Applying isolation

Choose an isolation level and verify the boundary it creates.

Isolation in tenantplane is explicit: an IsolationProfile compiles into concrete host objects you can inspect. This guide shows how to pick a level and verify what it produced.

Choose a level

Render a profile at the level you want and apply it:

tenantplane render isolationprofile restricted --level restricted | kubectl apply -f -

Available levels: baseline, restricted (default), and sandboxed. See the concept page for the full comparison.

Reference it from a tenant

spec:
  isolationProfileRef:
    name: restricted

Verify the boundary

After the tenant reconciles, inspect the objects the profile produced in the tenant’s namespace:

# Default-deny network policy (restricted / sandboxed)
kubectl -n team-dev get networkpolicy tenantplane-default-deny -o yaml

# Resource quota, sized from the TenantCluster's resources
kubectl -n team-dev get resourcequota tenantplane-quota

# Per-container defaults
kubectl -n team-dev get limitrange tenantplane-defaults

# Pod Security Admission labels
kubectl get namespace team-dev -o jsonpath='{.metadata.labels}' | tr ',' '\n' | grep pod-security

How the control plane stays reachable

A default-deny NetworkPolicy would normally cut off the tenant’s own API server. tenantplane labels its control-plane pods with tenantplane.io/isolation-exempt: "true", and the generated policy excludes exactly those pods — so isolation applies to workloads without breaking the control plane.

Drift correction

Isolation objects are reconciled on every pass. If someone edits the NetworkPolicy or deletes the LimitRange, the next reconcile restores it to match the profile.


Found a gap? Open an issue or PR.