Get Started
Overview
This self-paced guide helps you explore the platform’s capabilities for provisioning and managing isolated Kubernetes namespaces on shared, multi-tenant clusters using the Namespace as a Service template from the template catalog.
Why Use Templates for Namespace as a Service?
Templates simplify the provisioning and management of Kubernetes namespaces by offering pre-configured, customizable IaC. These templates:
- Ensure consistency and reduce the time required to set up isolated namespaces
- Enable organization administrators to enforce governance while allowing teams the flexibility to customize resource quotas
- Streamline workflows such as user onboarding, RBAC configuration, and namespace quota management
- Improve collaboration and operational efficiency on shared, multi-tenant Kubernetes clusters
Prerequisites
Before proceeding, ensure the following:
- Access to a shared Kubernetes cluster within your Rafay project where namespaces can be provisioned
- Appropriate RBAC permissions to request and manage namespaces using templates
- The Namespace as a Service template is published and available in the project’s template catalog
- A valid Rafay API Key for authenticating with the Rafay controller. Follow these instructions to generate an API key
- The host cluster where the NaaS template is deployed must use a Custom Blueprint based on the default blueprint and have OPA Gatekeeper enabled.
    Note: This is required when Org/PaaS Admins enable the "Network Policy" input variable. The solution uses OPA Gatekeeper to enforce the generated network policy if this option is selected.
- (Optional) Custom resource quota values if you intend to override the default settings during namespace provisioning
What This Template Will Do
By using this template, the following actions will be automated:
- Create a Kubernetes Namespace: A new namespace will be provisioned in the designated cluster using the specified environment name.
- Apply Default Resource Quotas: The namespace will be configured with predefined CPU and memory limits to ensure fair resource allocation.
- Set Up RBAC for Namespace Administration: A new group will be created with Namespace Admin privileges specific to the provisioned namespace.
- Grant User Access: The requesting user will automatically be added to the new RBAC group for full administrative access.
This template enables rapid, consistent provisioning of isolated Kubernetes namespaces on shared, multi-tenant clusters with minimal manual setup.
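For orientation, these are the kinds of Kubernetes objects the four actions above (plus the optional network policy) correspond to. This is an added illustration, not the template's own manifests. The names team-a, team-a-ns-admins and team-b, the quota values, and the mapping of "Namespace Admin" to the built-in admin ClusterRole are assumptions; the Gatekeeper constraint that enforces the network policy is not shown.

```yaml
# Added illustration: hypothetical names (team-a, team-a-ns-admins, team-b) and
# quota values; not the manifests the template itself generates.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# CPU and memory quota so one tenant cannot starve the shared cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
# RoleBinding, not ClusterRoleBinding: "admin" rights apply inside team-a only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-ns-admins
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-ns-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# Ingress limited to the namespace itself plus explicitly allowed namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-and-listed-namespaces
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: team-b}
```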
Part 1: Select and Share the Template
This section guides you on selecting and sharing the Namespace as a Service template with a project.
Step 1: Create a Project
- Navigate to the Home > Your Projects section
- Click Create a New Project and name it namespace-as-a-service-project for this guide
Step 2: Select and Share the Template
- As an Org Admin, go to Template Catalog
- Select the Namespace as a Service template and click Get Started
- Provide the following details:
    - A unique name for the shared template
    - A version name (e.g., 1.0)
- Select the project to share the template with (e.g., namespace-as-a-service-project) and click Continue
The platform redirects you to the Environment Template page under the selected project (namespace-as-a-service-project)
- Go to Agents and configure the required Agent to drive the workflow. Select the Agent from the dropdown list. If no Agents are shown, the Agent may need to be set up (refer to the prerequisites)
Part 2: Launch the Template to Create a Namespace as a Service
Configuration Customization
- Customize and templatize all Namespace as a Service configurations using input variables, including:
    - Cluster and Namespace Settings:
        - Target cluster and associated project
        - Namespace name, labels, and annotations
        - Preset or custom resource quotas for CPU and memory
        - Network policy settings and allowed namespaces
    - Access Control and Authentication:
        - Host server and authentication details (client certificate, key, and CA data)
        - Option to provide full kubeconfig content for access automation
- Restrict user edits for specific variables by:
    - Setting overrides to Not Allowed to prevent changes at launch time
    - Providing default values to enforce consistency across namespace provisioning requests
- Save the template as a Draft to allow ongoing edits until the configuration is finalized. Once all changes are complete, set it as an Active Version to freeze the version. Learn more about version management.
Refer to the Input Variables for more details on these configuration parameters.
Part 3: Launch the Template
Launch the template within the same project or share it with other projects for end-user access.
- Go to the Environments section within the namespace-as-a-service-project project or the shared project
- The shared template will be listed and ready for use
- Click Launch
- Provide only the configuration options exposed to the template consumer
- All other configurations are pre-configured and set as override: Not Allowed to ensure a simple and streamlined experience for the end user
Deleting/Destroying the Namespace
- Navigate to the environment where the namespace was created
- Click Destroy and confirm the action by selecting Yes
- This action will delete the namespace along with any associated resources managed as part of the namespace lifecycle
Conclusion
By following these steps, you have successfully:
- Selected and shared the template for Namespace as a Service
- Used the template to manage the lifecycle of the namespace
These templates streamline the provisioning and management of namespaces, enforce organizational policies, and provide flexibility for workload-specific requirements.