PROFESSIONAL-CLOUD-DEVELOPER · Question #114
You are a SaaS provider deploying dedicated blogging software to customers in your Google Kubernetes Engine (GKE) cluster. You want to configure a secure multi-tenant platform to ensure that each cust
The correct answer is B. Deploy a namespace per tenant and use Network Policies in each blog deployment.. Namespaces in Kubernetes provide logical isolation between tenants - each customer's resources live in their own namespace, limiting the scope of their access and RBAC policies. Network Policies enforce L3/L4 traffic rules at the pod level, preventing pods in one tenant's namespa
Question
You are a SaaS provider deploying dedicated blogging software to customers in your Google Kubernetes Engine (GKE) cluster. You want to configure a secure multi-tenant platform to ensure that each customer has access to only their own blog and can't affect the workloads of other customers. What should you do?
Options
- AEnable Application-layer Secrets on the GKE cluster to protect the cluster.
- BDeploy a namespace per tenant and use Network Policies in each blog deployment.
- CUse GKE Audit Logging to identify malicious containers and delete them on discovery.
- DBuild a custom image of the blogging software and use Binary Authorization to prevent untrusted
How the community answered
(37 responses)- A5% (2)
- B84% (31)
- C8% (3)
- D3% (1)
Explanation
Namespaces in Kubernetes provide logical isolation between tenants - each customer's resources live in their own namespace, limiting the scope of their access and RBAC policies. Network Policies enforce L3/L4 traffic rules at the pod level, preventing pods in one tenant's namespace from communicating with pods in another's. Together, namespace-per-tenant and Network Policies are the standard Kubernetes multi-tenancy pattern, addressing both access control and workload isolation. Choice A (Application-layer Secrets Encryption) protects secrets at rest in etcd but does nothing for tenant isolation. Choice C (Audit Logging) is reactive - it detects problems after they happen but doesn't prevent them. Choice D (Binary Authorization) ensures only trusted container images run but doesn't isolate tenants from each other.
Topics
Community Discussion
No community discussion yet for this question.