skip to Main Content

What are the three tenancy models for Kubernetes?

June 4, 2021 | cloud, DevOps
Read Time: 05:00

Multi-tenancy is frequently in the headlines these days, it is quite a hot topic in the Kubernetes world. Multi-tenancy is a complex concept in the Kubernetes context. In a simpler world, a single-tenant is hosted by all Kubernetes deployments i.e. including just one workload or an application running on the entire Kubernetes environment. However, multi-tenant Kubernetes deployments are very commonly used.

This blog will discuss the concept of Kubernetes multi-tenancy and the three tenancy models for Kubernetes.

What is Multi-Tenancy in Kubernetes?

Multi-tenant Kubernetes is a Kubernetes deployment that enables you to run multiple workloads or applications side-by-side. It allows you to run multiple workloads that belong to different entities while segregating each entity’s workload from the others.

This implies that multiple users or entities share the same cluster as well as the control plane.

Multi-tenancy architecture is common in organizations having multiple applications that run in the same environment or different teams (like developers & IT Ops) sharing the same Kubernetes environment.

The Three Tenancy Models for Kubernetes

Several teams across the organization make use of Kubernetes clusters. Kubernetes multi-tenancy models make operationalizing tenancy-related use cases easier. Let us discuss the three most common tenancy models (as a service) and the related working projects:

  1. Namespaces
    Namespaces-as-a-Service model – Here, a cluster is shared by tenants and there is a restriction to a set of Namespaces on the tenant workloads that is assigned to the tenant. There are multiple control plane resources available across all tenants which include API server & scheduler as well as worker node resources such as memory, CPU, etc.For isolating tenant workloads, each namespace should contain –

    • Role bindings to control access to the namespace
    • Network policies for preventing network traffic across tenants
    • Resource quotas for limiting the usage & ensuring fairness across tenants

This model enables tenants to share cluster-wide resources such as ClusterRoles & CRDs i.e. Custom Resource Definitions. This means that there is no creating or updating the cluster-wide resources.

With the Hierarchical Namespace Controller (HNC) project it is easy to manage namespace-based tenancy as users are allowed to create additional namespaces under a namespace and propagate resources within the namespace hierarchy.

The next project is Multi-Tenancy Benchmarks (MTB) under which benchmarks and a command-line tool are provided for performing several configurations as well as runtime checks. This is to check and report if the tenant namespaces are properly isolated and security control is implanted accordingly.

  1. Clusters
    The Clusters-as-a-Service model provides each tenant with their cluster. In this model, tenants are allowed to have multiple versions or cluster-wide resources like CRDs. Tenants are also provided with full isolation of the Kubernetes control plane.To provision, multiple workload clusters using the management cluster projects like Cluster API (CAPI) are made use of. This involves assigning a workload cluster to a tenant & allowing the tenant to have full control over cluster resources.

    In most organizations, required add-on services are managed by the central platform team. This includes services like security & monitoring. The team also takes care of cluster lifestyle management services, which include patching & upgrading. There are some restrictions on the tenant administrator for modifying these centrally managed services.

  2. Control Planes
    In this variation of the Clusters-as-a-Service model, the tenant cluster might be a virtual cluster, which provides a dedicated Kubernetes control plane to each tenant. However, they have to share worker node resources. When users of the virtual cluster fail to find differences between a virtual cluster & other Kubernetes clusters, it is referred to as CPaaS i.e. Control Planes as a Service.A virtual cluster such as this can share worker node resources as well as workload state independent control plane components. For overlaps, other workload-aware control-plane components are created on a per-tenant basis, such as an API server. For synchronizing & managing states across this per-tenant control plane, additional components are used.

    The Virtual Cluster project is used to implement this model in which multiple virtual clusters share a super-cluster. Further, to extend the work to conform to the CAPI model, the Cluster API Nested project is used. This allows you to provision & manage virtual clusters with the use of familiar API resources.

According to a survey, the production of Kubernetes usage has boosted by over 300% since 2016. As more and more Kubernetes workloads are moving to production, organizations are looking forward to improving their agility and reduce costs by sharing Kubernetes resources across their teams.

Organizations are inclined towards using multiple tenancy models to address different use cases as different product and development teams have different needs.

Final Words

Docker and Kubernetes are shaping the future of business architecture. There is a huge surge in demand for Docker and Kubernetes around the globe and organizations worldwide are wholeheartedly embracing these two major platforms for containers and microservices.

Learn Kubernetes online & upskill yourself
Enroll in Cognixia’s Docker and Kubernetes certification course and upgrade your skillset. Take a step towards shaping your career & future for the better. Get hands-on, live, interactive, instructor-led training with this Kubernetes certification course. In this competitive world, Cognixia is here to provide you with a highly immersive and hands-on online learning experience helping you enhance your knowledge with engaging training sessions and be of immense value to your organization.

This Kubernetes online training will cover basic-to-advanced-level concepts of Docker and Kubernetes. This certification course offers you an opportunity to take advantage of connecting with industry’s expert trainers, develop your competencies to meet industry & organizational standards, as well as learn about real-world best practices.

This Docker & Kubernetes Certification covers the following –

  • Essentials of Docker
  • Overview of Kubernetes
  • Minikube
  • Kubernetes Cluster
  • Overview Kubernetes Pod
  • Kubernetes Client
  • Creating and modifying ConfigMaps and Secrets
  • Replication Controller and Replica Set
  • Deployment
  • DaemonSet
  • Jobs
  • NameSpaces
  • Dashboard
  • Services
  • Exploring the Kubernetes API and Key Metadata
  • Managing Specialized Workloads
  • Volumes and configuration Data
  • Scaling
  • RBAC
  • Monitoring and logging
  • Maintenance and troubleshooting
  • The ecosystem


  • Basic command knowledge of Linux
  • Basic understanding of DevOps
  • Basic knowledge of YAML programming language (beneficial, not mandatory)
Back To Top

Fill in the Details
  • This field is for validation purposes and should be left unchanged.