Namespace Provisioner provides a secure, automated way for you to provision namespaces with the resources and namespace-level privileges required for your workloads to function as intended in Tanzu Application Platform (commonly known as TAP).
Namespace Provisioner enables platform operators to add customized namespace-scoped resources using GitOps to meet their organization’s requirements, and it provides continuous reconciliation using kapp-controller to maintain the desired state of those resources.
Namespace Provisioner enables operators that are new to Kubernetes to automate the provisioning of multiple developer namespaces in a shared cluster. For organizations that have already adopted Kubernetes, Namespace Provisioner is also compatible with existing Kubernetes tooling.
Use Namespace Provisioner with one of the following modes:
apps.tanzu.vmware.com/tap-ns=""
additional_sources section in Namespace Provisioner configuration. For more information, see Customize Installation of Namespace Provisioner.
gitops_install section of the Namespace Provisioner configuration.
additional_sources in Namespace Provisioner configuration. For more information, see Customize Installation of Namespace Provisioner.
Namespace Provisioner consists of a Carvel application called provisioner that facilitates the creation of resources in the managed developer namespaces. The provisioner application uses ytt to templatize a set of resources into installations in multiple namespaces.
The following section describes how the list of desired developer namespaces is managed in controller and GitOps modes.
provisioner application to create resources in, is maintained in the desired-namespaces ConfigMap. This ConfigMap is managed by the Namespace Provisioner controller and it provides a declarative way to indicate which namespaces should be populated with resources. The ConfigMap consists of a list of namespace objects, with a required name parameter, and optional additional parameters which are used as data.values for customizing defined resources.
For example:
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: desired-namespaces
  namespace: tap-namespace-provisioning
  annotations:
    kapp.k14s.io/create-strategy: fallback-on-update
    namespace-provisioner.apps.tanzu.vmware.com/no-overwrite: "" #! This annotation tells the provisioner app to not override this configMap as this is your desired state.
data:
  namespaces.yaml: |
    #@data/values
    ---
    namespaces:
    - name: dev-ns1
      # additional parameters about dev-ns1 added via label/annotations or GitOps
    - name: dev-ns2
      # additional parameters about dev-ns2 added via label/annotations or GitOps
```
provisioner application to create resources in, is maintained in a Git repository as a ytt data values file as shown in this sample file. This file provides a declarative way to indicate which namespaces should be populated with resources. For more information, see the Options if using GitOps section in Customize Install.
The Namespace Provisioner controller (controller) is installed by default and manages the content contained in the desired-namespaces ConfigMap. The controller watches namespaces in the cluster and updates the desired-namespaces ConfigMap with a list of all namespaces that match the namespace label selector. The default namespace label selector is apps.tanzu.vmware.com/tap-ns. For more information, see Use a different label selector than default.
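Because every namespace in the desired-namespaces list receives resources and namespace-level privileges, it is worth comparing that list against the namespaces that actually carry the selector label. The following is an added example, not code from the Tanzu documentation: the function names are hypothetical, and the JSON inputs are constructed samples shaped like `kubectl get ... -o json` output.

```python
import json
import re

SELECTOR_KEY = "apps.tanzu.vmware.com/tap-ns"  # default selector named on the page

# Constructed sample, shaped like `kubectl get namespaces -o json`.
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "dev-ns1", "labels": {SELECTOR_KEY: ""}}},
    {"metadata": {"name": "dev-ns2", "labels": {SELECTOR_KEY: ""}}},
    {"metadata": {"name": "dev-ns3", "labels": {SELECTOR_KEY: ""}}},
    {"metadata": {"name": "kube-system"}},
]})

# Constructed sample, shaped like
# `kubectl get configmap desired-namespaces -n tap-namespace-provisioning -o json`.
CONFIGMAP_JSON = json.dumps({"data": {"namespaces.yaml": (
    "#@data/values\n---\nnamespaces:\n- name: dev-ns1\n- name: dev-ns2\n- name: old-ns\n"
)}})


def labelled_namespaces(namespaces_json, key=SELECTOR_KEY):
    """Names of namespaces carrying the selector label (key-exists match)."""
    items = json.loads(namespaces_json).get("items", [])
    return {
        ns["metadata"]["name"]
        for ns in items
        if key in (ns["metadata"].get("labels") or {})
    }


def desired_namespaces(configmap_json):
    """Names in namespaces.yaml; line-based `- name:` extraction, not a YAML parser."""
    text = json.loads(configmap_json).get("data", {}).get("namespaces.yaml", "")
    return set(re.findall(r"^[ \t]*- name:[ \t]*([a-z0-9][a-z0-9-]*)", text, flags=re.M))


def drift(namespaces_json, configmap_json):
    """Compare what the selector matches with what the provisioner will populate."""
    labelled = labelled_namespaces(namespaces_json)
    desired = desired_namespaces(configmap_json)
    return {
        "labelled_not_listed": sorted(labelled - desired),
        "listed_not_labelled": sorted(desired - labelled),
    }


if __name__ == "__main__":
    print(drift(NAMESPACES_JSON, CONFIGMAP_JSON))
```

A namespace under listed_not_labelled is still being populated without carrying the label, and one under labelled_not_listed has been labelled but is not yet in the list.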