Pattern: Shared Control Plane, Isolated Data Plane

Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, Railiance platform
Genesis family: Tenant isolation

Problem

Platforms often need centralized management while tenant workloads and data require stronger separation than the control plane itself.

Context

Use this pattern for SaaS management planes, tenant runtime clusters, dedicated object storage, per-tenant databases, or cell-based data planes.

Forces

  • Shared control planes reduce management overhead.
  • Tenant data planes need stronger isolation and blast-radius control.
  • Control-plane actions are high impact and must be tenant scoped.
  • Audit must explain who affected which tenant data plane.

Solution

Keep management APIs and policy orchestration in a shared control plane, but isolate tenant runtime and data paths. Every control action carries tenant, target plane, actor, policy, and audit context.
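One way to enforce the context requirement above and the checks listed under Verification, as an added example that is not part of the original pattern file. The names ControlAction, authorize, PLANES and GLOBAL_DELEGATES, the "*" marker for global state, and the sample tenants are all assumptions made for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class ControlAction:          # hypothetical envelope for one control-plane call
    actor: str                # who issued the action
    actor_tenant: str         # tenant the actor belongs to
    tenant: str               # tenant the action is scoped to ("*" = global state)
    target_plane: str         # data plane (cell, cluster, database) being changed
    operation: str
    policy: str               # policy id the decision was evaluated under

# Constructed sample state: data planes owned by each tenant, and the actors
# that hold delegation for global control-plane changes.
PLANES = {"tenant-a": {"cell-a1", "db-a"}, "tenant-b": {"cell-b1"}}
GLOBAL_DELEGATES = {"platform-admin"}

def authorize(action, audit_log):
    """Decide one control action; always record tenant and target plane."""
    delegated = action.actor in GLOBAL_DELEGATES
    if not all(asdict(action).values()):
        decision, reason = "deny", "missing context"
    elif action.tenant == "*":
        # Global state is mutable only by delegated actors.
        decision, reason = (("allow", "delegated global") if delegated
                            else ("deny", "global state not delegated"))
    elif action.actor_tenant != action.tenant and not delegated:
        # Assumption: only delegated platform actors may act across tenants.
        decision, reason = "deny", "cross-tenant action"
    elif action.target_plane not in PLANES.get(action.tenant, set()):
        decision, reason = "deny", "target plane not owned by tenant"
    else:
        decision, reason = "allow", "tenant scoped"
    # Denials are audited too, so the log explains every attempt.
    audit_log.append({**asdict(action), "decision": decision, "reason": reason})
    return decision == "allow"

if __name__ == "__main__":
    log = []
    for a in (
        ControlAction("alice", "tenant-a", "tenant-a", "cell-a1", "scale", "pol-1"),
        ControlAction("alice", "tenant-a", "tenant-b", "cell-b1", "scale", "pol-1"),
        ControlAction("alice", "tenant-a", "*", "control-plane", "set-quota", "pol-1"),
    ):
        authorize(a, log)
    for event in log:
        print(event["actor"], event["tenant"], event["target_plane"],
              event["decision"], event["reason"])
```
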

Verification

  • Tenant users cannot mutate global control-plane state unless delegated.
  • Data-plane credentials and network paths are tenant scoped.
  • Control-plane actions produce tenant and target-plane audit events.
  • A compromised tenant data plane cannot directly control another.

Related patterns

  • Tenant Isolation.
  • Cluster-per-Tenant.
  • Cell-based Architecture.
  • Tenant Data Partitioning.