googlecloudplatform/gke-multi-tenancy
skills/gke-multi-tenancy/SKILL.md
Guidance on implementing multi-tenancy and governance in Google Kubernetes Engine (GKE) clusters.
$ install --global
skillsauthnpx skillsauth add googlecloudplatform/gke-mcp gke-multi-tenancyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 7:36 AM25.0s1 file scanned
SKILL.md
- name:
- gke-multi-tenancy
- description:
- Guidance on implementing multi-tenancy and governance in Google Kubernetes Engine (GKE) clusters.
GKE Multi-tenancy and Governance
This skill provides guidance on implementing multi-tenancy and governance in Google Kubernetes Engine (GKE) clusters.
Overview
Multi-tenancy allows you to share a single GKE cluster among multiple teams or applications securely. Governance ensures that policies and resource limits are enforced.
Workflows
1. Create Namespaces for Isolation
Namespaces provide a scope for names and are the primary unit of isolation in Kubernetes.
Steps:
- Create a namespace for each tenant.
Example Namespace Manifest:
apiVersion: v1
kind: Namespace
metadata:
name: tenant-a
labels:
team: alpha
2. Configure RBAC for Least Privilege
Role-Based Access Control (RBAC) allows you to control who has access to what resources within a namespace.
Steps:
- Define a
Rolewith specific permissions. - Bind the
Roleto a user or group using aRoleBinding.
Example Role and RoleBinding Manifest:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: tenant-a
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: tenant-a
subjects:
- kind: User
name: [email protected] # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
3. Enforce Resource Quotas
Resource quotas prevent a single tenant from consuming all resources in the cluster.
Example ResourceQuota Manifest:
apiVersion: v1
kind: ResourceQuota
metadata:
name: tenant-a-quota
namespace: tenant-a
spec:
hard:
requests.cpu: "2"
requests.memory: 4Gi
limits.cpu: "4"
limits.memory: 8Gi
Best Practices
- Namespace Per Tenant: Always use separate namespaces for different teams or applications.
- Least Privilege RBAC: Grant only the permissions necessary for users and service accounts to do their jobs.
- Enforce Quotas: Use Resource Quotas to ensure fair sharing of cluster resources.
- Network Policies: Combine namespaces with Network Policies (see gke-workload-security) to restrict cross-tenant traffic.
Related Skills
googlecloudplatform/gke-ai-troubleshooting-jobset-interruption
data-ai
VerifiedTrustedCommunity
Systematically diagnose GKE JobSet interruptions, restarts, and preemptions for AI/ML training workloads. Identifies preemption events, maintenance interruptions, bad host VMs, unhealthy pods, and coordinator worker failures.
161SKILL.mdUpdated Jun 4, 2026
googlecloudplatform/gke-ai-troubleshooting-tpu-connection-failure-vbar-oom
development
VerifiedTrustedCommunity
Diagnose and prevent `vbar_control_agent` segfaults and OOMs caused by race conditions during TPU device resets and frequent metrics collection (e.g. every 3s). Use when TPU slice initialization fails or `vbar_control_agent` crashes on TPU v6e nodes.
161SKILL.mdUpdated May 5, 2026
googlecloudplatform/gke-ai-troubleshooting-skill-creation-guide
development
VerifiedTrustedCommunity
Expert instructions for building high-quality GKE troubleshooting skills. Codifies Step 0 context rules, zero-hallucination signatures, and explicit LQL/PromQL query requirements.
161SKILL.mdUpdated May 2, 2026
googlecloudplatform/gke-productionize
tools
VerifiedTrustedCommunity
Assists in preparing applications and clusters on GKE for production.
148SKILL.mdUpdated Apr 18, 2026