Namespaces are owned by organizations


Source

Developer or CI/CD pipeline

Stimulus

Creates a new namespace or project

Environment

Any APPUiO Zone

Artifact

kubectl, oc, or any other suitable Kubernetes client

Response

Namespace created and belongs to one of the creator’s organizations

Response measure

The organization to which the namespace belongs is granted the admin Role in the new namespace


Namespace ownership must not be tied to individuals but to the organization. We consider giving all organization members admin permissions in new namespaces to be a safe default. OpenShift’s default for projects grants admin permissions only to the creator; in contrast, our default prevents team members from being left unable to access a namespace if the namespace creator forgets to adjust the permissions.
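
The response measure above can be checked mechanically. The following is an added example, not code from APPUiO: it audits namespace and RoleBinding objects and reports namespaces where the owning organization does not hold the admin role. The label key, the convention that an organization appears as a Group subject with the organization's name, and all sample objects are assumptions constructed for illustration.

```python
# Added example: audit that namespace admin rights belong to the organization.
# Assumptions (not from the page): ownership is recorded in a namespace label,
# and the organization is bound as a Group subject named after the organization.
ORG_LABEL = "example.io/organization"  # hypothetical label key

# Constructed sample objects, shaped like items from `kubectl get ... -o json`.
NAMESPACES = [
    {"metadata": {"name": "shop-prod", "labels": {ORG_LABEL: "acme"}}},
    {"metadata": {"name": "shop-dev", "labels": {ORG_LABEL: "acme"}}},
    {"metadata": {"name": "scratch", "labels": {}}},
]
ROLEBINDINGS = [
    {"metadata": {"name": "admin", "namespace": "shop-prod"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "Group", "name": "acme"}]},
    # Creator-only binding: the situation the default is meant to prevent.
    {"metadata": {"name": "admin", "namespace": "shop-dev"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

def admin_subjects(namespace, rolebindings):
    """Return (kind, name) pairs bound to the admin ClusterRole in namespace."""
    found = set()
    for rb in rolebindings:
        if rb["metadata"].get("namespace") != namespace:
            continue
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "admin":
            continue
        for subject in rb.get("subjects") or []:
            found.add((subject.get("kind"), subject.get("name")))
    return found

def audit(namespaces, rolebindings):
    """Map namespace name to 'ok', 'no-organization' or 'org-not-admin'."""
    findings = {}
    for ns in namespaces:
        name = ns["metadata"]["name"]
        org = (ns["metadata"].get("labels") or {}).get(ORG_LABEL)
        if not org:
            findings[name] = "no-organization"
        elif ("Group", org) in admin_subjects(name, rolebindings):
            findings[name] = "ok"
        else:
            findings[name] = "org-not-admin"  # e.g. only the creator is admin
    return findings

if __name__ == "__main__":
    for ns_name, finding in audit(NAMESPACES, ROLEBINDINGS).items():
        print(f"{ns_name}: {finding}")
```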