Provision namespace resources

This topic tells you how to use Namespace Provisioner to provision namespace-scoped resources in Tanzu Application Platform (commonly known as TAP).

Two approaches to provisioning namespace-scoped resources are supported:

Using Namespace Provisioner Controller is recommended for Tanzu Application Platform clusters that:

Using GitOps is required for Tanzu Application Platform clusters that meet any of the following:

Using Namespace Provisioner Controller

Ensure that the following prerequisites are met before provisioning namespace-scoped resources using Namespace Provisioner Controller.


  • The Namespace Provisioner package is installed and reconciled.
  • The controller tap value key is set to true (the default is true).
  • The registry-credentials secret referenced by the Tanzu Build Service is added to tap-install and exported to all namespaces. If you don’t want to export this secret to all namespaces for any reason, you must complete an additional step to create this secret in each namespace you want to provision.

    • Example secret creation, exported to all namespaces
    tanzu secret registry add tbs-registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --export-to-all-namespaces --yes --namespace tap-install
    • Example secret creation for a specific namespace
    tanzu secret registry add tbs-registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --yes --namespace YOUR-NEW-DEVELOPER-NAMESPACE

Provision a new developer namespace

Complete the following steps to provision a new developer namespace:

  1. Create a namespace using kubectl or any other means

    kubectl create namespace YOUR-NEW-DEVELOPER-NAMESPACE
  2. Label your new developer namespace with the label selector""

    kubectl label namespaces YOUR-NEW-DEVELOPER-NAMESPACE""
    • This label tells the controller to add this namespace to the desired-namespaces ConfigMap.
    • The label’s value can be anything, including "".
    • If required, you can change the default label selector by configuring the namespace_selector property/value in tap-values for namespace provisioner.
  3. (Optional) This step is only required if the registry-credentials secret that was created during Tanzu Application Platform Installation was not exported to all namespaces (see the Prerequisites section above for details).

    • Add the registry-credentials secret referenced by the Tanzu Build Service to the new namespace and patch the service account that will be used by the workload to refer to this new secret.

      tanzu secret registry add registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --yes --namespace YOUR-NEW-DEVELOPER-NAMESPACE
  4. Run the following command to verify the correct resources were created in the namespace:

    kubectl get secrets,serviceaccount,rolebinding,pods,workload,configmap -n YOUR-NEW-DEVELOPER-NAMESPACE
    • To see the list of resources that are provisioned in your namespace based on the installation profile and supply chain values configured in your tap-values.yaml file, see Default resources mapping.
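
Steps 1 to 3 above as a reusable shell function, added here as an example and not taken from the Tanzu documentation. It takes the label selector as an argument because the selector is configurable (namespace_selector), and, as an assumption, it reads the registry password from a REGISTRY_PASSWORD environment variable through the tanzu CLI's --password-env-var flag so the password stays out of process arguments and shell history. The function names provision_namespace and valid_ns_name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the TAP documentation): provisions one developer
# namespace following steps 1-3 above. Assumes kubectl and the tanzu CLI are
# on PATH and that REGISTRY_PASSWORD holds the registry password when needed.

# Return 0 if $1 is a valid Kubernetes namespace name (RFC 1123 label).
valid_ns_name() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] || return 1
  case "$1" in
    *[!abcdefghijklmnopqrstuvwxyz0123456789-]*|-*|*-) return 1 ;;
  esac
  return 0
}

# provision_namespace NAMESPACE LABEL [REGISTRY-SERVER REGISTRY-USERNAME]
# LABEL is the selector in key=value form; the value may be empty (KEY=).
provision_namespace() {
  ns=$1 label=$2 server=${3:-} user=${4:-}
  valid_ns_name "$ns" || { echo "invalid namespace name: $ns" >&2; return 2; }
  [ -n "$label" ] || { echo "label selector required" >&2; return 2; }

  # Step 1: create the namespace only if it does not exist yet.
  kubectl get namespace "$ns" >/dev/null 2>&1 || kubectl create namespace "$ns" || return 1

  # Step 2: label it so the controller adds it to desired-namespaces.
  kubectl label namespaces "$ns" "$label" --overwrite || return 1

  # Step 3 (optional): only when the secret was not exported to all namespaces.
  if [ -n "$server" ]; then
    [ -n "${REGISTRY_PASSWORD:-}" ] || { echo "REGISTRY_PASSWORD not set" >&2; return 2; }
    tanzu secret registry add registry-credentials \
      --server "$server" --username "$user" \
      --password-env-var REGISTRY_PASSWORD \
      --yes --namespace "$ns" || return 1
  fi
}
```

Omit the last two arguments when the secret is already exported to all namespaces; step 4's kubectl get command then verifies the result.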

Using GitOps

This section describes how to use GitOps to manage the list of namespaces in the desired-namespaces ConfigMap instead of the built-in controller.

WARNING If the desired-namespaces ConfigMap list in your GitOps repository contains a namespace that does not exist on the cluster, the provisioner application fails to reconcile and cannot create resources. Creating namespaces is outside the scope of the Namespace Provisioner package.


The prerequisites for using GitOps are the same as those specified in the controller prerequisites above except for the controller tap value key’s value as follows:

For more information about provisioning namespaces with GitOps, see Control the desired-namespaces ConfigMap with GitOps.
