SkillRepo
Sign InSign Up
Catalog
google/gke-multitenancy

google

gke-multitenancy

Plans and configures multi-tenancy on GKE. Covers namespace isolation, RBAC planning for teams, resource quotas, LimitRanges, network isolation, and cost allocation. Use when designing GKE multi-tenancy, configuring GKE namespaces, setting up resource quotas, or isolating GKE teams. Don't use for single-tenant cluster configuration or general deployment instructions (use gke-basics or gke-app-onboarding instead).

global
New~1.3k
v1.0Saved Jun 24, 2026

GKE Multi-Tenancy

This reference covers enterprise multi-tenancy patterns on GKE, including namespace isolation, RBAC planning, resource quotas, and network segmentation.

MCP Tools: apply_k8s_manifest, get_k8s_resource, check_k8s_auth, describe_k8s_resource, delete_k8s_resource

When to Use

  • Multiple teams sharing a single GKE cluster
  • Isolating workloads by environment (dev/staging/prod) within one cluster
  • Implementing least-privilege access control
  • Cost allocation across teams or projects

Multi-Tenancy Models

Model Isolation Complexity Cost
Namespace-per-team Soft (RBAC + Low Lowest (shared
: : Network : : cluster) :
: : Policy) : : :
Namespace-per-environment Soft Low Low
Node pool-per-team Medium Medium Medium
: : (dedicated : : :
: : compute) : : :
Cluster-per-team Hard (full High Highest
: : isolation) : : :

Golden path recommendation: Start with namespace-per-team for cost efficiency. Escalate to stronger isolation only when compliance requires it.

Namespace Isolation Setup

1. Create Namespaces

kubectl create namespace team-a
kubectl create namespace team-b
kubectl label namespace team-a team=a
kubectl label namespace team-b team=b

2. RBAC Configuration

Principle: Grant minimal permissions per namespace. Never bind to system:authenticated.

# Namespace-scoped role for a team
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-developer
  namespace: team-a
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "deployments", "services", "configmaps", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers
  namespace: team-a
subjects:
- kind: Group
  name: "team-a@example.com"  # Google Group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-developer
  apiGroup: rbac.authorization.k8s.io

RBAC best practices: Use Google Groups for subject bindings. Prefer namespace-scoped Roles over ClusterRoles. See the gke-security skill for full RBAC hardening guidance.

3. Resource Quotas

Prevent any single team from consuming all cluster resources:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "10"
    requests.memory: "20Gi"
    limits.cpu: "20"
    limits.memory: "40Gi"
    pods: "50"
    services: "10"
    persistentvolumeclaims: "10"

4. LimitRanges

Set default and maximum resource constraints per container:

apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-limits
  namespace: team-a
spec:
  limits:
  - type: Container
    default:
      cpu: "500m"
      memory: "512Mi"
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"
    max:
      cpu: "4"
      memory: "8Gi"

[!IMPORTANT] Mandatory Defaults: When defining min or max limits in a LimitRange, you must also define corresponding default and defaultRequest values. If you set a min or max without defaults, any pod deployed without explicit resource requests/limits will be rejected by the admission controller.

5. Network Isolation

Apply default-deny per namespace (see the gke-security skill), then allow intra-team traffic:

# Allow same-namespace pods to talk + DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - podSelector: {}
  - to:  # Allow DNS
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53

Cost Allocation

Labels for Cost Attribution

# Label namespaces for billing
kubectl label namespace team-a cost-center=engineering
kubectl label namespace team-b cost-center=data-science

GKE Cost Allocation

Enable GKE cost allocation to break down costs by namespace and label:

gcloud container clusters update <CLUSTER_NAME> --region <REGION> \
  --enable-cost-allocation

View in Cloud Billing > GKE Cost Allocation.

Files1
1 files · 11.1 KB

Select a file to preview

Overall Score

88/100

Grade

A

Excellent

Safety

92

Quality

87

Clarity

86

Completeness

85

Summary

This skill provides enterprise-grade guidance for implementing multi-tenancy on GKE, covering namespace isolation, RBAC configuration, resource quotas, LimitRanges, network policies, and cost allocation. It uses MCP tools to help agents plan and configure isolation patterns for teams sharing a single cluster.

Detected Capabilities

apply Kubernetes manifestsread Kubernetes resourcescheck cluster authenticationdescribe Kubernetes resourcesdelete Kubernetes resourceslabel namespacesconfigure gcloud CLIplan resource allocation

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

multi-tenant gke setupgke namespace isolationkubernetes rbac planninggke resource quotasgke cost allocationteam isolation kubernetes

Risk Signals

INFO

Referenced external domain (www.apache.org) in LICENSE file only

LICENSE
INFO

No credential access, secrets exposure, or destructive operations detected

SKILL.md
INFO

All Kubernetes manifest examples are well-scoped to namespaces with explicit resource constraints

SKILL.md sections 3-4

Referenced Domains

External domains referenced in skill content, detected by static analysis.

www.apache.org

Use Cases

  • Design multi-tenant GKE clusters for shared workloads across teams
  • Implement namespace isolation with RBAC and network policies
  • Configure resource quotas and limits to prevent resource starvation
  • Set up cost attribution and billing breakdowns by team or environment
  • Scale from single-tenant to soft isolation (namespace-per-team) patterns
  • Plan stronger isolation (node pools, dedicated clusters) when compliance requires it

Quality Notes

  • Excellent scope documentation: clearly defines when to use (multi-tenant scenarios) and when NOT to use (single-tenant, general deployment)
  • Strong architectural guidance: multi-tenancy model comparison table with isolation level, complexity, and cost tradeoffs helps teams choose the right approach
  • Mandatory defaults callout for LimitRanges prevents a common Kubernetes configuration error that would reject pod deployments
  • RBAC best practices are explicit: use Google Groups, namespace-scoped Roles, minimal permissions—connects to companion `gke-security` skill for deeper hardening
  • Clear progression from namespace creation through RBAC, resource quotas, limits, and network policies creates a complete setup workflow
  • Cost allocation section includes both labeling strategy and gcloud command to enable billing integration
  • All Kubernetes manifests follow best practices: explicit namespaces, least-privilege rules, readable formatting
  • References to companion skills (`gke-security`, `gke-basics`, `gke-app-onboarding`) help users understand the broader ecosystem and avoid duplication
Model: claude-haiku-4-5-20251001Analyzed: Jun 24, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Add google/gke-multitenancy to your library

Get Started Free

Command Palette

Search for a command to run...

google/gke-multitenancy | SkillRepo