Products
Edge AI
AI Training
GPU Cloud
GPU CloudBoost AI/ML training with servers powered by NVIDIA
AI Applications
Image Generator
Image GeneratorCreate realistic and stunning images with ease
Speech-to-Text Translator
Speech-to-Text TranslatorTranslate from English to Luxembourgish seamlessly
Edge Cloud
Compute
Basic VMs
Basic VMsManage workloads on affordable shared virtual servers
Virtual Machines
Virtual MachinesRun apps on customizable dedicated virtual servers
Bare Metal
Bare MetalDeploy apps on powerful dedicated physical servers
Containers
Managed Kubernetes
Managed KubernetesDeploy, manage, and scale Kubernetes clusters easily
Container as a Service
Container as a ServiceRun containerized apps without server provisioning
Function as a Service
Function as a ServiceExecute serverless code functions efficiently
Networking
Load Balancer
Load BalancerRoute traffic optimally to improve app performance
5G Network
5G NetworkDeploy apps and securely connect mobile devices via 5G
Virtual Private Cloud
Virtual Private CloudManage resources in a secure isolated private cloud
Hosting
Virtual Servers
Virtual ServersHost on virtual servers with no traffic restrictions
Dedicated Servers
Dedicated ServersHost on physical servers with worldwide availability
Storage
Object Storage
Object StorageStore data in fast and scalable S3-compatible storage
File Shares
File SharesShare files across servers easily using NFS protocol
Databases
Managed PostgreSQL
Managed PostgreSQLProvision fully managed PostgreSQL databases with ease
Monitoring
Managed Logging
Managed LoggingCollect, store, and analyze application logs
About Edge Cloud
Edge Network
Application Performance
CDN
CDNAccelerate dynamic and static content delivery
FastEdge
FastEdgeDeploy serverless apps with low-latency edge computing
Media Delivery
Video Streaming
Video StreamingDeliver high-quality live and on-demand video at scale
DNS
Managed DNS
Managed DNSEnsure application availability with authoritative DNS
Public DNS
Public DNSProtect online privacy with a free DNS resolver
About Edge Network
Edge Security
Network Security
DDoS Protection
DDoS ProtectionProtect your infrastructure from evolving DDoS attacks
Application Security
Web Application Security
Web Application SecuritySafeguard web resources against attacks and threats
WAAP
WAAPSecure apps and APIs from DDoS, bots and OWASP attacks
Solutions
By Industry
Gaming
CDN for Gaming
Game Server Protection
Game Development
Retail
CDN for E-commerce
Media & Entertainment
CDN for Video
Metaverse Streaming
TV & Online Broadcasters
Sport Broadcasting
Online Events
Financial Services
Cloud for Financial Services
Technology
Image Optimization
Web Acceleration
Wordpress CDN
Education
Online Education
By Need
Web Acceleration
Web Acceleration
Image Optimization
Wordpress CDN
Security
Game Server Protection
Video Streaming
CDN for Video
Video Hosting
Live Streaming
Video Calls
Availability
Multi-CDN
Cloud
Web Service
Game Development
Online Store
Migration to the Cloud
ERP in the Cloud
Pricing
Resources
Resources
Blog
Customer Stories
White Papers
Events
Documentation
Docs
API
Product Roadmap
Help Center
Tools
Looking Glass
Speed Test
Developer Tools
Gcore Status
Partners
Partners
Intel
Intel | New CPU Generation
Intel | Ice Lakes
Hesp
Equinix
InData Labs
Ampere
Unum
Programs
White Label Program
Referral Program
Why Gcore
Company
About Gcore
Press
Awards
Careers
Platform
Network
Infrastructure
Internet Peering Points
Compliance
Legal Information
Under attack?Under attack?
en
Contact usContact us
Contact us

Select the Gcore Platform

Recommended
Gcore Edge Solutions Go to Gcore Platform → Go to Gcore Platform →

Products:

  • Edge Delivery (CDN)
  • DNS with failover
  • Virtual Machines
  • Bare Metal
  • Cloud Load Balancers
  • Managed Kubernetes
  • AI Infrastructure
  • Edge Security (DDOS+WAF)
  • FaaS
  • Streaming
  • Object Storage
  • ImageStack (Optimize and Resize)
  • Edge Compute (Coming soon)
Show full list
Gcore Hosting Go to Gcore Hosting →
  1. Home
  2. Learning
  3. Best Practices for Multitenant SaaS Application Using Gcore Managed Kubernetes

Best Practices for Multitenant SaaS Application Using Gcore Managed Kubernetes

May 3, 2024 4 min read
Best Practices for Multitenant SaaS Application Using Gcore Managed Kubernetes

Many organizations host their software-as-a-service (SaaS) applications on a managed Kubernetes service using multitenant architecture. This architecture isolates computing, network, and storage resources, maintaining workflow security. When using multitenancy, it is important to consider the possible challenges of sharing these resources. Read on to discover the best practices and considerations for multitenant SaaS applications running on Gcore Managed Kubernetes.

