Skip to content

Workspace isolation

Each workspace (tenant) is a separate Kubernetes cluster with its own Postgres, Convex backend, HashiCorp Vault, Zitadel identity plane, workflow engine file store, and persistent volumes. There is no shared database or secret store across workspaces on a host. Cluster-per-tenant is the primary segregation boundary for data, credentials, and compute.

LayerIsolation primitivePer workspace?Notes
Control planeSeparate k3d (k3s) cluster and API serverYesKubernetes API bound to localhost; not publicly reachable
ComputeSeparate Deployments and PodsYesFlow, platform-api, workflow-engine, convex-backend
DataSeparate Postgres, Convex backend, PVCsYesNo shared database; volumes on encrypted host storage
SecretsSeparate in-cluster Vault (KV fontana)YesSeeded in-cluster; no shared secrets across tenants
NetworkPer-cluster NetworkPolicy default-denyYesScoped egress per workload
IdentitySelf-hosted Zitadel per workspaceYesSSO, MFA, and RBAC scoped to the tenant
Ingress and TLSHost edge terminates TLS per hostnameYesCertificate per workspace subdomain (ACME)
Kernel and container runtimeShared host kernel and Docker daemonSharedSoft multi-tenancy boundary (see below)

Cluster-per-tenant delivers strong control-plane, RBAC, secret, and network isolation. Workspaces on the same physical host still share one Linux kernel and one container runtime, so a container escape or kernel vulnerability could theoretically affect other tenants on that box. Fontana treats this as soft multi-tenancy.

Mitigations on shared hosts include NetworkPolicy default-deny, Pod Security baseline, per-workspace Vault paths, image vulnerability scanning, and no cross-tenant secret access.

When your risk model requires hard isolation, deploy a dedicated host with a single workspace (or fewer tenants). The mechanism is the same; the blast radius is smaller because no other tenant workloads share the kernel.

A platform cluster on each host runs shared edge and stateless services: welcome gateway routing, HyperDX/OTLP collection, Gatus health probes, Docling document parsing, and OpenSandbox code execution for agent MCP tooling.

The platform cluster does not hold workspace databases, Vault secrets, or workflow datasets. Workspace clusters remain the data and secrets boundary.

Two platform services are intentionally shared across tenants. Fontana documents compensating controls for each:

ServiceWhy sharedPrimary controls
OpenSandbox MCPOne sandbox control plane per hostPer-tenant bearer auth (ForwardAuth), proxy enforces sandbox ownership fail-closed, digest-pinned base image, sandbox egress restricted to DNS
DoclingStateless PDF and office parsingNo public hostname; only workflow-engine may call the internal bridge; no durable cross-tenant store

These exceptions affect sandbox execution and in-flight document parsing only. They do not expose one workspace’s database, Vault, or workflow file store to another.

  • Blast radius - a compromise or misconfiguration in one workspace does not grant access to another cluster’s data plane through normal application paths.
  • Evidence - segregation claims map to separate clusters, Vault instances, and PVCs you can inspect during diligence.
  • Graduation path - regulated workloads that outgrow soft multi-tenancy move to a dedicated host without changing the product topology.