Security / Tenant Isolation
Treat multi-tenancy as an explicit isolation model, not a convenience feature.
OpenBao Operator is designed for a shared platform with strict tenant boundaries. The security model depends on explicit namespace introduction, split controller identities, admission guardrails, and network isolation rather than on broad cluster-scoped trust.
Decision matrix
Tenant isolation pillars
| Pillar | What it protects | Primary mechanism |
|---|---|---|
| Namespace introduction | Prevents the controller from discovering or managing arbitrary namespaces. | OpenBaoTenant onboarding, explicit RoleBinding introduction, and no namespace-wide controller discovery. |
| Identity separation | Keeps provisioning and workload management from sharing a single all-powerful credential. | Split provisioner and controller identities with different RBAC scopes. |
| Admission guardrails | Blocks unsafe configuration drift and unauthorized mutation of managed resources. | Validating admission policies and managed-resource ownership rules. |
| Network isolation | Prevents cross-tenant traffic and over-broad egress by default. | Default-deny NetworkPolicy plus explicit allow rules. |
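As an added example (not code from the OpenBao Operator project), the following audit checks the network isolation pillar: it reports tenant namespaces that lack a namespace-wide default-deny NetworkPolicy for ingress or egress. The namespace names and manifests are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit tenant namespaces for a default-deny NetworkPolicy baseline.
# All manifests below are constructed sample data, not OpenBao Operator output.
BOTH = {"Ingress", "Egress"}

def denied_directions(policy):
    """Return the directions this policy denies by default for every pod."""
    spec = policy.get("spec", {})
    selector = spec.get("podSelector")
    # Only an empty podSelector ({}) selects all pods in the namespace.
    if selector is None or selector.get("matchLabels") or selector.get("matchExpressions"):
        return set()
    types = spec.get("policyTypes")
    if types is None:
        # Kubernetes defaulting: Ingress always, Egress only if egress rules exist.
        types = ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    # A listed direction with no rules (absent or empty list) allows nothing.
    return {d for d in types if not spec.get(d.lower())}

def missing_default_deny(tenant_namespaces, policies):
    """Map each tenant namespace to the directions with no default-deny baseline."""
    covered = {ns: set() for ns in tenant_namespaces}
    for policy in policies:
        ns = policy.get("metadata", {}).get("namespace")
        if ns in covered:
            covered[ns] |= denied_directions(policy)
    return {ns: sorted(BOTH - got) for ns, got in covered.items() if got != BOTH}

def np(namespace, name, spec):
    return {"kind": "NetworkPolicy",
            "metadata": {"namespace": namespace, "name": name}, "spec": spec}

SAMPLE_POLICIES = [  # constructed
    # tenant-a: default-deny in both directions plus one explicit allow rule.
    np("tenant-a", "default-deny", {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}),
    np("tenant-a", "allow-api", {"podSelector": {"matchLabels": {"app": "bao"}},
                                 "policyTypes": ["Ingress"],
                                 "ingress": [{"ports": [{"port": 8200}]}]}),
    # tenant-b: policyTypes omitted, so only ingress is denied.
    np("tenant-b", "deny-ingress", {"podSelector": {}}),
    # tenant-b: selects all pods but allows all egress, so it is not a deny baseline.
    np("tenant-b", "allow-all-egress", {"podSelector": {}, "policyTypes": ["Egress"],
                                        "egress": [{}]}),
]

if __name__ == "__main__":
    tenants = ["tenant-a", "tenant-b", "tenant-c"]
    for ns, gaps in missing_default_deny(tenants, SAMPLE_POLICIES).items():
        print(f"{ns}: no default-deny for {', '.join(gaps)}")
```

Because NetworkPolicies are additive, an explicit allow rule alongside the default-deny policy (as in `tenant-a`) does not count as a gap.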
Next actions
- Read the isolation model: Go deeper into the exact namespace, RBAC, and secret-boundary behavior.
- Open RBAC architecture: See how the split-controller model enforces the tenant boundary at the identity layer.
- Open tenancy and governance: Switch to the user-guide path when you need the actual onboarding workflow instead of the security model.
Next release documentation
You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.