Alauda Container Platform

Introduction

TOC

Product Introduction

ACP API Refiner is a data filtering service provided by the Alauda Container Platform that enhances multi-tenant security and data isolation in Kubernetes environments. It filters Kubernetes API response data based on user permissions, projects, clusters, and namespaces, while also supporting field-level filtering, inclusion, and data desensitization.

Product Advantages

The core advantages of ACP API Refiner are as follows:

  • Multi-dimensional Data Isolation

    • Supports filtering API responses based on project, cluster, and namespace dimensions
    • Ensures proper data boundaries between different tenants
    • Prevents unauthorized access to cluster-scoped resources

  • Flexible Data Filtering

    • Supports excluding, including, and desensitizing specific fields in API responses
    • Configurable filtering rules through YAML configuration
    • Dynamic generation of resource Ingress for different resource types

  • Enhanced Security

    • Implements JWT token-based user authentication
    • Provides fine-grained access control based on user permissions
    • Supports data desensitization for sensitive information

Scenarios

The main application scenarios of ACP API Refiner are as follows:

  • Multi-tenant Environment

    • Ensures proper data isolation between different tenants
    • Prevents unauthorized access to cluster-scoped resources
    • Manages shared namespace scenarios effectively

  • Sensitive Data Protection

    • Filters sensitive information from API responses
    • Supports field-level data desensitization
    • Protects sensitive metadata and annotations

  • Compliance Requirements

    • Helps meet data isolation requirements
    • Supports audit and compliance needs
    • Maintains data access boundaries

Limitations

The following limitations apply to ACP API Refiner:

  • Resources must contain specific tenant-related labels for data isolation:

    • cpaas.io/project
    • cpaas.io/cluster
    • cpaas.io/namespace
    • kubernetes.io/metadata.name
    • Optional: cpaas.io/creator

  • LabelSelector queries do not support logical OR operations

  • Platform-level userbindings are not filtered

  • Filtering is only applied to GET and LIST API operations