Overview
This system template enables the provisioning of a Kubernetes namespace on a shared, multi-tenant cluster, offering a streamlined approach to namespace-level isolation for development and data science workloads.
The template provisions a namespace with default resource quotas for CPU and memory to ensure efficient resource usage. It also creates a new RBAC group with Namespace Admin privileges and assigns the requesting user to this group, enabling secure and scoped access to the namespace.
As part of the output, users receive a kubeconfig file with the necessary privileges, allowing secure access to the namespace for application deployment and resource management.
For detailed steps to get started, refer to the Namespace as a Service System Template Get Started Guide.
Initial Setup
The platform team is responsible for performing the initial configuration and setup of the Namespace as a Service template. The sequence diagram below outlines the high-level steps. In this process, the platform team selects the system template, configures it with predefined settings, and shares it with the appropriate project to make it available for end users.
```mermaid
sequenceDiagram
    participant Admin as Platform Admin
    participant Catalog as System Catalog
    participant Project as End User Project
    Admin->>Catalog: Selects Namespace Template from System Catalog
    Admin->>Project: Shares Template with Predefined Controls
    Project-->>Admin: Template Available in End User's Project
```
End User Flow
The end user launches a shared template, provides the required input values, and provisions a new Kubernetes namespace.
```mermaid
sequenceDiagram
    participant User as End User
    participant Project as Rafay Project
    participant Cluster as Host Kubernetes Cluster
    User->>Project: Launches Shared Template for Namespace
    User->>Project: Provides Required Input Values (Environment Name, Resource Quotas)
    User->>Project: Clicks "Deploy"
    Project->>Cluster: Creates a Namespace in the Designated Cluster
    Cluster-->>User: Namespace Created Successfully
    Cluster-->>User: Provides Kubeconfig File as Output
```
The templates are designed to support both:
- Day 1 operations: Initial provisioning of the namespace
- Day 2 operations: Ongoing access and management of resources within the namespace
Resources
A dedicated Kubernetes namespace created within the designated cluster, configured with default resource quotas and RBAC policies to ensure secure and scoped access for application development and management.
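Added example (not part of the Rafay template or its documentation): one way to confirm that the kubeconfig returned by the template is limited to its own namespace, using `kubectl auth can-i`. The expected answers, the file path and the `team-a` namespace are assumptions; adjust them to what your Namespace Admin role is meant to allow.

```shell
#!/bin/sh
# Added example: confirm a tenant kubeconfig is scoped to a single namespace.
# Assumes kubectl is on PATH; the path and namespace in the usage line are placeholders.

# ask KUBECONFIG ARGS...  -> prints yes, no, or error
ask() {
  cfg=$1; shift
  out=$(kubectl --kubeconfig "$cfg" auth can-i "$@" 2>/dev/null) || true
  case $out in
    yes*) echo yes ;;
    no*)  echo no ;;
    *)    echo error ;;  # empty stdout: API server unreachable or credential rejected
  esac
}

# expect WANT KUBECONFIG ARGS...  -> status 0 only when the answer equals WANT
expect() {
  want=$1; shift
  got=$(ask "$@")
  shift  # drop KUBECONFIG so only the can-i arguments are printed
  if [ "$got" = "$want" ]; then
    echo "ok    can-i $* = $got"
  else
    echo "FAIL  can-i $* = $got (expected $want)"
    return 1
  fi
}

# audit_kubeconfig KUBECONFIG NAMESPACE  -> status 0 when every check passes;
# AUDIT_FAILS holds the number of failed checks.
audit_kubeconfig() {
  AUDIT_FAILS=0
  # Inside the tenant namespace: workload management should be allowed.
  expect yes "$1" create deployments.apps -n "$2" || AUDIT_FAILS=$((AUDIT_FAILS + 1))
  expect yes "$1" get pods -n "$2"                || AUDIT_FAILS=$((AUDIT_FAILS + 1))
  # Outside it: "error" also fails, so an unreachable cluster never passes as "denied".
  expect no "$1" list namespaces                  || AUDIT_FAILS=$((AUDIT_FAILS + 1))
  expect no "$1" get nodes                        || AUDIT_FAILS=$((AUDIT_FAILS + 1))
  expect no "$1" get pods --all-namespaces        || AUDIT_FAILS=$((AUDIT_FAILS + 1))
  expect no "$1" get secrets -n kube-system       || AUDIT_FAILS=$((AUDIT_FAILS + 1))
  expect no "$1" create clusterrolebindings.rbac.authorization.k8s.io || AUDIT_FAILS=$((AUDIT_FAILS + 1))
  [ "$AUDIT_FAILS" -eq 0 ]
}

# Usage (placeholder path and namespace):
#   audit_kubeconfig ./team-a-kubeconfig.yaml team-a
```

Run it once after provisioning and again after any change to the shared template's RBAC settings; a non-zero exit status means at least one answer differed from the expected scope.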
Pre-Requisites
- Host Cluster: Ensure that a Kubernetes cluster is available and configured within the Rafay project for namespace provisioning.
- Rafay Configuration: At template launch, supply the following configuration values:
  - Environment Name (used to name the namespace)
  - Resource Quota overrides (optional)
- Agent Configuration: A configured and healthy agent must be available in the project where the template will be used. Follow these instructions to deploy a new agent. Existing agents within the project can be reused if available.
Configuration
At template launch, provide the required configuration values as exposed by the Platform Admin. This may include:
- Namespace Configuration:
  - Environment Name: Specify a name for the namespace
  - Host Cluster Name: Select the Kubernetes cluster where the namespace will be created
  - Resource Quotas: Optionally override the default CPU and memory quotas
After entering the required information, click Deploy to initiate the namespace provisioning.
Input Variables for Namespace as a Service System Template
Cluster and Namespace Configuration
| Name | Default Value | Value Type | Description |
|---|---|---|---|
| cluster_name | resource.res-gen-kubeconfig-user.cluster_name, resource.res-gen-naas.cluster_name | string | Name of the target cluster |
| Project | resource.res-gen-naas.project | string | Associated project name |
| Namespace | resource.res-gen-naas.namespace | string | Kubernetes namespace to be created or used |
| Namespace Labels | resource.res-gen-naas.namespace_labels | map | Labels to assign to the namespace |
| Namespace Annotations | resource.res-gen-naas.namespace_annotations | map | Annotations to assign to the namespace |
| Allowed Namespaces for Network Policy | resource.res-gen-naas.allowed_namespaces_for_network_policy | list | List of namespaces allowed in network policies |
| Enable Network Policy | resource.res-gen-naas.network_policy | bool | Whether to enable network policy |
| Namespace Quota Size | resource.res-gen-naas.namespace_quota_size | string | Preset size of namespace resource quota |
| Namespace Quotas | resource.res-gen-naas.namespace_quotas | map | Custom resource quotas for the namespace |
Authentication and Access
| Name | Default Value | Value Type | Description |
|---|---|---|---|
| Host server | resource.res-gen-naas.hserver | string | Host server endpoint |
| Client Certificate Data | resource.res-gen-naas.clientcertificatedata | string | Base64-encoded client certificate data |
| Client Key Data | resource.res-gen-naas.clientkeydata | string | Base64-encoded client private key data |
| Certificate Authority Data | resource.res-gen-naas.certificateauthoritydata | string | Base64-encoded CA certificate data |
| Kubeconfig | resource.res-gen-naas.kubeconfig | string | Full kubeconfig content |
Launch Time
The estimated time to launch a namespace as a service using this template is approximately 3 minutes.