
Problem description

We want to run a multi-tenant scenario that requires tenant separation on a network level.

The idea is that every tenant receives a dedicated node and a dedicated network that other tenants' nodes can join. Tenant nodes should be able to interact with each other in that network.

Networks should not be able to talk with each other (true network isolation).

Are there any architectural patterns to achieve this?

  • One Kubernetes cluster per tenant?
  • One Kubernetes cluster for all tenants, with one subnet per tenant?
  • One Kubernetes cluster spanning VPCs (in AWS terms)?

Recommended answer

The regular way to deal with multi-tenancy inside Kubernetes is to use namespaces. But this is within a kube cluster, meaning you still have the same underlying networking solution shared by all tenants. That is actually fine, as you have Network Policies to restrict networking in the cluster.

You can obviously run autonomous clusters per tenant, yet this is not exactly multi-tenancy then, just multiple clusters. Networking can be configured on node level to route as expected, but you'd still be left with an issue of cross-cluster service discovery etc. Federation can help a bit with that, but I would still advise to chase the Namespaces+Policies approach.
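The namespaces-plus-policies approach the answer recommends, as an added example that is not part of the original question or answer: one namespace per tenant, a default-deny policy that blocks all ingress and egress for that namespace, and an allow rule that reopens traffic only between pods of the same namespace (plus DNS to kube-system, which the deny rule would otherwise break). The tenant name `tenant-a` is an assumption; a second tenant gets the same three objects with its own namespace name.

```yaml
# Added example, not from the original answer. Tenant name "tenant-a" is assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: tenant-a
---
# Default deny: with an empty podSelector every pod in tenant-a is selected,
# and listing both policy types with no rules means no traffic is allowed
# unless another policy in this namespace explicitly permits it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow only same-tenant traffic. A bare "podSelector: {}" inside from/to
# matches pods in the policy's own namespace, so pods in other tenant
# namespaces are still blocked by the default-deny policy above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-tenant
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}
    # Cluster DNS lives in kube-system; without this rule name resolution
    # inside the tenant namespace fails once egress is denied by default.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply with `kubectl apply -f tenant-a.yaml`, then verify from a pod in another namespace that a connection to a tenant-a pod IP times out, and from a pod inside tenant-a that the same connection succeeds. Two caveats matter in practice: NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them (Calico, Cilium and similar do; a plugin without policy support silently accepts the objects and enforces nothing), and the `kubernetes.io/metadata.name` namespace label used for the DNS rule is set automatically by the API server on Kubernetes 1.21 and later; on older clusters label kube-system yourself and select on that label instead.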


10-24 17:46