Namespace Creation

Phase 2 of the provisioning pipeline creates the Kubernetes namespace and configures isolation boundaries for the tenant. This phase consists of 7 steps that establish the tenant's compute environment.

Steps in Phase 2

Namespace Naming

For shared clusters (FREE/STARTER tier), namespaces follow the pattern tenant-{slug}:

String namespace = "tenant-" + tenant.getSlug();
tenant.setKubernetesNamespace(namespace);

For dedicated clusters (PROFESSIONAL/ENTERPRISE), the namespace is typically matih since the entire cluster is dedicated to one tenant.

Resource Quota Configuration

Resource quotas are applied per tier to prevent any single tenant from consuming excessive cluster resources:

Network Policy

Network policies enforce tenant isolation at the pod level:

• Default deny: All ingress traffic is denied by default
• Allow within namespace: Pods within the same tenant namespace can communicate
• Allow from ingress: Traffic from the tenant's ingress controller is permitted
• Allow to shared services: DNS, monitoring, and platform services are accessible
• Deny cross-tenant: Traffic between tenant namespaces is blocked

Rollback

All Phase 2 steps support rollback. When rolled back:

• RBAC bindings are removed
• Pod security policies are deleted
• Service accounts are deleted
• Network policies are removed
• Limit ranges and resource quotas are deleted
• The namespace is deleted (which cascades deletion of all contained resources)

Source Files