
Overview

This system template enables the provisioning of a Kubernetes namespace on a shared, multi-tenant cluster, offering a streamlined approach to namespace-level isolation for development and data science workloads.

The template provisions a namespace with default resource quotas for CPU and memory to ensure efficient resource usage. It also creates a new RBAC group with Namespace Admin privileges and assigns the requesting user to this group, enabling secure and scoped access to the namespace.

As part of the output, users receive a kubeconfig file with the necessary privileges, allowing secure access to the namespace for application deployment and resource management.

For detailed steps to get started, refer to the Namespace as a Service System Template Get Started Guide.


Initial Setup

The platform team is responsible for performing the initial configuration and setup of the Namespace as a Service template. The sequence diagram below outlines the high-level steps. In this process, the platform team selects the system template, configures it with predefined settings, and shares it with the appropriate project to make it available for end users.

sequenceDiagram
    participant Admin as Platform Admin
    participant Catalog as System Catalog
    participant Project as End User Project

    Admin->>Catalog: Selects Namespace Template from System Catalog
    Admin->>Project: Shares Template with Predefined Controls
    Project-->>Admin: Template Available in End User's Project

End User Flow

The end user launches a shared template, provides the required input values, and provisions a new Kubernetes namespace.

sequenceDiagram
    participant User as End User
    participant Project as Rafay Project
    participant Cluster as Host Kubernetes Cluster

    User->>Project: Launches Shared Template for Namespace
    User->>Project: Provides Required Input Values (Environment Name, Resource Quotas)
    User->>Project: Clicks "Deploy"
    Project->>Cluster: Creates a Namespace in the Designated Cluster
    Cluster-->>User: Namespace Created Successfully
    Cluster-->>User: Provides Kubeconfig File as Output

The templates are designed to support both:

  • Day 1 operations: Initial provisioning of the namespace
  • Day 2 operations: Ongoing access and management of resources within the namespace

Resources

A dedicated Kubernetes namespace created within the designated cluster, configured with default resource quotas and RBAC policies to ensure secure and scoped access for application development and management.

Pre-Requisites

  • Host Cluster: Ensure that a Kubernetes cluster is available and configured within the Rafay project for namespace provisioning.
  • Rafay Configuration: At template launch, supply the following configuration values:
    • Environment Name (used to name the namespace)
    • Resource Quota overrides (optional)
  • Agent Configuration: A configured and healthy agent must be available in the project where the template will be used. Follow these instructions to deploy a new agent. Existing agents within the project can be reused if available.

Configuration

At template launch, provide the required configuration values as exposed by the Platform Admin. This may include:

  • Namespace Configuration:
    • Environment Name: Specify a name for the namespace
    • Host Cluster Name: Select the Kubernetes cluster where the namespace will be created
    • Resource Quotas: Optionally override the default CPU and memory quotas

After entering the required information, click Deploy to initiate the namespace provisioning.


Input Variables for Namespace as a Service System Template

Cluster and Namespace Configuration

| Name | Default Value | Value Type | Description |
|---|---|---|---|
| cluster_name | resource.res-gen-kubeconfig-user.cluster_name, resource.res-gen-naas.cluster_name | string | Name of the target cluster |
| Project | resource.res-gen-naas.project | string | Associated project name |
| Namespace | resource.res-gen-naas.namespace | string | Kubernetes namespace to be created or used |
| Namespace Labels | resource.res-gen-naas.namespace_labels | map | Labels to assign to the namespace |
| Namespace Annotations | resource.res-gen-naas.namespace_annotations | map | Annotations to assign to the namespace |
| Allowed Namespaces for Network Policy | resource.res-gen-naas.allowed_namespaces_for_network_policy | list | List of namespaces allowed in network policies |
| Enable Network Policy | resource.res-gen-naas.network_policy | bool | Whether to enable network policy |
| Namespace Quota Size | resource.res-gen-naas.namespace_quota_size | string | Preset size of namespace resource quota |
| Namespace Quotas | resource.res-gen-naas.namespace_quotas | map | Custom resource quotas for the namespace |
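
For orientation, the plain Kubernetes objects that correspond to these inputs (namespace labels, quotas, the Namespace Admin group, and the network policy allow-list) look like the following. This is an added illustration, not the manifests the Rafay template generates. The names `team-a`, `team-a-admins` and `monitoring`, the quota values, and the use of the built-in `admin` ClusterRole for the Namespace Admin group are all assumptions.

```yaml
# Added illustration; all names and values below are constructed.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a              # from Environment Name (assumed value)
  labels:
    env: dev                # from Namespace Labels (assumed value)
---
apiVersion: v1
kind: ResourceQuota         # caps aggregate CPU and memory for the tenant
metadata:
  name: default-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding           # a RoleBinding (not ClusterRoleBinding) keeps access namespace-scoped
metadata:
  name: namespace-admins
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-admins     # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin               # built-in user-facing role; assumed mapping for "Namespace Admin"
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy         # default-deny ingress except same namespace and allow-listed namespaces
metadata:
  name: allow-listed-namespaces
  namespace: team-a
spec:
  podSelector: {}           # applies to every pod in the namespace
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}   # pods in team-a itself
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # one allow-listed namespace (assumed)
```

The NetworkPolicy only takes effect when the cluster's CNI plugin enforces network policies, and a ResourceQuota on `limits.*` rejects pods that do not declare limits unless a LimitRange supplies defaults.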

Authentication and Access

| Name | Default Value | Value Type | Description |
|---|---|---|---|
| Host server | resource.res-gen-naas.hserver | string | Host server endpoint |
| Client Certificate Data | resource.res-gen-naas.clientcertificatedata | string | Base64-encoded client certificate data |
| Client Key Data | resource.res-gen-naas.clientkeydata | string | Base64-encoded client private key data |
| Certificate Authority Data | resource.res-gen-naas.certificateauthoritydata | string | Base64-encoded CA certificate data |
| Kubeconfig | resource.res-gen-naas.kubeconfig | string | Full kubeconfig content |

Launch Time

The estimated time to launch a namespace as a service using this template is approximately 3 minutes.