Multi-Tenancy

Fleet runs upstream on a manager cluster and deploys workloads downstream by impersonating a ServiceAccount on each target cluster. Tenant isolation is the question of who decides which ServiceAccount a tenant’s workloads run as, and which permissions that account holds on the downstream cluster.

Fleet answers this by drawing a clear line:

The upstream enforcement mechanism is the Policy custom resource.

A Policy lives in the same namespace as the tenant’s GitRepo, HelmOp, and Bundle resources. It carries the operator’s restrictions:

If a tenant submits a resource that violates the active Policy, the resource’s status reports the violation and no deployment proceeds. If the resource is missing a value that the Policy provides as a default, the default is applied before validation runs.

For the full field reference, see Policy Resource.

When a GitRepo, HelmOp, or Bundle deploys downstream, the Fleet agent impersonates the named ServiceAccount on the downstream cluster. The Fleet manager does not create that ServiceAccount for you — it must already exist before the deployment runs.

This is by design. The whole point of pinning a tenant to a ServiceAccount is that the downstream cluster’s RBAC on that account is the source of truth for what the tenant may do. If Fleet created the account itself, the downstream cluster would no longer be the authority — Fleet would be.

In practice, the operator is responsible for creating the ServiceAccount (plus its Role / RoleBinding) on every downstream cluster a tenant will deploy to. The Tenant Setup guide describes how to bootstrap and maintain these resources using Fleet itself — typically via a Fleet-manager-owned GitRepo from a privileged upstream namespace that targets all relevant downstream clusters.

If a tenant’s resource names a ServiceAccount that does not exist on the downstream cluster, the deployment fails with a clear error.

Policy has no field that restricts which downstream namespaces a tenant may deploy to. This is intentional: namespace restrictions are the responsibility of the downstream cluster’s RBAC on the tenant’s ServiceAccount, not of Fleet.

If a tenant should only be able to write to namespaces app-1 and app-2 on a downstream cluster, the operator expresses this as a Role granting the relevant verbs on those namespaces, bound to the tenant’s ServiceAccount. There is nothing for Policy to add — the deployment will succeed or fail based on whether the ServiceAccount has the required RBAC, which is the same outcome any other actor would observe.

Splitting the responsibility this way means downstream RBAC remains the single source of truth for downstream authority. Fleet’s job is to make sure the right ServiceAccount is used; the permissions of that ServiceAccount are the operator’s job to set.

The Policy resource declares requireServiceAccount as a distinct field rather than inferring the requirement from the presence of a default and an allow-list. The declarative form is preferred for two reasons:

The GitRepoRestriction custom resource predates Policy and is deprecated. It will be removed in a future release. Do not use it for security-sensitive setups: its repo patterns are matched unanchored, meaning a pattern like github.com/myorg also matches a URL such as https://evil.com/?ref=github.com/myorg. It also has no coverage of HelmOp or Bundle resources, so a tenant who can create those resources bypasses GitRepoRestriction entirely. Policy covers what GitRepoRestriction did for GitRepo and extends the same model to HelmOp and Bundle, with anchored regex patterns and a clearer separation between upstream enforcement and downstream authority.

Operators migrating an existing setup should follow Migration from GitRepoRestriction in the Tenant Setup guide.