What Is Multitenant Architecture?

Multitenant architecture is a design approach that allows multiple groups of users, called tenants, to access an instance of infrastructure. Tenants can be teams or individuals within an organization. This architecture is particularly beneficial for SaaS companies because it helps them scale applications efficiently and cost-effectively. There are two main benefits for it:

  • You share the same infrastructure while maintaining private and secure environments for each tenant.
  • You can focus on specific infrastructure instances or application microservices and apply effort and resources in a targeted manner rather than across the entire infrastructure.

In Kubernetes, infrastructure instances can refer to pod, storage, or network resources. They are usually organized into separate namespaces, which allows an organization to share the same cluster resources while maintaining private and secure environments for each tenant.

Practice 1: Separate Namespaces for Each Tenant

Namespaces are the primary unit of isolation in Kubernetes. Separate namespaces are essential when deploying a multitenant SaaS application, as a single cluster resource is shared among multiple tenants. Kubernetes supports creating a separate namespace for each tenant running the SaaS application, so you don’t need to create different clusters for each tenant. This ultimately results in cost savings on computing resources.

How pods and services are isolated from each other in two different namespaces
Figure 1: You can isolate different K8s resources by namespaces

Practice 2: Setting Resource Quotas on Resource Consumption

A multitenant SaaS application serves multiple tenants, each of which simultaneously accesses the same Kubernetes cluster resources. There may be scenarios where a particular tenant consumes all cluster resources, leaving no resources for other tenants. To avoid such capacity failures, use resource quotas. They allow you to limit the resources that pods or other services hosting your SaaS application can use, ensuring that a particular tenant doesn’t use all the resources.

Here is an example of a resource quota:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: resourceQuotaSetting
  namespace: tenant1
spec:
  hard:
    requests.cpu: "2"
    requests.memory: "1Gi"
    limits.cpu: "4"
    limits.memory: "2Gi"

The manifest guarantees that a container gets at least 2 CPUs but can’t use more than 4. The same logic applies to memory.

Practice 3: Network Isolation Using Network Policies

By default, a Kubernetes cluster allows namespaces to communicate with each other. However, if your SaaS application runs in a multitenant architecture, you may want to avoid this transparency and isolate your namespaces. You can do this by using network policies.

For example, you can use the Calico CNI available in Gcore Managed Kubernetes and assign network policies to pods, as shown below:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: same-namespace
  namespace: tenant-a
spec:
  podSelector:
	matchLabels:
  	app: api
  policyTypes:
  - ingress
  - egress
  ingress:
  - from:
	- namespaceSelector:
    	    matchLabels:
      	 nsname: tenant-a
  egress:
  - to:
	- namespaceSelector:
    	    matchLabels:
      	 nsname: tenant-a

Pods with the app: api label in the tenant-a namespace will only communicate within this namespace and can’t communicate with other namespaces (tenants), achieving network isolation.

If you want to use more detailed and flexible multitenant network policies, we recommend Cilium as a CNI provider, which Gcore Managed Kubernetes also supports. Cilium offers advanced networking features, including L7 policies, high-performance L4 load balancing, and no-sidecar service mesh.

Here is an example of using Cilium to specify allowed ingress traffic that goes to the ns1 namespace:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "k8s-expose-across-namespace"
  namespace: ns1
spec:
  endpointSelector:
    matchLabels:
      name: leia
  ingress:
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: ns2
        name: luke

Practice 4: Storage Isolation Using Persistent Volume and Persistent Volume Claim

With Gcore Managed Kubernetes, you can allocate and manage storage for multiple tenants using the persistent volume (PV) and persistent volume claim (PVC) API resources. A PV is a piece of storage provisioned in the cluster, while a PVC is a user’s request for that piece of storage. In our case, a user is a tenant. Since PVC is a namespaced resource, you can easily create isolation of storage among different tenants.

