nitinjain999/platform-skills

Production-grade platform engineering handbook — Kubernetes, Terraform, Flux CD, GitHub Actions, AWS, and more.


Multi-Tenant Flux Repository

Status: Beta

A GitOps repository pattern for multiple teams sharing a single cluster, with RBAC and network isolation per tenant.

Pattern

Each tenant gets:

  • A dedicated namespace
  • A ServiceAccount scoped to that namespace
  • A Kustomization that runs as that ServiceAccount (limits the blast radius of a bad commit to the tenant namespace)
  • NetworkPolicy default-deny + allow-same-namespace

The platform team owns the cluster bootstrap and tenant onboarding. Tenant teams push to their own source repositories.

Directory structure

multi-tenant/
├── clusters/
│   └── production/
│       ├── platform.yaml        # Kustomization for ClusterRole + NetworkPolicy
│       └── tenants.yaml         # Kustomization pointing to tenants/ (dependsOn: platform)
├── tenants/
│   └── team-a/
│       ├── namespace.yaml
│       ├── serviceaccount.yaml  # Created in flux-system namespace
│       ├── rolebinding.yaml
│       ├── gitrepository.yaml
│       └── kustomization.yaml
└── platform/
    ├── kustomization.yaml       # Kustomize config listing rbac + network-policy
    ├── rbac/
    │   └── tenant-role.yaml     # ClusterRole with namespace-scoped permissions
    └── network-policy/
        └── default-deny.yaml    # Default-deny + allow-same-namespace per tenant

Key patterns

Tenant isolation via serviceAccountName

# tenants/team-a/kustomization.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: team-a
  namespace: flux-system
spec:
  interval: 10m
  prune: true
  wait: true
  timeout: 5m
  serviceAccountName: team-a          # runs as team-a SA — limits to team-a namespace
  sourceRef:
    kind: GitRepository
    name: team-a-app
  path: ./deploy

No cross-namespace references

Tenant Kustomizations must not reference resources in other tenant namespaces. Set spec.targetNamespace to the tenant's own namespace so that every namespaced object is rendered into it, and rely on the tenant ServiceAccount's RoleBinding to reject anything else (cluster-scoped objects included).
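The RBAC and NetworkPolicy objects that turn serviceAccountName into a real boundary are only named in the directory tree above. The following is an added example, not the repository's own files, of what platform/rbac/tenant-role.yaml, tenants/team-a/rolebinding.yaml and platform/network-policy/default-deny.yaml could contain; the ClusterRole name tenant-reconciler and its rule list are assumptions.

```yaml
# platform/rbac/tenant-role.yaml (assumed content)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tenant-reconciler
rules:
  # Only namespaced kinds: granted through a RoleBinding, these rights
  # never reach beyond the namespace that holds the binding.
  - apiGroups: ["", "apps", "batch", "networking.k8s.io"]
    resources: [configmaps, secrets, services, serviceaccounts, deployments,
                statefulsets, jobs, cronjobs, ingresses]
    verbs: ["*"]
---
# tenants/team-a/rolebinding.yaml (assumed content)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-reconciler
  namespace: team-a            # binding sits in the tenant namespace,
roleRef:                       # so the ClusterRole applies there only
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tenant-reconciler
subjects:
  - kind: ServiceAccount
    name: team-a               # the SA named by serviceAccountName
    namespace: flux-system     # lives next to the Kustomization, in flux-system
---
# platform/network-policy/default-deny.yaml (assumed content)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: team-a
spec:
  podSelector: {}              # selects every pod in team-a
  policyTypes: [Ingress]       # no ingress rules listed => all inbound denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector: {}      # empty selector = any pod in the same namespace
```

Adding Egress to policyTypes in the default-deny policy also cuts off DNS and all outbound traffic, so pair it with an explicit allow to kube-dns before enabling it. The kubectl auth can-i command in the Troubleshooting section below confirms that the binding grants the tenant SA rights in team-a and nowhere else.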

Tenant onboarding

To add a new tenant, copy tenants/team-a/ to tenants/<new-team>/, update namespace and names, and commit. Flux will create the namespace, RBAC, and source reconciliation automatically.

Prerequisites

  • Flux CD 2.x or Flux Operator with FluxInstance
  • flux CLI installed
  • kubectl with cluster-admin access for initial setup

Bootstrap

# Bootstrap Flux (or apply FluxInstance if using Flux Operator)
flux bootstrap github \
  --owner=my-org \
  --repository=platform-gitops \
  --branch=main \
  --path=./clusters/production

# Verify tenants are reconciling
flux get kustomizations -n flux-system | grep team-

Troubleshooting

# Check a tenant's Kustomization status
flux get kustomization team-a -n flux-system

# Check RBAC — is the ServiceAccount missing permissions?
# SA is in flux-system namespace, not the tenant namespace
kubectl auth can-i create deployments \
  --as=system:serviceaccount:flux-system:team-a -n team-a

# Check NetworkPolicy is not blocking cross-namespace traffic unexpectedly
kubectl describe networkpolicy -n team-a
