I gave a talk with @yoshiat (PM, Google Kubernetes Engine) at Google Cloud Next '18 about Kubernetes Multi-Tenancy Best Practices in San Francisco last month!

You can watch the recording and look at the slides.

Most of the talk was adapted from David Oppenheimer’s KubeCon EU 2018 talk and curated for Google Kubernetes Engine-specific features.

In this talk we covered:

  • Software Trust Modes
  • What is Multi-tenancy?
  • Clusters vs Namespaces as Trust Boundary
  • Why not cluster-per-tenant?
  • Multi-tenancy use cases
    • Enterprise (all users/teams from the same company)
    • Software as a Service (like WordPress.com)
    • Kubernetes as a Service (cluster as a hosting platform)
  • GKE/Kubernetes Primitives for multi-tenancy
    • Auth-related features
      • Kubernetes RBAC
      • GKE/GCP IAM
      • Admission Controls
      • Extending Admission Controls
      • Pod Security Policy
      • Network Policy
    • Scheduling-related features
      • Pod Priority/Preemption
      • Resource Quotas
      • Limit Ranges
      • Pod Anti-affinity (sole-tenant nodes)
      • Dedicated nodes (taints/tolerations)
      • Sandboxed Pods & gVisor
  • Policy Management at Scale with GKE Policy Management
  • Limitation of Kubernetes Multi-tenancy Today
  • Participating in the community