MATIH Platform is in active MVP development. Documentation reflects current implementation status.
3. Security & Multi-Tenancy
multi-tenancy
Resource Isolation

Resource Isolation

Resource isolation prevents one tenant from consuming excessive cluster resources and starving other tenants. The MATIH Platform enforces resource isolation through Kubernetes ResourceQuotas, LimitRanges, and priority classes, ensuring fair resource distribution across all tenants.

ResourceQuota Enforcement

Each tenant namespace has a ResourceQuota that sets hard limits on the total resources available:

ResourceDescriptionEnforcement Point
requests.cpuTotal CPU requested by all podsKubernetes scheduler
requests.memoryTotal memory requested by all podsKubernetes scheduler
limits.cpuMaximum CPU limit across all podsKubernetes scheduler
limits.memoryMaximum memory limit across all podsKubernetes scheduler
podsMaximum number of podsKubernetes API server
servicesMaximum number of servicesKubernetes API server
persistentvolumeclaimsMaximum storage claimsKubernetes API server

When a tenant's namespace reaches its quota, new pod creation is rejected until resources are freed.

Quota Configuration by Tier

ResourceFreeProfessionalEnterprise
CPU requests2 cores8 coresCustom
Memory requests4Gi16GiCustom
CPU limits4 cores16 coresCustom
Memory limits8Gi32GiCustom
Pods2050Custom
Services1020Custom
PVCs510Custom

Enterprise tenants can request custom quotas based on their workload requirements and SLA agreements.

LimitRange

LimitRanges provide default resource limits for individual containers and pods:

apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-limits
spec:
  limits:
    - type: Container
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 256Mi
      max:
        cpu: "2"
        memory: 4Gi
      min:
        cpu: 50m
        memory: 64Mi
SettingPurpose
defaultApplied when a container does not specify limits
defaultRequestApplied when a container does not specify requests
maxMaximum allowed per container
minMinimum required per container

Priority Classes

The platform uses Kubernetes PriorityClasses to ensure critical services are scheduled first:

Priority ClassPriority ValueServices
platform-critical1000000Control Plane services
tenant-high100000Core Data Plane services (ai, query-engine)
tenant-normal10000Other Data Plane services
tenant-low1000Background jobs, batch processing

When the cluster is under resource pressure, lower-priority pods are preempted to make room for higher-priority pods.

Resource Monitoring

MetricSourceAlert Threshold
CPU utilization per namespacePrometheus container_cpu_usage_seconds_total80% of quota
Memory utilization per namespacePrometheus container_memory_working_set_bytes85% of quota
Pod count per namespacePrometheus kube_pod_info90% of quota
Quota exhaustion eventsKubernetes eventsAny rejection

Capacity Planning

Resource quota values are derived from the tenant tier and observed workload patterns:

Workload FactorImpact on Quota
Number of active usersMore users = more concurrent requests = higher CPU
AI query volumeAI inference is CPU/memory intensive
Dashboard countMore dashboards = more concurrent queries
ML training jobsTraining requires burst compute capacity
Data volumeLarger datasets require more memory for query processing

Quota Escalation

When a tenant consistently hits their quota limits:

StepAction
1Billing service detects quota pressure via metrics
2Notification sent to tenant admin
3Tenant admin requests tier upgrade
4Platform admin approves and adjusts quota
5ResourceQuota updated in namespace (no restart required)

Burst Handling

For Enterprise tenants, the platform supports burst capacity:

FeatureDescription
Burst CPUAllow short-term CPU usage above quota (Kubernetes limits vs requests)
Auto-scalingHorizontal Pod Autoscaler within quota bounds
Queue-based overflowAI and ML requests queued when at capacity

Related Pages

Namespace IsolationRBAC Model