Multi-tenancy in PMK


Regions, Tenants and Cloud Providers are key multi-tenancy concepts in PMK. They are used to provide logical separation and grouping of your cloud resources. Following sections describe each of them and their relationship to each other.

The following diagram describes the tenancy model and the relationship between regions, tenants, cloud providers and users. Read the following sections for a detailed understanding of each.

Multi-tenancy in PMK Overview diagram


A region in PMK is a logical construct used for grouping of resources. We recommend mapping a PMK region to a site that represents a geographical location for your organization. This site might contain a private data center or co-location hosting physical servers and other resources that you may want to use to create your Kubernetes clusters from. The users at this site may also wish to utilize local regions from one or more public clouds for additional burstable capacity. We recommend aggregating all these resources under a single PMK region construct.

For example, a Palo Alto region for an organization might consist of one or more PMK clusters created on physical machines located in the Palo Alto data center for that organization, as well as some PMK clusters created on the US-west regions of Amazon AWS public cloud. These clusters will then be used by self-service users of the organization that are located in their Palo Alto offices. The same organization might create another PMK region called WDC to map resources in their Washington DC site, and provide access to this region to the self-service users located in their WDC offices.


A tenant is a core unit of multi-tenancy within PMK. We recommend mapping a tenant to a single team in a business unit of an organization. A PMK environment can have multiple tenants. A tenant can map to one or more PMK regions.

When a new PMK account is deployed, it gets a default tenant called “service” tenant in a default region.

We recommend mapping a tenant to a team or a portion of your organization. For example, you can create a Development tenant to map to your development team, and a QA tenant to map to your QA team.

A tenant fully owns clusters and cloud providers created by an Administrator within that tenant. These resources can not be shared across tenants or regions.

Once an administrator creates a tenant, he can then map one or more users or groups to be part of that tenant.

Cloud Providers

Within a tenant, an Administrator can create one or more cloud providers to that can then be used to create clusters on private data center or public cloud. A cloud provider is owned by a tenant and can not be shared between tenants or regions.

See What Is a Cloud Provider for more info on cloud providers.