OpenShift's default OVN-Kubernetes CNI and standard Kubernetes NetworkPolicies enforce only Layer 3/4 controls (namespaces, pod labels, ports). That leaves a gap when tenants need access to a shared service but must be kept away from sensitive endpoints on the same port: a NetworkPolicy cannot distinguish GET /api/ from GET /admin/. Isovalent Networking for Kubernetes (Cilium) fills this gap by enforcing Layer 7 policy in the CNI itself, using eBPF to redirect selected flows to an embedded Envoy proxy, so no sidecars or API gateways are required. The post walks through a practical three-namespace multitenant scenario (tenant-a, tenant-b, shared-services), showing how a namespaced CiliumNetworkPolicy can restrict HTTP methods and paths (for example, allowing GET /api/ while blocking /admin/), and how the cluster-scoped CiliumClusterwideNetworkPolicy lets platform admins enforce security baselines that tenants cannot override from their own namespaces.
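The two policy kinds the post describes, as an added example that is not taken from the post or from the Cilium project: a namespaced CiliumNetworkPolicy that allows tenant-a only GET requests under /api/ on a shared HTTP service, and a CiliumClusterwideNetworkPolicy that denies every tenant namespace access to an admin port regardless of what tenants write themselves. The workload label `app: catalog`, the ports 8080 and 9090, and the policy names are assumptions.

```yaml
# Added example, not the post's own manifests. Labels, ports and names are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: tenant-a-to-catalog-api
  namespace: shared-services          # policy lives with the target workload
spec:
  endpointSelector:
    matchLabels:
      app: catalog                    # assumed label on the shared service pods
  ingress:
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: tenant-a
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        # L7 rules are an allow-list. Only requests matching an entry below
        # pass; GET /admin/... or any POST is answered with HTTP 403 by the
        # embedded Envoy proxy because nothing here matches it.
        - method: "GET"
          path: "/api/.*"
---
# Cluster-scoped baseline (no metadata.namespace). Deny rules take precedence
# over any allow rule in any namespace, which is what makes this non-bypassable,
# but deny rules are L3/L4 only: they cannot express methods or paths.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: baseline-tenants-cannot-reach-admin-port
spec:
  endpointSelector:
    matchLabels:
      k8s:io.kubernetes.pod.namespace: shared-services
  ingressDeny:
  - fromEndpoints:
    - matchExpressions:
      - key: k8s:io.kubernetes.pod.namespace
        operator: In
        values: ["tenant-a", "tenant-b"]
    toPorts:
    - ports:
      - port: "9090"                  # assumed admin/management port
        protocol: TCP
```

Two checks worth running after `kubectl apply`: a `curl` from a tenant-a pod to `/api/items` on port 8080 should succeed while `/admin/users` returns 403, and `hubble observe --verdict DROPPED` should show the 9090 attempts being dropped at L4. The HTTP rule only works on traffic the proxy can read; if the tenant talks to the service over TLS it terminates itself, Envoy sees only the TCP stream and the path filter cannot apply.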
Table of contents
OpenShift Projects and Multitenancy
When NetworkPolicies Aren't Enough
Enforcing Layer 7 Policy with Cilium
Making Policy Non-Optional
Control Without Compromise
Summary