Introduction to Namespace Provisioning

The Namespace Provisioning service automates the creation and management of Kubernetes namespaces, ensuring that every new environment is secure, compliant, and ready for your applications from the moment it is created. This eliminates manual setup, reduces configuration errors, and accelerates the onboarding of new projects.

Manually configuring a new Kubernetes namespace requires repeating a complex set of tasks, from setting up security policies to configuring CI/CD integrations. This process is not only time-consuming but also prone to human error, which can lead to inconsistent environments and security vulnerabilities.

The Namespace Provisioning service solves this by providing a fully automated, template-driven workflow powered by a dedicated Kubernetes operator.

How It Works

The service is built around a custom Kubernetes operator that manages the entire lifecycle of a namespace based on a set of predefined templates. You interact with the service by creating a ProjectBootstrap custom resource in your Git repository.

This ProjectBootstrap resource references a BootstrapConfig resource, which acts as a template for the new namespace. When the operator detects a new ProjectBootstrap resource, it automatically carries out all the necessary steps to create and configure a fully functional and secure namespace according to the template.

Key Responsibilities

When you provision a new namespace using this service, the operator can automatically perform the following tasks:

  • GitOps Integration: Sets up the required Flux resources (GitRepository and Kustomization) to enable continuous delivery for the new namespace, and manages credentials for the Git server of choice.
  • Resource Quotas: Applies default resource quotas (ResourceQuota) to ensure fair resource allocation and prevent any single project from impacting the entire cluster.
  • Secure Networking: Enforces baseline network policies (NetworkPolicy) to implement a secure default-deny network model for the new namespace.
  • Access Control: Configures standard roles and role bindings (Role, RoleBinding) to define default access permissions for teams and service accounts. If Keycloak is running as the identity provider (IdP), it also provisions roles and bindings there.
  • Secrets Management: Sets up the necessary configuration for External Secrets, allowing applications to securely consume credentials from your secrets provider.
  • Database Provisioning: Can automate the creation and configuration of required databases for applications within the namespace.
  • Observability & Telemetry: Configures default settings for OpenTelemetry and Istio to ensure that applications are automatically integrated with the platform's observability and service mesh capabilities.
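
A check for three of the baseline controls listed above, as an added example that is not the service's own code: given the objects found in a namespace, it reports which of the ResourceQuota, default-deny NetworkPolicy and RoleBinding baselines are missing. The sample objects and the names `team-a` and `team-b` are constructed, and since the page does not show the operator's policies, the check assumes the standard Kubernetes default-deny shape (a policy that selects every pod and allows nothing) in both directions.

```python
def is_default_deny(policy, direction):
    """True if the NetworkPolicy selects every pod and allows nothing for
    `direction` ("Ingress" or "Egress")."""
    spec = policy.get("spec", {})
    sel = spec.get("podSelector")
    selects_all = (sel is not None and not sel.get("matchLabels")
                   and not sel.get("matchExpressions"))
    # When policyTypes is omitted, the API server always applies Ingress.
    types = spec.get("policyTypes") or ["Ingress"]
    return selects_all and direction in types and not spec.get(direction.lower())


def audit_namespace(namespace, objects):
    """Return the baseline controls missing from `namespace` (empty list = OK)."""
    in_ns = [o for o in objects if o.get("metadata", {}).get("namespace") == namespace]
    kinds = lambda kind: [o for o in in_ns if o.get("kind") == kind]
    missing = []
    if not any(q.get("spec", {}).get("hard") for q in kinds("ResourceQuota")):
        missing.append("ResourceQuota with hard limits")
    for direction in ("Ingress", "Egress"):
        if not any(is_default_deny(p, direction) for p in kinds("NetworkPolicy")):
            missing.append(f"default-deny {direction} NetworkPolicy")
    if not kinds("RoleBinding"):
        missing.append("RoleBinding")
    return missing


def meta(name, ns):
    return {"name": name, "namespace": ns}

# Constructed sample objects (parsed manifests); all names are hypothetical.
SAMPLE = [
    {"kind": "ResourceQuota", "metadata": meta("default", "team-a"),
     "spec": {"hard": {"requests.cpu": "4", "requests.memory": "8Gi"}}},
    {"kind": "NetworkPolicy", "metadata": meta("default-deny", "team-a"),
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "RoleBinding", "metadata": meta("team-a-edit", "team-a")},
    # team-b: its only policy is an allow rule for one app, and it has no quota.
    {"kind": "NetworkPolicy", "metadata": meta("allow-web", "team-b"),
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Ingress"], "ingress": [{}]}},
    {"kind": "RoleBinding", "metadata": meta("team-b-edit", "team-b")},
]

if __name__ == "__main__":
    for ns in ("team-a", "team-b"):
        print(ns, audit_namespace(ns, SAMPLE) or "baseline complete")
```

Against a live cluster, the same function can be fed the `items` list from `kubectl get resourcequota,networkpolicy,rolebinding -n <namespace> -o json`.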

Tip

For general information about pricing, legal or support concerning the platform, services or components, consult your contract or see the contact page.