Multi-tenancy isolation based on namespaces #5041
Unanswered
ghost
asked this question in
Questions & Answers
Replies: 0 comments
Hi All,
I have a question about isolation of tenancies.
I am trying to achieve isolation based on namespaces. So the `X-Scope-OrgID` header will be set to the name of the namespace. Then Prometheus sends this header with the scraped data to Cortex.
A small overview of our current infrastructure:
We have multiple K8-clusters:
On the management cluster on which Cortex will land, we deployed all the apps which are supporting and managing the other clusters. On management we also get all the metrics data from the various exporters running on the other clusters. In addition, we have a Grafana pod running on our management cluster on which our customers can log in and see metric data.
And there is our problem: customers can also see metrics from all the namespaces, not only their own namespace. Since we deploy customers in their own namespace.
I have read that the `X-Scope-OrgID` header can be used to achieve multi-tenancy isolation. So, I want to implement a solution so that customers can only see data for their own namespace.
I have already tested it and got it working with multiple Prometheus servers (to simulate multiple tenants), but still see all the metrics from all namespaces, which is not our intention. We want to be able to use a single Prometheus in our management cluster.
So our main goal is to achieve isolation based on namespaces and not on cluster level. So, in Grafana you set the `X-Scope-OrgID` to the name of the namespace and then you'll see only the metric data for apps running in that namespace.
Is this possible with Thanos in combination with Thanos Proxy (https://github.com/IBM/ibm-grafana-ocpthanos-proxy)?