Talk

Three Shades of Isolation: A Multi-tenancy Fortress

Abstract

Multi-tenancy is a popular architectural concept in cloud native environments. For Kubernetes, it’s concerned with sharing the resources of a single cluster among multiple users, referred to as tenants, while maintaining isolation, security, and performance between them. In this talk, we present a new approach to multi-tenancy isolation that hardens tenant boundaries by providing three shades of isolation (i.e., data-plane, control-plane and network) for each tenant in a cost-effective manner using open-source technologies: K3s, KubeFlex/KubeStellar, KubeVirt and UDN/OVN-k8s. Our approach helps simplify multi-tenancy management and enforcement strategies for cluster admins. We’ll also dive into the main requirements for multi-tenancy in Kubernetes, survey the most popular models and discuss their challenges, as well as how our approach addresses them. Finally, we’ll demonstrate how to use our framework to isolate workloads, using llm-d and the vLLM production stack as case studies.