Multi-Tenancy
Enterprise feature: Multi-tenancy requires a valid license key. In personal mode, all requests use the
"default"tenant.
Logical isolation and resource quotas in fungi-tenancy (11 tests).
Features
| Feature | Purpose |
|---|---|
| Tenant Namespaces | Logical isolation of pipelines and resources |
| Resource Quotas | Per-tenant limits on pipelines, throughput, state, topics |
| Tenant Context | Automatic tenant extraction from request headers |
Logical isolation — single binary, separate namespaces. For physical isolation, deploy one Fungi instance per tenant in a K8s namespace.
Configuration
tenancy:
enabled: true
default_tenant: "default"
tenants:
team-a:
name: "Team Alpha"
quotas:
max_pipelines: 10
max_throughput_mbps: 100
max_state_size_gb: 10
max_topics: 20
team-b:
name: "Team Beta"
quotas:
max_pipelines: 5
max_throughput_mbps: 50
max_state_size_gb: 5
max_topics: 10
Tenant Context
Pass tenant via header or CLI flag:
curl -H "X-Tenant-ID: team-a" http://localhost:8080/api/jobs
fungi --tenant team-a job list
Scope a pipeline to a tenant:
name: team-a-pipeline
tenant: team-a
source:
connector: kafka
bootstrap_servers: 127.0.0.1:9092
topic: team-a-events
Quotas
| Quota | Default | Description |
|---|---|---|
max_pipelines | 10 | Max pipelines per tenant |
max_throughput_mbps | 100 | Max aggregate throughput |
max_state_size_gb | 10 | Max state store size |
max_topics | 20 | Max Kafka topics |
Quota breach → 429 Too Many Requests.
Audit per Tenant
Audit log entries include tenant:
{ "timestamp": "...", "tenant": "team-a", "user": "alice", "action": "pipeline:run" }
Best Practices
- One tenant per team / product line
- Start with conservative quotas; raise on demand
- Combine with RBAC for fine-grained control
- For hard isolation, deploy one Fungi per tenant in separate K8s namespaces