Namespace Isolation
Each tenant in the MATIH Platform receives a dedicated Kubernetes namespace for its Data Plane services. The namespace is the boundary at which the infrastructure-level controls are applied: resource quotas, RBAC scoping, NetworkPolicies, and pod security enforcement all attach to it. A namespace is a scoping and policy boundary, not a workload sandbox; pods from different tenants may still be scheduled onto the same nodes, so the controls below are what keep tenants apart, not the namespace object itself.
Namespace Naming
| Environment | Pattern | Example |
|---|---|---|
| Development | matih-data-plane | Single shared namespace |
| Production | matih-data-plane-{tenant-slug} | matih-data-plane-acme-corp |
Namespace Contents
Each tenant namespace contains:
| Resource Type | Examples |
|---|---|
| Deployments | AI Service, Query Engine, BI Service, and all other Data Plane services |
| Services | Kubernetes Service objects for each deployment |
| Secrets | Database credentials, API keys, TLS certificates |
| ConfigMaps | Service configuration, feature flags |
| NetworkPolicies | Ingress/egress rules for tenant isolation |
| ResourceQuotas | CPU, memory, pod, and storage limits |
| LimitRanges | Default and maximum per-pod resource limits |
| ServiceAccount | Tenant-specific service account with RBAC bindings |
ResourceQuota
Each namespace has a ResourceQuota that caps the aggregate CPU, memory, and object counts the tenant may consume, so a single tenant cannot starve the others that share the cluster's nodes:
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
  namespace: matih-data-plane-acme-corp
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "50"
    services: "20"
    persistentvolumeclaims: "10"
```

Quota values are configured per tenant tier (Free, Professional, Enterprise).
LimitRange
A LimitRange supplies default requests and limits to containers that do not declare their own and caps what any single container may ask for. The defaults are not optional hardening: once a ResourceQuota constrains requests.cpu or requests.memory, the API server rejects any pod whose containers omit those requests, and the LimitRange (a mutating admission step that runs before quota validation) is what fills them in.
```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-limits
  namespace: matih-data-plane-acme-corp
spec:
  limits:
    - type: Container
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 256Mi
      max:
        cpu: "2"
        memory: 4Gi
```

RBAC
Each tenant namespace has a dedicated ServiceAccount bound through RBAC to a deliberately small set of read permissions:
| Resource | Permission | Scope |
|---|---|---|
| Pods | get, list | Own namespace only |
| Services | get, list | Own namespace only |
| Secrets | get | Own namespace only |
| ConfigMaps | get, list | Own namespace only |
Cross-namespace access is denied. The tenant ServiceAccount cannot read resources from other tenant namespaces or the Control Plane namespace.
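The manifests below are an added illustration, not the platform's own configuration, of how the table above is expressed in Kubernetes RBAC. The ServiceAccount and Role names (`tenant-data-plane`, `tenant-data-plane-reader`) are assumed for the example. The security-relevant choice is that the grant is a namespaced Role bound by a RoleBinding: neither object can reference resources outside `matih-data-plane-acme-corp`, which is what makes the cross-namespace denial structural rather than a matter of omitting rules.

```yaml
# Added example (assumed names): ServiceAccount, Role and RoleBinding that grant
# exactly the permissions in the RBAC table. Not the platform's own manifests.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tenant-data-plane
  namespace: matih-data-plane-acme-corp
# Assumption: only pods that actually call the API opt in with
# automountServiceAccountToken: true in their pod spec.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # Role, not ClusterRole: rules cannot reach other namespaces
metadata:
  name: tenant-data-plane-reader
  namespace: matih-data-plane-acme-corp
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]              # no list: a caller must already know a Secret's name
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding               # RoleBinding, not ClusterRoleBinding: scoped to this namespace
metadata:
  name: tenant-data-plane-reader
  namespace: matih-data-plane-acme-corp
subjects:
  - kind: ServiceAccount
    name: tenant-data-plane
    namespace: matih-data-plane-acme-corp
roleRef:
  kind: Role
  name: tenant-data-plane-reader
  apiGroup: rbac.authorization.k8s.io
```

To confirm the denial from the cluster's point of view rather than by reading the manifest, impersonate the ServiceAccount with `kubectl auth can-i get secrets -n <some-other-tenant-namespace> --as=system:serviceaccount:matih-data-plane-acme-corp:tenant-data-plane`, which should answer `no`, and `kubectl auth can-i --list -n matih-data-plane-acme-corp --as=...` to see the full effective set. Any ClusterRoleBinding that names the tenant ServiceAccount would silently widen this scope, so that is the thing to grep for in audits.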
Pod Security
| Control | Policy |
|---|---|
| Run as non-root | Enforced via Pod Security Standards (Pod Security Admission) |
| Read-only root filesystem | Enabled for every service that does not need a writable root filesystem |
| Privilege escalation | Disabled (`allowPrivilegeEscalation: false`) |
| Host network | Disabled |
| Host PID | Disabled |

A read-only root filesystem is not part of any Pod Security Standards profile, so it cannot be enforced by the admission controller; it is set per container in `securityContext.readOnlyRootFilesystem`, which is why it is "where possible" rather than "enforced".
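The following is an added example, not a manifest from the platform, showing the two halves of the pod security controls above under the assumption that enforcement uses the built-in Pod Security Admission controller: the namespace carries the `restricted` labels that reject non-conforming pods, and a Deployment pod template is written to pass that profile. The Deployment name, image, and ServiceAccount name are placeholders.

```yaml
# Added example (placeholder names and image): namespace labels that enforce the
# restricted Pod Security Standard, and a pod template that satisfies it.
apiVersion: v1
kind: Namespace
metadata:
  name: matih-data-plane-acme-corp      # production naming pattern from the table above
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject violating pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # warn the client on apply
    pod-security.kubernetes.io/audit: restricted     # annotate audit log entries
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: query-engine                    # placeholder
  namespace: matih-data-plane-acme-corp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: query-engine
  template:
    metadata:
      labels:
        app: query-engine
    spec:
      serviceAccountName: tenant-data-plane   # assumed tenant ServiceAccount name
      hostNetwork: false                # restricted profile rejects true
      hostPID: false                    # restricted profile rejects true
      securityContext:
        runAsNonRoot: true              # image must not run as UID 0
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault          # required by the restricted profile
      containers:
        - name: query-engine
          image: registry.example.com/query-engine:1.0.0   # placeholder
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true    # not checked by PSA; set explicitly here
            capabilities:
              drop: ["ALL"]             # restricted profile requires dropping ALL
          volumeMounts:
            - name: tmp
              mountPath: /tmp           # scratch space since / is read-only
          resources:                    # explicit, so LimitRange defaults are not relied on
            requests: {cpu: 100m, memory: 256Mi}
            limits: {cpu: 500m, memory: 512Mi}
      volumes:
        - name: tmp
          emptyDir: {}
```

`kubectl apply --dry-run=server -f <file>` runs the manifest through admission without creating anything, so flipping `hostNetwork` to `true` or removing `allowPrivilegeEscalation: false` in a copy is a cheap way to confirm the namespace really rejects it; `--dry-run=client` would not exercise the controller and proves nothing. The `warn` and `audit` labels are worth keeping at the same level as `enforce` so that a future raise of the enforced profile can be rehearsed against live traffic first.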
Related Pages
- Network Isolation -- NetworkPolicy details
- Database Isolation -- Schema-level isolation
- Tenant Context -- Application-level isolation