Skip to content

Latest commit

 

History

History

tenant-namespace

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 

tenant-namespace

A Helm Chart to bootstrap a Namespace in a Multi-Tenancy setup

TL;DR;

helm repo add christianhuth https://charts.christianhuth.de
helm repo update
helm install my-release christianhuth/tenant-namespace

Introduction

This chart bootstraps a Namespace in a Multi-Tenancy cluster with all the required resources on a Kubernetes cluster using the Helm package manager.

Prerequisites

  • Kubernetes 1.19+

Installing the Chart

To install the chart with the release name my-release:

helm repo add christianhuth https://charts.christianhuth.de
helm repo update
helm install my-release christianhuth/tenant-namespace

These commands deploy the Namespace for the Tenant on the Kubernetes cluster in the default configuration. The Values section lists the values that can be configured during installation.

Tip: List all releases using helm list

Uninstalling the Chart

To uninstall the my-release deployment:

helm uninstall my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

Values

Key Type Default Description
fullnameOverride string "" String to fully override "tenant-namespace.fullname"
limitRange.additionalAnnotations object {} Annotations to be added to the LimitRange
limitRange.additionalLabels object {} Labels to be added to the LimitRange
limitRange.enabled bool false - create a LimitRange resource
limitRange.limits list [] define the list of limits
limitRange.name string "" The name of the LimitRange to be created. If left empty will simply use the Release name.
nameOverride string "" Provide a name in place of tenant-namespace
namespace.annotations.additionalAnnotations object {} Annotations to be added to the Namespace
namespace.annotations.openShift.description string "" The optional description can be a more detailed description of the project and is visible in the web console.
namespace.annotations.openShift.displayName string "" The optional displayName is how the project is displayed in the web console (defaults to name).
namespace.annotations.openShift.requester string "" The optional requesting user.
namespace.annotations.scheduler.defaultTolerations list [] This annotation requires the PodTolerationRestriction admission controller to be enabled. This annotation key allows assigning tolerations to a namespace and any new pods created in this namespace would get these tolerations added.
namespace.annotations.scheduler.nodeSelector string "" The PodNodeSelector uses this annotation key to assign node selectors to pods in namespaces.
namespace.annotations.scheduler.tolerationsWhitelist list [] This annotation requires the PodTolerationRestriction admission controller to be enabled. The annotation value is a JSON document that defines a list of allowed tolerations for the namespace it annotates. When you create a Pod or modify its tolerations, the API server checks the tolerations to see if they are mentioned in the allow list. The pod is admitted only if the check succeeds.
namespace.enabled bool false - create a Namespace resource
namespace.labels.additionalLabels object {} Labels to be added to the Namespace
namespace.labels.podSecurityAdmission.audit.standard string "" Value must be one of privileged, baseline, or restricted which correspond to Pod Security Standard levels.
namespace.labels.podSecurityAdmission.audit.version string "" Version label that can be used to pin the policy to the version that shipped with a given Kubernetes minor version (for example v1.27).
namespace.labels.podSecurityAdmission.enforce.standard string "" Value must be one of privileged, baseline, or restricted which correspond to Pod Security Standard levels.
namespace.labels.podSecurityAdmission.enforce.version string "" Version label that can be used to pin the policy to the version that shipped with a given Kubernetes minor version (for example v1.27).
namespace.labels.podSecurityAdmission.warning.standard string "" Value must be one of privileged, baseline, or restricted which correspond to Pod Security Standard levels.
namespace.labels.podSecurityAdmission.warning.version string "" Version label that can be used to pin the policy to the version that shipped with a given Kubernetes minor version (for example v1.27).
namespace.name string "" The Name of the newly created namespace. Uses the Release name be default.
networkPolicies.additionalAnnotations object {} Annotations to be added to the NetworkPolicies
networkPolicies.additionalLabels object {} Labels to be added to the NetworkPolicies
networkPolicies.egress.allow.dns.enabled bool true create a NetworkPolicy that allows outgoing traffic to the Kubernetes DNS
networkPolicies.egress.allow.dns.namespace string "kube-system" The namespace where the Kubneretes DNS is running
networkPolicies.egress.allow.dns.podLabels object {"k8s-app":"kube-dns"} The labels of the Kubernetes DNS
networkPolicies.egress.allow.dns.podSelector object {} define a PodSelector that should be used. Uses all Pods by default
networkPolicies.egress.deny.all.enabled bool true create a NetworkPolicy that denies all outgoing traffic
networkPolicies.egress.deny.all.podSelector object {} define a PodSelector that should be used. Uses all Pods by default
networkPolicies.enabled bool false - create NetworkPolicy resources to limit the allowed traffic
networkPolicies.ingress.allow.openShift.ingressController.enabled bool true create a NetworkPolicy that allows incoming traffic from the OpenShift Ingress Controller
networkPolicies.ingress.allow.openShift.ingressController.podSelector object {} define a PodSelector that should be used. Uses all Pods by default
networkPolicies.ingress.allow.openShift.monitoring.enabled bool true create a NetworkPolicy that allows incoming traffic from the OpenShift Monitoring
networkPolicies.ingress.allow.openShift.monitoring.podSelector object {} define a PodSelector that should be used. Uses all Pods by default
networkPolicies.ingress.deny.all.enabled bool true create a NetworkPolicy that denies all incoming traffic
networkPolicies.ingress.deny.all.podSelector object {} define a PodSelector that should be used. Uses all Pods by default
networkPolicies.openShift.enabled bool false enabled the creation of NetworkPolicies for OpenShift like Ingress and Monitoring
resourceQuotas object {"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"quotas":[]} define a list of ResourceQuotas that should be created
resourceQuotas.additionalAnnotations object {} Annotations to be added to the LimitRange
resourceQuotas.additionalLabels object {} Labels to be added to the LimitRange

Specify each parameter using the --set key=value[,key=value] argument to helm install.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

helm install my-release -f values.yaml christianhuth/tenant-namespace