mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
36 lines
1.6 KiB
Plaintext
// Module included in the following assemblies:
//
// * security/container_security/security-platform.adoc

[id="security-platform-multi-tenancy_{context}"]
= Isolating containers with multitenancy

Multitenancy allows applications on an {product-title} cluster that are owned
by multiple users, and run across multiple hosts and namespaces,
to remain isolated from each other and from outside attacks.
You obtain multitenancy by applying role-based access control (RBAC)
to Kubernetes namespaces.

In Kubernetes, _namespaces_ are areas where applications can run
in ways that are separate from other applications.
{product-title} uses and extends namespaces by adding extra
annotations, including MCS labeling in SELinux, and identifying
these extended namespaces as _projects_. Within the scope of
a project, users can maintain their own cluster resources,
including service accounts, policies, constraints,
and various other objects.

RBAC objects are assigned to projects to authorize selected users
to have access to those projects. That authorization takes the form
of rules, roles, and bindings:

* Rules define what a user can create or access in a project.
* Roles are collections of rules that you can bind to selected users or groups.
* Bindings define the association between users or groups and roles.

Local RBAC roles and bindings attach a user or group to a
particular project. Cluster RBAC can attach cluster-wide roles and bindings
to all projects in a cluster. There are default
cluster roles that can be assigned to provide `admin`, `basic-user`, `cluster-admin`,
and `cluster-status` access.
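
The following added example, which is not part of the {product-title} documentation or code, audits local and cluster bindings to show which subjects reach which projects and to flag bindings that weaken tenant isolation. The binding objects, the `binding` helper, and all names in `SAMPLE` are constructed for illustration; the objects follow the `RoleBinding` and `ClusterRoleBinding` layout.

```python
# Added example: all binding objects below are constructed sample data.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
POWERFUL_ROLES = {"cluster-admin", "admin"}

def binding(kind, name, role, subjects, namespace=None):
    """Build a minimal RoleBinding/ClusterRoleBinding dict (hypothetical helper)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}

SAMPLE = [
    binding("RoleBinding", "team-a-admin", "admin",
            [{"kind": "User", "name": "alice"}], "team-a"),
    binding("RoleBinding", "ci-deployer", "edit",
            [{"kind": "ServiceAccount", "name": "builder", "namespace": "team-b"}], "team-a"),
    binding("RoleBinding", "everyone-view", "view",
            [{"kind": "Group", "name": "system:authenticated"}], "team-b"),
    binding("ClusterRoleBinding", "ops-root", "cluster-admin",
            [{"kind": "Group", "name": "ops"}]),
]

def subject_id(s):
    """Stable label for a subject; service accounts are namespaced."""
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount/{s.get('namespace', '?')}/{s['name']}"
    return f"{s['kind']}/{s['name']}"

def audit(bindings):
    """Return (access, findings): subject -> projects reached, plus isolation warnings."""
    access, findings = {}, []
    for b in bindings:
        ns = b["metadata"].get("namespace")  # absent on a ClusterRoleBinding
        scope = ns if b["kind"] == "RoleBinding" else "*"  # "*" means every project
        role, name = b["roleRef"]["name"], b["metadata"]["name"]
        for s in b.get("subjects") or []:
            sid = subject_id(s)
            access.setdefault(sid, set()).add(scope)
            if scope == "*" and role in POWERFUL_ROLES:
                findings.append((name, f"{sid} has {role} in all projects"))
            elif scope != "*" and s["kind"] == "ServiceAccount" and s.get("namespace") != ns:
                findings.append((name, f"{sid} crosses into project {ns}"))
            elif scope != "*" and s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
                findings.append((name, f"all of {s['name']} can reach {ns}"))
    return access, findings

if __name__ == "__main__":
    for name, msg in audit(SAMPLE)[1]:
        print(f"{name}: {msg}")
```

A local binding such as `team-a-admin` produces no finding because its subject is confined to one project; the three flagged bindings are the ones that extend access beyond a single tenant.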