In the example below for tenant1, we’ve configured the PVC with only ReadWriteOnce access mode and 2 Gi of storage space.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-storage
  namespace: tenant1
spec:
  accessModes:
	- ReadWriteOnce
  resources:
	requests:
  	storage: 2Gi

Practice 5: Manage Tenant Placement on Kubernetes Nodes

Kubernetes supports taints and tolerations to manage pod placement on nodes. This ensures pods are not scheduled on inappropriate nodes. Taints applied to nodes indicate that the node should not accept pods that do not tolerate the taints. This lets you decide on which node to run—or not to run—a particular tenant’s pod. On the other hand, you can choose whether pods of different tenants should be on the same or different nodes.

The command below schedules no pods on node 1 until it matches the tolerance arguments, where the key value, client, must be tenant1:

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
   env: prod
spec:
  containers:
  - name: ubuntu
	image: ubuntu
	imagePullPolicy: IfNotPresent
tolerations:
  - key: "client"
	operator: "Equal"
	value: "tenant1"
	effect: "NoSchedule"

Gcore Managed Kubernetes

The above methods are available for SaaS applications running on Gcore Managed Kubernetes—try it out if you want a secure, high-performance, and scalable service. In addition to virtual machine-based clusters, we offer bare metal clusters, including worker nodes powered by NVIDIA GPUs for AI/ML workloads. Prices for worker nodes are the same as for our Virtual Machines and Bare Metal servers. We also provide free, production-grade cluster management with a 99.9% SLA for your peace of mind. Our engineers are always ready to help you with any challenge or ambitious project and are happy to share their expertise in multitenant best practices.

Conclusion

You have multiple options for isolating compute, network, and storage resources when running a multitenant SaaS application in Gcore Managed Kubernetes. You can share the same infrastructure with different tenants while maintaining private and secure environments for each of them. Check out these practices and let us know what you think!

Explore Gcore Managed Kubernetes

Table of contents

Try Gcore Cloud

Related articles

The Development of AI Infrastructure: Transitioning from On-Site to the Cloud and Edge
The Development of AI Infrastructure: Transitioning from On-Site to the Cloud and Edge
AI infrastructure—a backbone of modern technology—has undergone a significant transformation. Originally rooted in traditional on-premises setups, it has evolved toward...
April 26, 2024 9 min read
What is Managed Kubernetes
What is Managed Kubernetes
Managed Kubernetes services simplify the complexity of containerized environments, handling the entire lifecycle of Kubernetes clusters for businesses moving towards...
April 24, 2024 6 min read
The Complete Guide to AI Model Cycle
The Complete Guide to AI Model Cycle
In today’s competitive market, many companies are looking to leverage Artificial Intelligence to tailor services perfectly to each customer’s preferences...
April 18, 2024 5 min read
Optimizing Costs for Container-as-a-Service Architectures Using Zero Scaling
Optimizing Costs for Container-as-a-Service Architectures Using Zero Scaling
In container-as-a-service (CaaS) architectures, balancing product performance and cost optimization hinges on eliminating unnecessary cloud expenditure. One method to reduce...
April 16, 2024 6 min read
Comprehensive Guide to Multi-Layered DDoS Protection Strategies
Comprehensive Guide to Multi-Layered DDoS Protection Strategies
Distributed denial-of-service (DDoS) attacks are becoming more sophisticated, employing a multi-pronged approach to overwhelm target systems. These attacks exploit vulnerabilities...
April 11, 2024 6 min read
How to Deploy AI Models at the Edge: Its Challenges and Effective Solutions
How to Deploy AI Models at the Edge: Its Challenges and Effective Solutions
Deploying AI models at the edge brings more innovative solutions closer to where data originates—whether in retail for personalized shopping...
April 10, 2024 4 min read
How to Secure PCI DSS Compliance as a Business Owner
How to Secure PCI DSS Compliance as a Business Owner
Payment Card Industry Data Security Standard (PCI DSS) compliance is a set of mandatory practices for every business that processes credit...
April 3, 2024 7 min read
How to Protect Your APIs from Security Threats
How to Protect Your APIs from Security Threats
In the ever-evolving tech landscape, APIs stand at the forefront, allowing seamless interaction between diverse software platforms. But here’s the...
March 29, 2024 3 min read

Subscribe and discover the newest
updates, news, and features

We value your inbox and are committed to preventing spam