Flux Multi-Tenancy Quick Fix - Tenant Isolation Config
DodaTech
Updated 2026-06-26
Flux multi-tenancy isolates teams to specific namespaces with restricted permissions. Incorrect tenant configuration allows cross-namespace access or blocks legitimate operations. This guide covers the fix.
Quick Fix
Wrong
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: team-apps
  namespace: team-a
The issue: a Kustomization in the team-a namespace can apply resources to any namespace by default. No cross-namespace restrictions are enforced.
Right
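apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    toolkit.fluxcd.io/tenant: team-a
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: team-apps
  namespace: team-a
spec:
  interval: 10m            # required field; value is a placeholder
  sourceRef:               # required field; source name is a placeholder
    kind: GitRepository
    name: team-a
  targetNamespace: team-a  # deploy namespaced resources into team-a only
  path: ./team-a/
  prune: true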
# Expected output after applying the fix
# Kustomization team-apps restricted to team-a namespace
# Resources applied only in team-a namespace
# Other namespaces protected from team-a changes
# Tenant isolation enforced
Prevention
- Set targetNamespace on Kustomizations to restrict deployment namespace
- Use namespace labels to identify tenant boundaries
- Configure Flux controller with --watch-all-namespaces and proper RBAC
- Use dependsOn with namespace-qualified names for cross-team dependencies
- Audit namespace access with kubectl auth can-i commands
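The kubectl auth can-i audit from the last item, as an added example that is not part of the original page: a POSIX shell function that impersonates the tenant's identity and reports both cross-namespace access and blocked legitimate operations. It assumes the tenant's reconciliation runs as a ServiceAccount (hypothetical name team-a in namespace team-a); the verb and resource lists are sample values.

```shell
#!/bin/sh
# Added example: check that a tenant identity cannot act outside its namespace.
# Assumption (not from the page): the tenant's reconciliation runs as a
# ServiceAccount; the verbs and resources below are sample values.
# Usage: audit_tenant team-a team-a team-b flux-system

VERBS="create update delete"
RESOURCES="deployments secrets"

# can_i NAMESPACE:SERVICEACCOUNT TARGET_NS VERB RESOURCE
# Succeeds only when the API server answers "yes" for the impersonated subject.
can_i() {
    answer=$(kubectl auth can-i "$3" "$4" \
        --as="system:serviceaccount:$1" -n "$2" 2>/dev/null) || true
    [ "$answer" = "yes" ]
}

# audit_tenant TENANT_NS SERVICEACCOUNT OTHER_NS...
# Prints one line per finding; returns 0 when the tenant is isolated, 1 otherwise.
audit_tenant() {
    tenant_ns=$1; sa=$2; shift 2
    findings=0
    for verb in $VERBS; do
        for res in $RESOURCES; do
            # Legitimate operations in the tenant's own namespace must work.
            if ! can_i "$tenant_ns:$sa" "$tenant_ns" "$verb" "$res"; then
                echo "BLOCKED $verb $res in $tenant_ns"
                findings=$((findings + 1))
            fi
            # The same operations must be denied in every other namespace.
            for ns in "$@"; do
                if can_i "$tenant_ns:$sa" "$ns" "$verb" "$res"; then
                    echo "LEAK $verb $res in $ns"
                    findings=$((findings + 1))
                fi
            done
        done
    done
    [ "$findings" -eq 0 ]
}
```

The account running the audit needs permission to impersonate service accounts, and any LEAK line means RBAC, not targetNamespace, still has to be tightened.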
DodaTech Tools
Doda Browser's tenant dashboard shows namespace isolation and resource distribution. DodaZIP archives multi-tenancy configurations for compliance. Durga Antivirus Pro enforces tenant boundaries.