updates to multitenancy guidance

kaysieyu · kaysieyu · commit f380cd6c689f · 2024-02-23T12:33:21.000-08:00
diff --git a/articles/aks/best-practices-cost.md b/articles/aks/best-practices-cost.md
@@ -35,8 +35,12 @@ It's important to evaluate the resource requirements of your application prior t
 Picking the right VM SKU, regions, number of nodes, and other configuration options can be difficult upfront. [Cluster preset configurations](./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal) in the Azure portal offloads this initial challenge by providing recommended configurations for different application environments that are cost-conscious and performant. The **Dev/Test** preset is best for developing new workloads or testing existing workloads. The **Production Economy** preset is best for serving production traffic in a cost-conscious way if your workloads can tolerate interruptions. Noncritical features are off by default and the preset values can be modified at any time.
 
 ### Consider multitenancy
-Clusters and infrastructure can be shared across many teams and business units within an organization, each of whom may operate one or many workloads. Shared infrastructure reduces cluster management overhead while also improving resource utilization and cluster binpacking. This has direct cost saving implications. To learn more about multitenancy on AKS and to determine if it's right for your organizational needs, see [AKS considerations for multitenancy](/azure/architecture/guide/multitenant/service/aks).
+AKS offer flexibility in how you run multitenant clusters and isolate resources. For friendly multitenancy, clusters and infrastructure can be shared across teams and business units through [_logical isolation_](./operator-best-practices-cluster-isolation.md#logically-isolated-clusters). Kubernetes Namespaces form the logical isolation boundary for workloads and resources. Sharing infrastructure reduces cluster management overhead while also improving resource utilization and pod density within the cluster. To learn more about multitenancy on AKS and to determine if it's right for your organizational needs, see [AKS considerations for multitenancy](/azure/architecture/guide/multitenant/service/aks) and [Design clusters for multitenancy](./operator-best-practices-cluster-isolation.md#design-clusters-for-multi-tenancy).
 
+> [!WARNING]
+> Kubernetes environments aren't entirely safe for hostile multitenancy. If any tenant on the shared infrastructure can't be trusted, additional planning is needed to prevent tenants from impacting the security of other services.
+> 
+> Consider [_physical isolation_](./operator-best-practices-cluster-isolation.md#physically-isolated-clusters) boundaries. In this model, teams or workloads are assigned to their own cluster. Added management and financial overhead will be a tradeoff. 
 
 ## Build cloud native applications
 
