The Kubernetes Tenant Operator is a specialized controller designed for a multi-tenant Kubernetes-based web hosting Platform as a Service (PaaS). It streamlines the management of tenants by automating the provisioning and de-provisioning of their dedicated namespaces.
This operator introduces a Tenant Custom Resource Definition (CRD), which represents a single tenant on the platform. When a new Tenant resource is created, the operator's controller springs into action, creating a unique namespace for that tenant. This namespace is appropriately labeled to identify the tenant and enable further configurations, such as Istio sidecar injection.
Conversely, when a Tenant resource is deleted, the operator ensures a clean teardown by removing the corresponding namespace and all its associated resources. This is managed gracefully through the use of a finalizer, preventing the Tenant resource from being fully deleted until its namespace has been successfully removed.
- Automated Namespace Provisioning: Automatically creates a dedicated namespace for each new `Tenant` custom resource.
- Tenant-Specific Labeling: Applies labels to tenant namespaces for easy identification and policy enforcement, including:
  - `istio-injection`
  - `kleff.io/tenant-username`
  - `kleff.io/tenant-plan`
- Graceful Deletion with Finalizers: Utilizes a finalizer (`kleff.io/namespace-finalizer`) to ensure that a tenant's namespace is deleted before the `Tenant` resource is removed from the cluster.
- Status Conditions: Updates the `status` of the `Tenant` resource with conditions like `NamespaceReady` and `TenantReady` to reflect the state of the provisioning process.
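
The finalizer-gated lifecycle described above, modelled as a small state machine. This is an added example, not the operator's own code: the `state` type, the step names and the `lifecycle` driver are assumptions made for illustration, and only the finalizer name comes from this README.

```go
package main

import "fmt"

const finalizer = "kleff.io/namespace-finalizer" // name from the README

// state is a constructed snapshot of one Tenant and its namespace (not the operator's types).
type state struct {
	Deleting   bool            // Tenant has metadata.deletionTimestamp set
	Finalizers map[string]bool // Tenant metadata.finalizers, modelled as a set
	NSPhase    string          // "" (absent), "Active" or "Terminating"
}

// reconcile performs one idempotent pass and returns the name of the step taken.
func reconcile(s *state) string {
	switch {
	case !s.Deleting && !s.Finalizers[finalizer]:
		s.Finalizers[finalizer] = true // register cleanup before creating anything
		return "add-finalizer"
	case !s.Deleting && s.NSPhase == "":
		s.NSPhase = "Active"
		return "create-namespace"
	case !s.Deleting && s.NSPhase == "Active":
		return "ready"
	case !s.Finalizers[finalizer]:
		return "released" // nothing blocks the API server from removing the Tenant
	case s.NSPhase == "Active":
		s.NSPhase = "Terminating" // namespace deletion is asynchronous
		return "delete-namespace"
	case s.NSPhase == "Terminating":
		return "wait-namespace" // keep the finalizer and requeue
	}
	delete(s.Finalizers, finalizer) // namespace is gone, so release the Tenant
	return "remove-finalizer"
}

// lifecycle drives one tenant through provisioning and teardown.
func lifecycle() (steps []string) {
	s := &state{Finalizers: map[string]bool{}}
	for i := 0; i < 7; i++ {
		s.Deleting = i >= 3 // the Tenant is deleted after three passes
		if i == 5 {
			s.NSPhase = "" // the namespace controller has finished terminating
		}
		steps = append(steps, reconcile(s))
	}
	return steps
}

func main() { fmt.Println(lifecycle()) }
```
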
The core of the Tenant Operator is the Tenant custom resource. Below is an example of a Tenant resource definition:
```yaml
apiVersion: kleff.kleff.io/v1
kind: Tenant
metadata:
  name: example-tenant
spec:
  plan: "basic"
  userId: "user-12345"
  username: "exampleuser"
```

This operator is designed to be extensible. Future versions will deepen tenant isolation and automate more aspects of the PaaS environment:
- OPA Gatekeeper Integration: Automatically apply custom security and governance policies to each tenant's namespace to enforce rules like trusted image registries or pod security standards.
- Automated Istio Configuration: Generate tenant-specific Istio resources, such as `Gateways` and `AuthorizationPolicies`, to manage ingress traffic and secure service-to-service communication within the mesh.
- Dynamic Resource Management: Create `ResourceQuota` and `LimitRange` objects based on the tenant's selected `plan` to ensure fair resource allocation and maintain cluster stability.