Namespace ownership

To ensure APPUiO Cloud users can create namespaces for their organizations, a Kyverno policy that validates namespace creation requests is deployed in each APPUiO Cloud zone. With this policy in place, an APPUiO Cloud user who is a member of organization purple-fox can create a namespace owned by organization purple-fox by executing

kubectl create -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: tall-grass
  labels:
    appuio.io/organization: purple-fox
EOF

Labels and Annotations

Kubernetes, various controllers, and OpenShift use labels and annotations on namespaces, such as scheduler.alpha.kubernetes.io/node-selector, to manage internal state and some advanced configuration. Such logic can have undesired effects on namespaces in an APPUiO Cloud zone, so namespace labels have to be managed using allowlists and denylists. Denylists are hard to implement, since the full set of undesired labels is not known in advance and it changes as OpenShift and Kubernetes evolve.

Allowed labels are thus explicitly tracked in an allowlist. In order to enable users to add labels to namespaces, the prefix custom.appuio.io/* was chosen for user defined labels.
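The two checks described above (the organization check on namespace creation, and the label allowlist with the custom.appuio.io/ prefix) as an added, self-contained model in Python; this is not APPUiO Cloud's Kyverno policy. It assumes that the requesting user's organizations appear as group names in the admission request's userInfo, and the allowlist of exact label keys is constructed for the example.

```python
# Added example: a model of the namespace checks, not APPUiO Cloud's Kyverno policy.
# Assumption: a user's organizations are delivered as groups in request userInfo.
ORG_LABEL = "appuio.io/organization"
CUSTOM_PREFIX = "custom.appuio.io/"
# Constructed allowlist of exact label keys (the real list may differ).
ALLOWED_LABELS = {ORG_LABEL}


def label_allowed(key, allowlist=ALLOWED_LABELS):
    """A label key is allowed if it is on the allowlist or carries the user prefix."""
    return key in allowlist or key.startswith(CUSTOM_PREFIX)


def validate_namespace(request, allowlist=ALLOWED_LABELS):
    """Return the list of violations for a namespace admission request ([] = admit)."""
    ns = request["object"]
    labels = ns.get("metadata", {}).get("labels") or {}
    groups = set(request.get("userInfo", {}).get("groups", []))
    violations = []
    org = labels.get(ORG_LABEL)
    if not org:
        violations.append(f"namespace must carry the {ORG_LABEL} label")
    elif org not in groups:
        violations.append(f"user is not a member of organization {org}")
    for key in sorted(labels):
        if not label_allowed(key, allowlist):
            violations.append(f"label {key} is not allowed; use the {CUSTOM_PREFIX} prefix")
    return violations


def constructed_request(name, labels, groups):
    """Build a minimal admission-request-shaped dict (constructed sample input)."""
    return {
        "object": {"apiVersion": "v1", "kind": "Namespace",
                   "metadata": {"name": name, "labels": labels}},
        "userInfo": {"username": "alice", "groups": groups},
    }


if __name__ == "__main__":
    ok = constructed_request("tall-grass", {ORG_LABEL: "purple-fox"}, ["purple-fox"])
    bad = constructed_request(
        "tall-grass",
        {ORG_LABEL: "purple-fox", "scheduler.alpha.kubernetes.io/node-selector": "x"},
        ["blue-heron"])
    print(validate_namespace(ok))   # []
    print(validate_namespace(bad))  # membership violation and a disallowed label
```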