Introduction
In Kubernetes, multi-tenancy enables multiple teams or projects to share the same cluster while maintaining isolation and security. However, ensuring proper access control and preventing resource conflicts is a challenge. This guide walks you through setting up a secure multi-tenant environment using Minikube, Namespaces, and RBAC (Role-Based Access Control).
Why Multi-tenancy in Kubernetes?
- Isolates workloads for different teams
- Ensures least-privilege access
- Prevents unintentional interference between teams
- Helps organizations optimize resource usage
Step 1: Start Minikube
Before setting up multi-tenancy, ensure Minikube is running:
minikube start --memory=4096 --cpus=2
Step 2: Create Isolated Namespaces
Each team or project should have its own namespace.
kubectl create namespace dev-team
kubectl create namespace qa-team
kubectl create namespace prod-team
You can verify:
kubectl get namespaces
Step 3: Implement Role-Based Access Control (RBAC)
Create a Role for Developers
Developers should only be able to manage resources within their own namespace. Save the following as developer-role.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev-team        # a Role is namespaced; it can never grant anything elsewhere
  name: developer-role
rules:
- apiGroups: [""]            # "" is the core API group (pods, services); Deployments live in "apps" and are not granted here
  resources: ["pods", "services"]
  verbs: ["create", "get", "list", "delete"]
Apply it:
kubectl apply -f developer-role.yaml
Bind the Role to a User (save as developer-binding.yaml)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev-team        # the binding only takes effect in this namespace
  name: developer-binding
subjects:
- kind: User                 # a user name as presented by the cluster's authenticator, not a cluster object
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io
Apply it:
kubectl apply -f developer-binding.yaml
User alice can now create, get, list and delete pods and services in the dev-team namespace, and nothing else: RBAC is deny-by-default and additive, so without a binding in qa-team or prod-team she has no access there.
Step 4: Enforce Network Isolation (Optional but Recommended)
To ensure pods cannot reach resources outside their namespace, create a NetworkPolicy (save as restrict-access.yaml):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-access
  namespace: dev-team
spec:
  podSelector: {}            # empty selector: the policy applies to every pod in dev-team
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}        # a podSelector on its own matches pods in this namespace only
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          # kubectl create namespace sets this label automatically; a plain "name" label
          # does not exist unless you add it, and a selector on it would match nothing.
          kubernetes.io/metadata.name: dev-team
Apply it:
kubectl apply -f restrict-access.yaml
This ensures that pods in dev-team can only communicate within their namespace. Two caveats: the policy is only enforced when the cluster's CNI supports NetworkPolicy (Minikube's default network plugin does not, so start it with a policy-capable CNI such as --cni=calico), and because egress is limited to dev-team, pods lose access to cluster DNS in kube-system unless you add an egress rule for it.
Step 5: Verify Multi-tenancy
- As the restricted user, try creating resources in a namespace you were not granted access to; the request should be denied.
- Check access control using kubectl auth can-i.
Example (the --as impersonation works here because the default Minikube context runs as cluster-admin):
kubectl auth can-i create pods --as=alice --namespace=dev-team    # yes (allowed)
kubectl auth can-i delete pods --as=alice --namespace=prod-team   # no (denied)
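To make the RBAC decision behind Step 3 and these checks concrete, here is an added, offline model (not part of the original guide) that evaluates a request the way `kubectl auth can-i` would for the guide's own developer-role and developer-binding. It is a simplification: it handles Role and ClusterRole references from RoleBindings only, ignoring ClusterRoleBindings, groups, subresources and resourceNames.

```python
"""Offline model of the namespaced RBAC check behind `kubectl auth can-i`."""
# Constructed sample input: the guide's Role and RoleBinding as Python dicts.
DEVELOPER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "dev-team", "name": "developer-role"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
               "verbs": ["create", "get", "list", "delete"]}],
}
DEVELOPER_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "dev-team", "name": "developer-binding"},
    "subjects": [{"kind": "User", "name": "alice"}],
    "roleRef": {"kind": "Role", "name": "developer-role"},
}

def _rule_matches(rule, api_group, resource, verb):
    """A rule grants a request only if API group, resource AND verb all match."""
    def hit(values, want):
        return any(v in ("*", want) for v in values)  # "*" is RBAC's wildcard
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Deny by default; allow iff a RoleBinding in `namespace` names `user` and its
    roleRef (a Role in that namespace, or a ClusterRole) has a matching rule."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never grants anything outside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        for role in roles:
            if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
                continue
            if role["kind"] == "Role" and role["metadata"]["namespace"] != namespace:
                continue  # a Role can only be bound inside the namespace it lives in
            if any(_rule_matches(r, api_group, resource, verb) for r in role["rules"]):
                return True
    return False

if __name__ == "__main__":
    objs = ([DEVELOPER_ROLE], [DEVELOPER_BINDING])
    print(can_i("alice", "create", "pods", "dev-team", *objs))        # True
    print(can_i("alice", "delete", "pods", "prod-team", *objs))       # False
    # Deployments live in the "apps" API group, which developer-role never grants.
    print(can_i("alice", "create", "deployments", "dev-team", *objs, api_group="apps"))  # False
```

The third check is the one people trip over in practice: a rule for `apiGroups: [""]` covers core resources only, so granting Deployments needs a separate rule for the "apps" group.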
Conclusion
By setting up Namespaces, RBAC, and NetworkPolicies, you have successfully created a secure multi-tenant Kubernetes cluster in Minikube. This setup ensures each team has isolated access to their resources without interference.
Stay tuned for more Kubernetes security insights! 