
Multi Tenancy

Mission Control provides sophisticated access control mechanisms for complex deployment scenarios, particularly in Software-as-a-Service (SaaS) environments where multiple tenants or organizations share the same infrastructure. Two key features enable fine-grained access control in these scenarios: Agent-based permissions and Tag-based permissions.

Agent based permission

Mission Control often acts as a central hub receiving data from multiple agents deployed across different environments. Each agent pushes its own set of resources, including catalogs and topologies, to the central Mission Control instance. While all these resources are accessible through a unified UI portal, organizations frequently need to restrict user access to specific agent-sourced data. Agent-based ABAC addresses this requirement by allowing administrators to create permissions that reference specific agents. For example, you might have:

  • Development teams that should only access resources from their development environment agents
  • Regional teams that should only see resources from agents in their geographic location
  • Client-specific teams that should only interact with agents deployed in their infrastructure

agent-based-permission.yaml

---
# yaml-language-server: $schema=https://raw.githubusercontent.com/flanksource/mission-control/refs/heads/main/config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: demo-agent-access-to-john
spec:
  description: allow user john access to all resources push by demo agent
  subject:
    person: john@doe.com
  actions:
    - read
  object: {}
  agents:
    - 019449d5-71bd-de63-a191-c23e77b07819 # id of the demo agent

Tag based permission

Tag-based permissions provide another layer of access control granularity by allowing administrators to restrict access based on resource tags. This approach is particularly powerful for managing access in multi-cluster Kubernetes environments. Tags can represent various attributes such as:

  • Environment (production, staging, development)
  • Geographic region (us-east, eu-west, asia-pacific)
  • Business unit (finance, marketing, operations)
  • Client identifier (client-a, client-b)
  • Clusters

tag-based-permission.yaml

---
# yaml-language-server: $schema=https://raw.githubusercontent.com/flanksource/mission-control/refs/heads/main/config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: demo-cluster-access-to-john
spec:
  description: allow user john access to all resources in demo cluster
  subject:
    person: john@doe.com
  actions:
    - read
  object: {}
  tags:
    cluster: demo

Tag-based and agent-based permissions can be combined to create sophisticated access control policies that precisely match organizational requirements and security boundaries.
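
A review check for a set of Permission manifests like the two above, run before they are applied. This is an added example, not part of Mission Control or its documentation. The functions `audit_permissions` and `permission`, the `known_agents` inventory, the choice of `cluster` as the tenant-defining tag, and every manifest other than the page's two are assumptions made for illustration.

```python
from collections import defaultdict

def audit_permissions(manifests, known_agents, tenant_tag="cluster"):
    """Return sorted (name-or-person, finding) pairs for parsed Permission manifests.

    The policy is this example's assumption, not documented Mission Control
    behaviour: each Permission is scoped by an agent or a tag, each agent id is
    in the inventory, and a person holds at most one value of `tenant_tag`.
    """
    findings = []
    tenants = defaultdict(set)  # person -> values of tenant_tag granted to them
    for m in manifests:
        if m.get("kind") != "Permission":
            continue
        name = m.get("metadata", {}).get("name", "<unnamed>")
        spec = m.get("spec") or {}
        agents = spec.get("agents") or []
        tags = spec.get("tags") or {}
        person = (spec.get("subject") or {}).get("person", "<no person>")
        if not agents and not tags:
            findings.append((name, "unscoped: no agents or tags"))
        for agent in agents:
            if agent not in known_agents:
                findings.append((name, f"unknown agent id: {agent}"))
        if tenant_tag in tags:
            tenants[person].add(tags[tenant_tag])
    for person, values in tenants.items():
        if len(values) > 1:
            findings.append((person, f"spans {tenant_tag} values: {sorted(values)}"))
    return sorted(findings)

def permission(name, person, **scope):
    """Build a parsed Permission shaped like the page's YAML (scope: agents=, tags=)."""
    spec = {"subject": {"person": person}, "actions": ["read"], "object": {}, **scope}
    return {"kind": "Permission", "metadata": {"name": name}, "spec": spec}

DEMO_AGENT = "019449d5-71bd-de63-a191-c23e77b07819"  # agent id shown on the page
# Constructed sample set: the page's two manifests followed by three faulty ones.
SAMPLE = [
    permission("demo-agent-access-to-john", "john@doe.com", agents=[DEMO_AGENT]),
    permission("demo-cluster-access-to-john", "john@doe.com", tags={"cluster": "demo"}),
    permission("all-access-to-jane", "jane@example.com"),
    permission("typo-agent-access", "jane@example.com",
               agents=["00000000-0000-0000-0000-000000000000"]),
    permission("prod-cluster-access-to-john", "john@doe.com", tags={"cluster": "prod"}),
]

if __name__ == "__main__":
    for subject, finding in audit_permissions(SAMPLE, {DEMO_AGENT}):
        print(f"{subject}: {finding}")
```

To run it against real files, load each YAML document with a YAML parser and pass the resulting dictionaries as `manifests`.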