shared external systems are partitioned appropriately | Object storage, PKI, and KMS systems can still become cross-tenant blast-radius points if configured broadly. | Separate identities, prefixes, or trust roots per tenant or per environment where required. |
Continue tenant isolation
This version tracks a prerelease build. Features and behavior may change before the next stable release.
Was this page helpful?
Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.