Skip to content

Multi-Tenancy Security

Shared Platform, Isolated Tenants

OpenBao Operator is designed for Hard Multi-Tenancy. It allows multiple independent teams to share a single Kubernetes cluster and Operator installation while maintaining strict cryptographic, network, and identity isolation.

Security Pillars

  • Tenant Isolation

    How the "Provisioner" controller enforces strict namespace boundaries and prevents cross-tenant access.

    Isolation Model

  • RBAC Boundaries

    The "Zero Trust" split-controller architecture that ensures no single credential has total cluster control.

    RBAC Architecture

  • Network Isolation

    Default Deny NetworkPolicies that prevent tenants from discovering or accessing each other's pods.

    Network Security

The Split-Controller Model

To achieve secure multi-tenancy, the Operator splits responsibilities between two distinct controllers:

  1. The Provisioner:

    • Scope: Cluster-wide.
    • Power: Can create Roles/RoleBindings but cannot read Secrets or manage Workloads.
    • Role: The "Landlord" who hands out keys but can't enter apartments.

  2. The Controller:

    • Scope: Namespace-restricted (per tenant).
    • Power: Can manage Workloads/Secrets but only in namespaces where the Provisioner issued a key.
    • Role: The "Tenant" who manages their own apartment.

See Also