OpenBaoTenant

OpenBaoTenant is the governance and onboarding CRD. It authorizes the Operator to manage OpenBao resources in a target namespace by provisioning tenant-scoped isolation.

It is the key to Multi-Tenancy, ensuring that different teams can safely share a Kubernetes cluster without accessing each other's secrets.

Tenant Isolation Model

When you apply an OpenBaoTenant, the Operator creates a "Sandbox" around the target namespace.

graph TD
    subgraph Namespace ["Tenant Namespace"]
        direction TB
        RBAC["fa:fa-id-badge RBAC RoleBinding"]
        NetPol["fa:fa-shield-halved NetworkPolicy"]
        Quota["fa:fa-chart-pie ResourceQuota"]

        App[["Tenant App"]]

        RBAC -->|Binds| App
        NetPol -->|Isolates| App
        Quota -->|Limits| App
    end

    Op["fa:fa-gears Operator"] -->|Provisions| Namespace

    classDef security fill:transparent,stroke:#dc2626,stroke-width:2px,color:#000;
    class RBAC,NetPol,Quota security;

Features

  • Identity & Access

    Automatically provisions Kubernetes RoleBindings to efficiently manage permissions for the Tenant.

  • Network Isolation

    Enforces NetworkPolicies to block cross-tenant traffic, ensuring strict isolation between namespaces.

  • Resource Quotas

    Applies ResourceQuotas to prevent a single tenant from consuming all cluster storage or compute. Limits are configurable via the OpenBaoTenant spec.
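The three resources named in the isolation model above (RoleBinding, NetworkPolicy, ResourceQuota) are standard Kubernetes objects, so the shape of a tenant "Sandbox" can be shown directly. The manifests below are an added illustration written for this page, not output of the Operator or part of its code base: the namespace `team-a`, the group `team-a-developers`, the object names and the quota figures are all assumed placeholders, and the exact objects the Operator provisions may differ.

```yaml
# Added example: what a tenant sandbox for namespace "team-a" could look like.
# All names and values are assumed placeholders, not Operator-generated output.

# 1. Identity & Access: a RoleBinding scopes the built-in "edit" ClusterRole to
#    this namespace only, so the group gains no rights in other tenants' namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: openbao-tenant-editors        # assumed name
  namespace: team-a                   # assumed tenant namespace
subjects:
  - kind: Group
    name: team-a-developers           # assumed group from the cluster's identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                          # built-in aggregated ClusterRole, namespace-scoped by this binding
  apiGroup: rbac.authorization.k8s.io
---
# 2. Network Isolation: a default-deny ingress policy that only admits traffic
#    from pods in the same namespace, blocking cross-tenant connections.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-cross-tenant-ingress     # assumed name
  namespace: team-a
spec:
  podSelector: {}                     # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}             # peers in the same namespace only; no namespaceSelector
---
# 3. Resource Quotas: caps on compute and storage so one tenant cannot starve the cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: openbao-tenant-quota          # assumed name
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"                 # assumed figures; the Operator reads its limits from the spec
    requests.memory: 8Gi
    requests.storage: 20Gi
    persistentvolumeclaims: "5"
```

A quick way to confirm the RBAC boundary holds once such a sandbox is in place is an impersonated authorization check, for example `kubectl auth can-i get secrets -n team-b --as=someone --as-group=team-a-developers`, which should answer `no` for any namespace other than the tenant's own. NetworkPolicy enforcement additionally depends on the cluster's CNI plugin supporting it; on a CNI without policy support the object is accepted but has no effect, so that assumption is worth checking as well.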

Governance Models

Choose the onboarding model that fits your organization.

  • Self-Service

    Developers create their own OpenBaoTenant in their own namespace.

    Best for: High-trust, low-friction environments.

    Self-Service Guide

  • Centralized Admin
    Platform team creates OpenBaoTenant resources for teams.

    Best for: Strict compliance and audit trails.

    Admin Guide

Next Steps