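# Tenant Namespaces Template
# More granular than Azure with custom resource limits per tenant tier
#
# NOTE: This is a template file. Placeholders (TENANT_ID_PLACEHOLDER,
# TENANT_TIER_PLACEHOLDER) should be replaced by automation when creating
# actual tenant namespaces. Use the tenant namespace automation script or
# controller to process this template.
#
# NOTE(review): every object below is pinned to the literal namespace
# "tenant-template"; presumably the automation rewrites that name per tenant
# as well -- confirm, otherwise quota, limits and policy all land in one
# namespace.
---
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-template
  labels:
    name: tenant-template
    # The tenant-id label is what the NetworkPolicy below selects on, so it is
    # part of the isolation boundary: restrict who may create or relabel
    # namespaces.
    tenant-id: "TENANT_ID_PLACEHOLDER"  # Replace with actual tenant ID
    # Replace with actual tier (FREE, STANDARD, ENTERPRISE, SOVEREIGN)
    tenant-tier: "TENANT_TIER_PLACEHOLDER"
    managed-by: sankofa-phoenix
---
# Resource Quota - More granular than Azure
# Caps the aggregate requests/limits and object counts for the namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
  namespace: tenant-template
spec:
  hard:
    requests.cpu: "100"  # Adjust based on tenant tier
    requests.memory: 512Gi
    limits.cpu: "200"
    limits.memory: 1Ti
    persistentvolumeclaims: "50"
    services.loadbalancers: "10"
    services.nodeports: "20"
    count/deployments.apps: "100"
    count/statefulsets.apps: "50"
---
# Limit Range - Per-container limits
# Defaults are applied to containers that declare no requests/limits, which
# also keeps them admissible under the quota above.
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-limits
  namespace: tenant-template
spec:
  limits:
    # One entry per limit type: the defaults and the min/max bounds for
    # Container were listed as two separate "type: Container" items, which
    # duplicates the type; they are merged here with the same values.
    - type: Container
      default:
        cpu: "2"
        memory: 4Gi
      defaultRequest:
        cpu: "500m"
        memory: 1Gi
      max:
        cpu: "8"
        memory: 16Gi
      min:
        cpu: "100m"
        memory: 128Mi
---
# Network Policy - Tenant isolation
# Selects every pod in the namespace (empty podSelector) and restricts both
# directions; anything not matched by a rule below is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation
  namespace: tenant-template
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Admit traffic only from namespaces of the same tenant or from the
    # namespace labelled name=system.
    # NOTE(review): these selectors trust hand-applied labels. Any namespace
    # that carries a matching tenant-id or name label is admitted; the
    # API-server-managed kubernetes.io/metadata.name label is harder to spoof
    # for the fixed system/monitoring namespaces -- confirm which is intended.
    - from:
        - namespaceSelector:
            matchLabels:
              tenant-id: "TENANT_ID_PLACEHOLDER"
        - namespaceSelector:
            matchLabels:
              name: system
  # Single egress list. The template previously declared "egress:" twice in
  # this mapping; that is a duplicate key, and parsers that accept it keep
  # only the last one, silently dropping the tenant-scoped rule.
  egress:
    # Rule 1: any port, but only towards same-tenant, system and monitoring
    # namespaces.
    - to:
        - namespaceSelector:
            matchLabels:
              tenant-id: "TENANT_ID_PLACEHOLDER"
        - namespaceSelector:
            matchLabels:
              name: system
        - namespaceSelector:
            matchLabels:
              name: monitoring
    # Rule 2: Allow DNS and external.
    # NOTE(review): an empty "to" matches every destination, in-cluster pods
    # of other tenants included, so UDP 53 and TCP 443 are not limited to
    # external addresses. Cross-tenant isolation on those ports then rests on
    # the ingress rules of this policy being present in every tenant
    # namespace. Consider an ipBlock with the cluster pod/service CIDRs
    # listed under "except" if only external HTTPS is intended.
    # NOTE(review): only UDP 53 is opened; DNS over TCP 53 (large responses)
    # is not -- confirm that is sufficient for the workloads.
    - to: []
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 443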