AdvancedTechnical
5 min
Securing Multi-Tenant Kubernetes Namespaces
KubernetesSecurityMulti-Tenancy
Advertisement
Interview Question
Design a secure multi-tenant Kubernetes setup. How do you isolate workloads and enforce policy across namespaces?
Key Points to Cover
- Use network policies, resource quotas, and limit ranges per namespace
- Apply Pod Security Standards and admission controls
- Separate service accounts and least-privilege RBAC per tenant
- Restrict egress with egress gateways or eBPF-based policy
- Audit policies via OPA/Gatekeeper and CI checks
Evaluation Rubric
Implements strong tenant isolation35% weight
Applies least-privilege access control25% weight
Enforces ingress/egress/networking policy20% weight
Enables policy governance and audit20% weight
Hints
- 💡Consider separate clusters for hard isolation.
Common Pitfalls to Avoid
- ⚠️Insufficient network policy definition, leading to unintended inter-tenant communication.
- ⚠️Overly permissive RBAC configurations or shared service accounts, allowing unauthorized access.
- ⚠️Neglecting to set comprehensive ResourceQuotas and LimitRanges, resulting in resource contention or denial of service.
- ⚠️Inconsistent application of Pod Security Standards across all namespaces and workloads.
- ⚠️Lack of clear data isolation strategies, potentially exposing sensitive tenant data.
Potential Follow-up Questions
- ❓How to shard tenants across clusters?
- ❓How do you handle noisy neighbors?
Advertisement