mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/container_security/security-platform.adoc

:_mod-docs-content-type: CONCEPT
[id="security-platform-multi-tenancy_{context}"]
= Isolating containers with multitenancy

Multitenancy allows applications on an {product-title} cluster that are owned by multiple users, and that run across multiple hosts and namespaces, to remain isolated from each other and from outside attacks. You obtain multitenancy by applying role-based access control (RBAC) to Kubernetes namespaces. RBAC governs who can create, read, and change the API objects in a namespace; the runtime separation between the containers themselves comes from the SELinux Multi-Category Security (MCS) labels that {product-title} assigns to each project.

In Kubernetes, _namespaces_ are areas where applications can run in ways that are separate from other applications. {product-title} uses and extends namespaces by adding extra annotations, including the SELinux MCS label range assigned to the namespace (the `openshift.io/sa.scc.mcs` annotation), and identifies these extended namespaces as _projects_. Within the scope of a project, users can maintain their own resources, including service accounts, policies, constraints, and various other objects, without affecting other projects.

RBAC objects are assigned to projects to authorize selected users to access those projects. That authorization takes the form of rules, roles, and bindings:

* Rules define which actions (verbs such as `get`, `list`, `create`, and `delete`) a user can perform on which resources in a project.
* Roles are collections of rules that you can bind to selected users or groups.
* Bindings define the association between users, groups, or service accounts and roles.

RBAC is additive: a binding can only grant permissions, never deny them, so a subject can do anything that any one of its bindings allows.

Local RBAC roles and bindings attach a user or group to a particular project, and their effect ends at that project's boundary. Cluster RBAC can attach cluster-wide roles and bindings to all projects in a cluster. A cluster role can also be granted through a local binding, in which case its rules apply only within that project; this is how the default `admin` role is typically handed out project by project. There are default cluster roles that can be assigned to provide `admin`, `basic-user`, `cluster-admin`, and `cluster-status` access. Because `cluster-admin` grants unrestricted access to every project, it bypasses the isolation that multitenancy is meant to provide and should be bound to as few subjects as possible.
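The rule, role, and binding model above, worked through as an added example that is not part of the OpenShift documentation or code base: a small Python model of RBAC evaluation with constructed roles, bindings, users (`alice`, `bob`, `ops-admin`) and projects (`project-a`, `project-b`, `project-c`). The `admin`, `view`, and `cluster-admin` rule sets are simplified stand-ins for the real default cluster roles, and `who_can` imitates what `oc adm policy who-can` reports. It shows that a local binding, even one that references a cluster role, confines its subject to one project, whereas a cluster-wide binding reaches every project.

```python
"""Added example, not from the OpenShift documentation: a small model of how
Kubernetes/OpenShift RBAC combines rules, roles and bindings, and why a local
RoleBinding confines a subject to one project while a ClusterRoleBinding reaches
every project. Every object, user and project name here is constructed.
"""

# Rule sets for ClusterRoles. The `admin`, `view` and `cluster-admin` entries are
# simplified stand-ins for the real default cluster roles (assumed, not copied).
CLUSTER_ROLES = {
    "admin": [
        {"apiGroups": [""], "resources": ["pods", "services", "secrets"], "verbs": ["*"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["roles", "rolebindings"], "verbs": ["*"]},
    ],
    "view": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch"]},
    ],
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# A local Role lives inside one project and can only ever be bound there.
ROLES = {
    ("project-a", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

# RoleBindings are namespaced. A RoleBinding may reference a ClusterRole, but the
# rules then apply only within that one project; this is how the default `admin`
# and `view` roles are handed out per project.
ROLE_BINDINGS = [
    {"namespace": "project-a", "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": ["alice"]},
    {"namespace": "project-a", "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": ["bob"]},
    {"namespace": "project-b", "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": ["alice"]},
]

# ClusterRoleBindings have no namespace: their rules apply in every project.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": ["ops-admin"]},
]


def _rule_matches(rule, api_group, resource, verb):
    """A rule matches when each of its three lists contains the value or '*'."""
    def allows(values, wanted):
        return "*" in values or wanted in values
    return (allows(rule["apiGroups"], api_group)
            and allows(rule["resources"], resource)
            and allows(rule["verbs"], verb))


def _rules_for(role_ref, namespace):
    """Resolve a roleRef to its rules; a Role is looked up in its own namespace."""
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return ROLES.get((namespace, role_ref["name"]), [])


def can(subject, verb, resource, namespace, api_group=""):
    """True if some binding grants `verb` on `resource` to `subject` in `namespace`.

    RBAC is purely additive: there are no deny rules, so one matching rule from
    any applicable binding is enough, and no other binding can revoke it.
    """
    applicable = [(b["roleRef"], None) for b in CLUSTER_ROLE_BINDINGS
                  if subject in b["subjects"]]
    applicable += [(b["roleRef"], b["namespace"]) for b in ROLE_BINDINGS
                   if b["namespace"] == namespace and subject in b["subjects"]]
    return any(_rule_matches(rule, api_group, resource, verb)
               for role_ref, ns in applicable
               for rule in _rules_for(role_ref, ns))


def who_can(verb, resource, namespace, api_group=""):
    """Like `oc adm policy who-can VERB RESOURCE -n NAMESPACE`: every bound
    subject that may perform the action in that project, sorted."""
    subjects = {s for b in ROLE_BINDINGS + CLUSTER_ROLE_BINDINGS for s in b["subjects"]}
    return sorted(s for s in subjects if can(s, verb, resource, namespace, api_group))


if __name__ == "__main__":
    for subject, verb, resource, ns in [
        ("alice", "delete", "pods", "project-a"),         # admin in project-a
        ("alice", "delete", "pods", "project-b"),         # only view there
        ("alice", "list", "pods", "project-c"),           # no binding at all
        ("bob", "list", "pods", "project-a"),             # local Role
        ("bob", "list", "pods", "project-b"),             # local Role does not travel
        ("ops-admin", "delete", "secrets", "project-c"),  # cluster-wide binding
    ]:
        print(f"{subject:10} {verb:7} {resource:8} in {ns}: {can(subject, verb, resource, ns)}")
    print("who can list pods in project-b:", who_can("list", "pods", "project-b"))
```

Run it directly to print the decisions. The same questions can be put to a live cluster with `oc auth can-i <verb> <resource> -n <project> --as <user>` and `oc adm policy who-can <verb> <resource> -n <project>`; auditing the `cluster-admin` bindings returned by the latter is the quickest check that a cluster's multitenancy has not been quietly undone.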