As organizations adopt Kubernetes as the backbone of their internal developer platforms, security and compliance concerns grow — especially when multiple teams or workloads share the same cluster. Ensuring strong tenant isolation, consistent policy enforcement, and auditable controls becomes essential not just for security, but also for meeting compliance standards like ISO/IEC 27001, SOC 2, and GDPR.

This is where the Stakater Multi-Tenant Operator (MTO) shines.

MTO empowers our platform teams to deliver Kubernetes-as-a-Service with built-in security and compliance guardrails that scale across all tenants — without sacrificing developer velocity.

Why Security & Compliance Matter in Multi-Tenant Kubernetes

In a shared cluster environment, misconfigured access controls, missing audit logs, or lack of network isolation can quickly lead to:

• Data leaks between teams

• Privilege escalation

• Non-compliance with internal and regulatory standards

MTO helps platform teams proactively mitigate these risks using a policy-as-code approach.

1. Namespace-Based Isolation

MTO creates dedicated namespaces for each tenant, keeping them logically isolated. This forms the foundation of security:

• Workloads, secrets, and service accounts are scoped to the tenant’s namespace

• Common metadata and labels help drive policy enforcement

The Tenant CRD is used to declaratively manage this setup

2. RBAC Enforcement

MTO automatically configures namespace-scoped RBAC for every tenant, granting access only to designated users.

• Platform teams define tenant owners and roles

• MTO provisions roles and bindings as part of the tenant setup

• Admins maintain central visibility and control over all permissions

This prevents accidental or malicious cross-tenant access.

3. NetworkPolicies for Traffic Segmentation

To prevent lateral movement between tenants, MTO configures NetworkPolicies for each namespace:

• Deny-all policies by default

• Allow-listing only the necessary communication paths

• Enforced on workload creation and namespace provisioning

This ensures zero-trust network boundaries inside the cluster.

4. Pod Security Standards (PSS) Compliance

MTO supports Kubernetes’ built-in Pod Security Admission (PSA) mechanism:

• Applies labels like pod-security.kubernetes.io/enforce: restricted

• Prevents privileged containers, unsafe hostPaths, and insecure capabilities

• Aligns with industry best practices for workload hardening

This helps us meet container security benchmarks and avoid runtime risks.

5. Resource Quotas and LimitRanges

MTO assigns pre-defined Quota and LimitRange classes to every namespace:

• Prevents noisy neighbor issues

• Enforces fair and predictable resource usage

• Supports auditability for cost and risk assessments

Quotas also help us comply with internal policies for capacity planning.

6. Audit Trails and Logging Integration

MTO integrates with logging stacks like Loki and supports cluster-wide audit logging:

• Tracks tenant provisioning events

• Captures access and policy changes

• Exports logs to external SIEM platforms for compliance evidence

These logs are essential for incident response and SOC 2 audits.

7. Hibernation for Resource Control

MTO supports automatic workload hibernation through sleep/wake schedules:

• Enforces resource policies outside business hours

• Reduces the attack surface of idle services

• Improves cost and compliance posture (especially in test and staging environments)

8. Backup and Recovery with Velero

Data protection is a compliance requirement — and MTO enables namespace-level integration with tools like Velero:

• Automatic backups per tenant namespace

• Custom retention policies

• Tenant-aware recovery flows

This aligns with ISO 27001’s objectives for data availability and resilience.

9. Support for ISO 27001 and SOC 2 Controls

MTO enables the core technical controls required for compliance:

Final Thoughts

Security and compliance should never be an afterthought — especially in multi-tenant Kubernetes environments.

With MTO, we can deliver secure, scalable clusters that align with modern regulatory and internal standards. From fine-grained RBAC to observability and policy enforcement, MTO bakes governance into the platform itself.

Build trust with your security teams. Satisfy auditors with confidence. Scale with Stakater MTO.