homelab/traefik
1
0
Fork 0
Code Activity

Improve the K8S multi-tenancy security note

Browse source
This commit is contained in:
Nicolas Mengin 2025-12-19 08:20:04 -05:00 committed by GitHub
parent 023adeff12
commit e6b9f14022
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 13 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
docs/content/security/tls-certs-in-multi-tenant-kubernetes.md → docs/content/security/multi-tenant-kubernetes.md
View file

@ -1,13 +1,20 @@
--- ---
title: "TLS Certificates in MultiTenant Kubernetes" title: "Traefik in Multi-Tenant Kubernetes Clusterss"
description: "Isolate TLS certificates in multitenant clusters by keeping Secrets and routes in the same namespace and disabling crossnamespace lookups in Traefik. Read the technical guidelines." description: "Traefik is not recommended for multi-tenant Kubernetes clusters due to TLS certificate management and broader isolation, traffic, and security concerns. Read the technical guidelines."
--- ---
# TLS Certificates in MultiTenant Kubernetes # Traefik in Multi-Tenant Kubernetes Clusters
In a shared cluster, different teams can create `Ingress` or `IngressRoute` objects that Traefik consumes. Traefik is primarily designed as a cluster-wide ingress controller. For this reason, when using the Kubernetes `Ingress` or `IngressRoute` specifications, **it is not recommended to use Traefik in multi-tenant Kubernetes clusters**, where multiple teams or tenants share the same cluster.
Traefik does not support multi-tenancy when using the Kubernetes `Ingress` or `IngressRoute` specifications due to the way TLS certificate management is handled. The main reasons include:
* **Resource visibility and isolation**: Traefik requires cluster-level permissions and watches resources across namespaces. Misconfigurations in one tenants resources may affect others.
* **Shared CRDs**: Advanced configuration resources, like Middleware or TLSOptions, are cluster-scoped. Conflicting definitions can impact multiple tenants.
* **Traffic and availability risks**: Routing rules, middleware, or heavy traffic from one tenant can interfere with others, affecting reliability and performance.
* **Observability and privacy**: Logs, metrics, and traces are shared by default, which may expose sensitive information across tenants.
## TLS Certificates Management
At the core of this limitation is the TLS Store, which holds all the TLS certificates used by Traefik. At the core of this limitation is the TLS Store, which holds all the TLS certificates used by Traefik.
As this Store is global in Traefik, it is shared across all namespaces, meaning any `Ingress` or `IngressRoute` in the cluster can potentially reference or affect TLS configurations intended for other tenants. As this Store is global in Traefik, it is shared across all namespaces, meaning any `Ingress` or `IngressRoute` in the cluster can potentially reference or affect TLS configurations intended for other tenants.

2
docs/mkdocs.yml
View file

@ -360,7 +360,7 @@ nav:
- 'Security': - 'Security':
- 'Request Path': 'security/request-path.md' - 'Request Path': 'security/request-path.md'
- 'Content-Length': 'security/content-length.md' - 'Content-Length': 'security/content-length.md'
- 'TLS in Multi-Tenant Kubernetes': 'security/tls-certs-in-multi-tenant-kubernetes.md' - 'Multi-Tenant Kubernetes': 'security/multi-tenant-kubernetes.md'
- 'Deprecation Notices': - 'Deprecation Notices':
- 'Releases': 'deprecation/releases.md' - 'Releases': 'deprecation/releases.md'
- 'Features': 'deprecation/features.md' - 'Features': 'deprecation/features.md'