To ensure APPUiO Cloud users can create namespaces for their organizations, a Kyverno policy which validates namespace creation requests is deployed in each APPUiO Cloud zone.
With this policy in place, an APPUiO Cloud user who is a member of organization purple-fox can create a namespace belonging to organization purple-fox by executing:

kubectl create -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: tall-grass
  labels:
    appuio.io/organization: purple-fox
EOF

The policy rejects the request if the appuio.io/organization label is missing or names an organization the user does not belong to.
Kubernetes, various controllers, and OpenShift use labels and annotations on namespaces, such as scheduler.alpha.kubernetes.io/node-selector, to manage internal state and some advanced configuration. A user who can set such an annotation freely can influence platform behaviour; the node-selector annotation, for instance, is applied by the PodNodeSelector admission plugin to every pod in the namespace and could steer workloads onto nodes reserved for the platform.
Such logic can have undesired effects on namespaces in an APPUiO Cloud zone, so the labels users may set have to be restricted, either with an allowlist or with a denylist.
A denylist is hard to maintain, since the full set of undesired labels is not known in advance and changes as OpenShift and Kubernetes evolve.
Allowed labels are therefore tracked explicitly in an allowlist; any label key not on it is rejected.
To still let users attach their own labels to namespaces, the prefix custom.appuio.io/* was reserved for user-defined labels: any label key under that prefix is accepted without being listed individually, while keys outside it must appear on the allowlist.
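The following Kyverno ClusterPolicy is an added, illustrative example of the two checks described on this page (organization membership of the requester, and the label allowlist with the custom.appuio.io/ prefix). It is not the policy APPUiO Cloud deploys. It assumes that a user's organization memberships appear as groups of the same name in the admission request's userInfo (for example an OpenShift group named purple-fox), that platform administrators holding the cluster-admin ClusterRole are exempt, and that the allowlist below is a placeholder; kubernetes.io/metadata.name is on it because the API server sets that label on every namespace.

```yaml
# Example Kyverno policy (added here, not APPUiO Cloud's own policy).
# Assumption: organization membership == group membership in request.userInfo.groups.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example-validate-namespace-labels
spec:
  validationFailureAction: Enforce
  # The rules depend on request.userInfo, which is absent in background scans.
  background: false
  rules:
    - name: organization-membership
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - clusterRoles:
              - cluster-admin   # assumed exemption for platform administrators
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
      validate:
        message: >-
          The appuio.io/organization label must name an organization you are a member of.
        deny:
          conditions:
            any:
              # Deny when the label value (empty string if the label is missing)
              # is not one of the requester's groups. Groups prefixed with
              # "system:" (system:authenticated, system:masters, ...) are filtered
              # out so they cannot be passed off as organization names.
              - key: "{{ request.object.metadata.labels.\"appuio.io/organization\" || '' }}"
                operator: AnyNotIn
                value: "{{ request.userInfo.groups[?!starts_with(@, 'system:')] }}"
    - name: label-allowlist
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - clusterRoles:
              - cluster-admin
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
      validate:
        message: >-
          Only allowlisted labels and labels prefixed with custom.appuio.io/ may be set on a namespace.
        deny:
          conditions:
            any:
              # Collect every label key outside the custom.appuio.io/ prefix and
              # deny if any of them is missing from the allowlist. An empty list
              # (all labels are custom) does not trigger the deny.
              - key: "{{ request.object.metadata.labels | keys(@) | [?!starts_with(@, 'custom.appuio.io/')] }}"
                operator: AnyNotIn
                value:
                  - kubernetes.io/metadata.name   # set by the API server on every namespace
                  - appuio.io/organization
```

With this policy, the tall-grass namespace from the example above is admitted for a user in the purple-fox group, while the same manifest submitted by a user who is not in that group, or carrying an extra label such as scheduler.alpha.kubernetes.io/node-selector, is rejected with the rule's message. Filtering system: groups out of the membership check matters: without it, every authenticated user could create namespaces in a pretend organization named system:authenticated.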