Namespace ownership

To ensure APPUiO Cloud users can create namespaces for their organizations, a Kyverno policy that validates namespace creation requests is deployed in each APPUiO Cloud zone. With this policy in place, an APPUiO Cloud user who is a member of organization purple-fox can create a namespace owned by organization purple-fox by executing

kubectl create -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: tall-grass
  labels:
    appuio.io/organization: purple-fox
EOF

Labels and Annotations

Kubernetes, various controllers, and OpenShift use labels and annotations, for example on namespaces, to manage internal state and some advanced configuration. Such logic can have undesired effects on namespaces in an APPUiO Cloud zone, so the labels and annotations users may set have to be managed with allowlists or denylists. Denylists are hard to implement, since the full set of undesired labels is not known in advance and changes as OpenShift and Kubernetes evolve.

Allowed labels are therefore tracked explicitly in an allowlist. To still let users add their own labels to namespaces, the prefix* was chosen for user-defined labels; any label under that prefix is accepted without being listed individually.
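The two checks described above (organization ownership of the namespace, and the label allowlist with a user-defined prefix) modelled as one admission validator, added here as an illustration and not taken from the APPUiO Cloud Kyverno policies. It assumes the organization label key `appuio.io/organization`, that organization membership arrives as the requesting user's group list, and it uses a placeholder for the user-label prefix, which the page does not name.

```python
"""Model of the namespace admission checks: organization ownership plus
a label allowlist with a prefix reserved for user-defined labels."""
from dataclasses import dataclass, field

ORG_LABEL = "appuio.io/organization"        # assumed organization label key
USER_LABEL_PREFIX = "user-prefix.example/"  # placeholder for the page's prefix
# Allowlist of non-user labels a namespace may carry (constructed sample).
# The API server sets kubernetes.io/metadata.name itself, so it must be
# allowlisted or every creation request would be denied.
ALLOWED_LABELS = {ORG_LABEL, "kubernetes.io/metadata.name"}


@dataclass
class AdmissionRequest:
    user: str
    groups: frozenset          # organizations the requesting user belongs to
    namespace: str
    labels: dict = field(default_factory=dict)


def validate_namespace(req: AdmissionRequest) -> list:
    """Return an empty list if the request is admitted, else the violations."""
    errors = []
    org = req.labels.get(ORG_LABEL)
    if org is None:
        errors.append(f"namespace {req.namespace!r} has no {ORG_LABEL} label")
    elif org not in req.groups:
        errors.append(f"user {req.user!r} is not a member of organization {org!r}")
    for key in req.labels:
        if key.startswith(USER_LABEL_PREFIX):
            continue                      # user-defined labels are always fine
        if key not in ALLOWED_LABELS:
            errors.append(f"label {key!r} is not allowlisted")
    return errors


if __name__ == "__main__":
    member = frozenset({"purple-fox"})
    requests = [
        AdmissionRequest("alice", member, "tall-grass", {ORG_LABEL: "purple-fox"}),
        AdmissionRequest("alice", member, "tall-grass", {ORG_LABEL: "red-panda"}),
        AdmissionRequest("alice", member, "tall-grass",
                         {ORG_LABEL: "purple-fox", "openshift.io/run-level": "0"}),
        AdmissionRequest("alice", member, "tall-grass",
                         {ORG_LABEL: "purple-fox", USER_LABEL_PREFIX + "team": "web"}),
    ]
    for req in requests:
        print(req.labels, "->", validate_namespace(req) or "admitted")
```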