Use Namespaces to separate tenant workloads - Security Practices for Multi-Tenant SaaS Applications using Amazon EKS

Use Namespaces to separate tenant workloads

Kubernetes uses namespaces as a logical partitioning system for organizing objects such as Pods and Deployments. Namespaces also operate as a privilege boundary in Kubernetes’ Role-Based Access Control (RBAC) system. For example, Pods created in namespace A do not have access to secrets in namespace B (and vice versa).

AWS advises customers to assign each tenant to their own unique namespace. When assigning privileges to tenants, ensure each tenant can only access Kubernetes objects in the tenant’s assigned namespace. Customers can automate this assignment by enabling a mutating admission webhook that requires a tenant-specific label on all customer-related objects and ensures the objects are placed in the tenant’s namespace.
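The decision logic of such a webhook, as an added example (not AWS or Kubernetes project code). It assumes a hypothetical label key `tenant` and a hypothetical naming convention in which tenant `<id>` owns namespace `tenant-<id>`; the sample request is constructed.

```python
import base64
import json

TENANT_LABEL = "tenant"  # assumed label key, not taken from the page
NS_PREFIX = "tenant-"    # assumed convention: tenant <id> owns namespace "tenant-<id>"


def deny(resp, message):
    """Mark an AdmissionReview response as rejected."""
    resp["allowed"] = False
    resp["status"] = {"code": 403, "message": message}


def review(admission_review):
    """Return the admission.k8s.io/v1 AdmissionReview response for one request."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    namespace = req.get("namespace") or ""  # empty for cluster-scoped objects
    labels = ((req.get("object") or {}).get("metadata") or {}).get("labels")
    claimed = (labels or {}).get(TENANT_LABEL)
    if claimed is not None and namespace != NS_PREFIX + claimed:
        # A tenant-labelled object may only live in that tenant's namespace.
        deny(resp, f"{TENANT_LABEL}={claimed!r} is not allowed in namespace {namespace!r}")
    elif claimed is None and namespace.startswith(NS_PREFIX):
        # Unlabelled object in a tenant namespace: stamp the owning tenant on it.
        tenant = namespace[len(NS_PREFIX):]
        if labels is None:
            ops = [{"op": "add", "path": "/metadata/labels", "value": {TENANT_LABEL: tenant}}]
        else:
            ops = [{"op": "add", "path": f"/metadata/labels/{TENANT_LABEL}", "value": tenant}]
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def sample_request(namespace, labels):
    """Constructed AdmissionReview request for a Pod named "web"."""
    meta = {"name": "web"}
    if labels is not None:
        meta["labels"] = labels
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-1", "namespace": namespace,
                        "operation": "CREATE", "object": {"metadata": meta}}}
```

In a cluster this function would sit behind an HTTPS endpoint registered through a `MutatingWebhookConfiguration`. The namespace in the request is set by the API server, so the tenant is derived from it and never from a value the tenant supplies.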