// the find
kubewharf/kubezoo
a lightweight kubernetes multi-tenancy gateway
KubeZoo is a gateway that sits in front of a Kubernetes API server and adds multi-tenancy by prefixing tenant IDs into resource names and namespaces, giving each tenant the illusion of cluster ownership without actually running separate control planes. It targets the specific scenario of many small, short-lived tenants (think serverless batch jobs) where spinning up a full cluster per tenant is operationally unreasonable. All tenants share both the control plane and data plane — isolation is view-level, not kernel-level.
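As an added illustration of the prefixing described above (not KubeZoo's own code from pkg/convert), this Go sketch rewrites tenant-visible names into a shared-cluster form and filters list responses back to one tenant's view. The Object type, the "-" separator, the six-character tenant ID rule and the sample IDs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Object is a minimal stand-in for Kubernetes object metadata (constructed).
type Object struct{ Kind, Namespace, Name string }

// Assumption: fixed-length IDs, so no tenant prefix is a prefix of another's.
var tenantID = regexp.MustCompile(`^[a-z0-9]{6}$`)

// clusterScoped kinds carry the prefix in Name; all others in Namespace.
var clusterScoped = map[string]bool{"Namespace": true, "PersistentVolume": true}

// scopedField returns the field that holds the tenant prefix for this object.
func scopedField(o *Object) *string {
	if clusterScoped[o.Kind] {
		return &o.Name
	}
	return &o.Namespace
}

// ToUpstream rewrites a tenant-visible object into its shared-cluster form.
func ToUpstream(tenant string, o Object) (Object, error) {
	if !tenantID.MatchString(tenant) {
		return Object{}, fmt.Errorf("invalid tenant ID %q", tenant)
	}
	f := scopedField(&o)
	*f = tenant + "-" + *f
	return o, nil
}

// FilterList reverses the rewrite on a list response, dropping foreign objects.
func FilterList(tenant string, upstream []Object) []Object {
	var out []Object
	for _, o := range upstream {
		if f := scopedField(&o); strings.HasPrefix(*f, tenant+"-") {
			*f = (*f)[len(tenant)+1:] // strip "<tenant>-" for the tenant's view
			out = append(out, o)
		}
	}
	return out
}

func main() {
	up, _ := ToUpstream("t1a2b3", Object{"Pod", "default", "web"})
	list := []Object{up, {"Pod", "zz9yx8-default", "db"}, {"Namespace", "", "t1a2b3-ci"}}
	fmt.Println(up, FilterList("t1a2b3", list))
}
```

The filter hides other tenants' objects at the API only; it does nothing for workloads that share nodes.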
The request/response transformation approach in pkg/convert is well-structured — each resource type gets its own converter file with tests, so the tenant prefix logic is auditable and not a single unmaintainable blob. The KAaaS model is genuinely useful for the many-small-tenants case that NaaS/CaaS/CPaaS all handle poorly. ClusterResourceQuota as a separate controller is the right call — it avoids baking quota logic into the proxy path. The documentation is honest about what the project is and is not, including a real FAQ and conformance doc.
Capped at Kubernetes 1.24 and the last commit was mid-2024 — Kubernetes is now at 1.31, so this is already two minor versions behind on a fast-moving API surface, and the project shows no sign of catching up. View-level isolation is real but shallow: a tenant with exec access to a pod is effectively on the shared data plane with other tenants, which makes this unsuitable for anything requiring genuine security boundaries. 719 stars and 57 forks after what appears to be a couple years of development is a thin community signal — adopting this means you are likely carrying it yourself. There are no integration or e2e tests visible in the tree, only unit tests in pkg/convert; for a proxy that rewrites Kubernetes API traffic, that gap is uncomfortable.