Flux Multi-Tenancy Quick Fix - Tenant Isolation Config

DodaTech Updated 2026-06-26 1 min read

Flux multi-tenancy isolates teams to specific namespaces with restricted permissions. Incorrect tenant configuration allows cross-namespace access or blocks legitimate operations. This guide covers the fix.

Quick Fix

Wrong

apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: team-apps
  namespace: team-a

The issue: a Kustomization in the team-a namespace can apply resources to any namespace by default. No cross-namespace restrictions are enforced.

Right

apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    toolkit.fluxcd.io/tenant: team-a  # tenant label, used for identification
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: team-apps
  namespace: team-a
spec:
  interval: 10m            # required field; the value is an assumption
  sourceRef:               # required field; the source name is a placeholder
    kind: GitRepository
    name: team-a-repo
  targetNamespace: team-a  # namespaced resources are placed in team-a
  path: ./team-a/
  prune: true

# Expected output after applying the fix
# Kustomization team-apps restricted to team-a namespace
# Resources applied only in team-a namespace
# Other namespaces protected from team-a changes
# Tenant isolation enforced

Prevention

  • Set targetNamespace on Kustomizations to restrict the deployment namespace
  • Use namespace labels to identify tenant boundaries
  • Configure the Flux controller with --watch-all-namespaces and proper RBAC
  • Use dependsOn with namespace-qualified names for cross-team dependencies
  • Audit namespace access with kubectl auth can-i commands
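
The RBAC side of this setup, as an added example that is not from the original page: targetNamespace only sets the namespace on the objects Flux applies, so the permission boundary comes from a per-tenant service account that the Kustomization names in spec.serviceAccountName. The account name team-a, the source team-a-repo, the interval and the team-b namespace in the audit command are assumptions.

```yaml
# Added example; team-a-repo and team-b are hypothetical names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-a
  namespace: team-a
---
# A RoleBinding (not a ClusterRoleBinding) grants the role inside team-a only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-reconciler
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: team-a
    namespace: team-a
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: team-apps
  namespace: team-a
spec:
  interval: 10m
  serviceAccountName: team-a   # controller impersonates this account when applying
  targetNamespace: team-a
  sourceRef:
    kind: GitRepository
    name: team-a-repo          # hypothetical source in the team-a namespace
  path: ./team-a/
  prune: true
# Audit (expect "no" for any namespace other than team-a):
#   kubectl auth can-i create deployments -n team-b \
#     --as=system:serviceaccount:team-a:team-a
```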

DodaTech Tools

Doda Browser's tenant dashboard shows namespace isolation and resource distribution. DodaZIP archives multi-tenancy configurations for compliance. Durga Antivirus Pro enforces tenant boundaries.

FAQ

How does Flux enforce multi-tenant isolation?

Flux respects Kubernetes RBAC. The service account used by Flux must have permissions only in the allowed namespaces. Cross-namespace access is controlled by RBAC rules.

Can tenants share common infrastructure?

Yes, use a shared "infrastructure" Kustomization that runs in a shared namespace, and tenant-specific Kustomizations that target their own namespaces.

What is the Flux tenant label convention?

Label namespaces with toolkit.fluxcd.io/tenant: <tenant-name> for identification. Flux does not enforce this label but it helps with auditing and organization.
