Skip to content

feat: Multi-tenant support with namespace isolation #8

Open
Open
feat: Multi-tenant support with namespace isolation#8
Labels
enhancementNew feature or requestkubernetesKubernetes relatedmulti-tenancyMulti-tenant featuresv0.3Version 0.3 features
Milestone
v0.3.0
@initcron

Description

@initcron
initcron
opened on Dec 17, 2025

Summary

Implement multi-tenant support allowing multiple teams/organizations to share a gateway with proper isolation.

Parent Epic

Part of #1 - Production Kubernetes & Container Support

Use Cases

  • Platform teams providing MCP gateway as a service
  • SaaS deployments with customer isolation
  • Enterprise multi-team environments
  • Development/staging/production separation

Architecture

┌──────────────────────────────────────────────────────────┐
│                    MCP Gateway                            │
├──────────────────────────────────────────────────────────┤
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐       │
│  │  Tenant A   │  │  Tenant B   │  │  Tenant C   │       │
│  │  (team-a)   │  │  (team-b)   │  │  (team-c)   │       │
│  ├─────────────┤  ├─────────────┤  ├─────────────┤       │
│  │ namespace:  │  │ namespace:  │  │ namespace:  │       │
│  │ mcp-team-a  │  │ mcp-team-b  │  │ mcp-team-c  │       │
│  │ catalog:    │  │ catalog:    │  │ catalog:    │       │
│  │ team-a.yaml │  │ team-b.yaml │  │ team-c.yaml │       │
│  │ quota: 5 srv│  │ quota: 10srv│  │ quota: 3 srv│       │
│  └─────────────┘  └─────────────┘  └─────────────┘       │
└──────────────────────────────────────────────────────────┘

Tenant Configuration

# tenants.yaml
tenants:
  - id: team-a
    display_name: Team Alpha
    namespace: mcp-team-a
    catalog_file: catalogs/team-a.yaml
    api_keys:
      - key_hash: "sha256:abc123..."
        name: "production"
      - key_hash: "sha256:def456..."
        name: "development"
    quotas:
      max_servers: 5
      max_concurrent_requests: 100
    
  - id: team-b
    display_name: Team Beta
    namespace: mcp-team-b
    catalog_file: catalogs/team-b.yaml
    api_keys:
      - key_hash: "sha256:xyz789..."
    quotas:
      max_servers: 10

API Changes

Tenant Identification

# Via header
X-Tenant-ID: team-a

# Via path prefix
GET /tenant/team-a/servers

# Via API key (automatic lookup)
Authorization: Bearer <team-a-api-key>

Tenant-Scoped Endpoints

GET    /tenant/{tenant_id}/servers
POST   /tenant/{tenant_id}/servers/{server_id}/mcp
GET    /tenant/{tenant_id}/metrics

Features Required

  • Tenant configuration file (tenants.yaml)
  • Per-tenant catalogs
  • Per-tenant API keys with hashed storage
  • Namespace isolation for K8s runtimes
  • Resource quotas per tenant
  • Tenant-scoped metrics
  • Hot reload of tenant configuration

Acceptance Criteria

  • Multiple tenants can be configured
  • Each tenant sees only their servers
  • API keys map to specific tenants
  • K8s resources created in tenant namespace
  • Quotas are enforced
  • Metrics are labeled by tenant

Security Considerations

  • API keys stored as secure hashes
  • Namespace RBAC prevents cross-tenant access
  • Rate limiting per tenant
  • Audit logging of tenant actions

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestkubernetesKubernetes relatedmulti-tenancyMulti-tenant featuresv0.3Version 0.3 features

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions