KubeSphere®️ 2020 All Rights Reserved.

Overview of Multi-tenant Management

The core of multi-tenancy is assigning the permission relationships between users and resources. For a container management platform, the main resources are compute, storage and network resources, and these are also the key resources that KubeSphere multi-tenancy governs.

In the KubeSphere multi-tenancy system, resources are divided into three levels:

  • Cluster
  • Workspace
  • Project and DevOps project

Permissions on resources at each level can be flexibly customized to define each user's permission scope, which is how resources are isolated between different users.


Authority Management Model

Common permission management models include ACL, DAC, MAC, RBAC and ABAC. KubeSphere uses the RBAC model to control users' permissions. Users are not associated with resources directly; instead, their permissions are controlled through role definitions.

Resource Hierarchy


Cluster

The cluster is the current Kubernetes cluster, which provides computing, storage, and network resources for tenants. Workspaces can be created under a cluster.


Workspace

Under a cluster, you can create workspaces to manage different projects in groups. Projects and DevOps projects can be created in workspaces.

Projects and DevOps projects

Projects and DevOps projects are the lowest level of permission management. They consume the resources of the cluster to deploy and build applications.

Multi-level Permission Control

Cluster permission control

Cluster roles define user control over cluster resources, such as nodes, monitoring, accounts, and so on.

Workspace permission control

Workspace roles define the user's control over the projects and DevOps projects in the workspace, and the management authority over workspace members.

Project and DevOps project permission control

Creators of projects and DevOps projects can share them with other users by inviting members, giving different members different roles and therefore different permissions.
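A simplified model of the three-level role scoping described above, added here as an illustration and not KubeSphere's own code. The role names, actions, workspace and project names are made up, and exact-scope matching with default deny is an assumption of the model.

```python
from collections import defaultdict
from typing import NamedTuple

# Hypothetical role catalogue: role -> (level it may be bound at, actions it grants).
ROLES = {
    "cluster-admin":    ("cluster",   {"nodes:view", "accounts:manage"}),
    "workspace-admin":  ("workspace", {"projects:create", "projects:delete", "members:invite"}),
    "project-operator": ("project",   {"workloads:view", "workloads:edit"}),
    "project-viewer":   ("project",   {"workloads:view"}),
}
# Constructed hierarchy: each project belongs to exactly one workspace.
WORKSPACE_OF = {"shop-web": "retail", "shop-db": "retail", "ledger": "finance"}

class Binding(NamedTuple):
    user: str
    role: str
    scope: str  # "cluster", a workspace name, or a project name

def validate(b):
    """Reject bindings whose scope is not at the level the role is defined for."""
    level = ROLES[b.role][0]
    valid_scopes = {"cluster": {"cluster"}, "workspace": set(WORKSPACE_OF.values()),
                    "project": set(WORKSPACE_OF)}
    return b.scope in valid_scopes[level]

def is_allowed(bindings, user, action, scope):
    """Default deny: a valid binding for this user at exactly this scope must grant the action."""
    return any(
        b.user == user and b.scope == scope and validate(b)
        and action in ROLES[b.role][1]
        for b in bindings
    )

def cross_workspace_users(bindings):
    """Audit helper: users holding roles in more than one workspace, directly or via a project."""
    reach = defaultdict(set)
    for b in bindings:
        if validate(b) and b.scope != "cluster":
            reach[b.user].add(WORKSPACE_OF.get(b.scope, b.scope))
    return {u: sorted(ws) for u, ws in reach.items() if len(ws) > 1}

# Constructed sample bindings.
BINDINGS = [
    Binding("alice", "workspace-admin", "retail"),
    Binding("bob", "project-operator", "shop-web"),
    Binding("bob", "project-viewer", "ledger"),
    Binding("dave", "workspace-admin", "shop-db"),  # invalid: workspace role bound at project scope
]
```

Running `cross_workspace_users` over an export of real bindings is a quick way to review which accounts can reach more than one tenant's resources.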

IAM Architecture

[Figure: IAM architecture]


Once you are familiar with the resource hierarchy and the permission management model, the key step in practice, for administrators at every level and for ordinary users alike, is understanding what the members and roles at each level mean and how to manage the platform's members and roles. To continue, refer to the role authorization overview.