Configuration Reference

Complete reference for all values.yaml parameters.


Global

| Parameter | Type | Default | Description |
|---|---|---|---|
| global.labels | map | {} | Labels added to every managed resource |
| global.annotations | map | {} | Annotations added to every managed resource |

Tools namespace

A shared namespace for cluster-wide tooling (operators, controllers, etc.).

| Parameter | Type | Default | Description |
|---|---|---|---|
| tools.create | bool | true | Create the tools namespace |
| tools.namespace | string | "k8s-tools" | Name of the tools namespace |
| tools.labels | map | {} | Extra labels |
| tools.annotations | map | {} | Extra annotations |

Tenants

Each entry in tenants[] provisions a full set of resources for one team.

| Parameter | Type | Required | Description |
|---|---|---|---|
| tenants[].name | string | yes | Tenant name — becomes the namespace name |
| tenants[].labels | map | no | Extra labels on the namespace |
| tenants[].annotations | map | no | Extra annotations on the namespace |
| tenants[].resourceQuota | object | no | Per-tenant quota (overrides resourceQuota.default) |
| tenants[].limitRange | object | no | Per-tenant LimitRange (overrides limitRange.default) |
| tenants[].rbac.subjects | list | no | Additional RBAC subjects (users, groups, service accounts) |
| tenants[].networkPolicy.enabled | bool | no | Per-tenant override for networkPolicy.enabled |

Per-tenant RBAC subjects

tenants:
  - name: team-alpha
    rbac:
      subjects:
        - kind: Group
          name: team-alpha-admins
          apiGroup: rbac.authorization.k8s.io
        - kind: User
          name: [email protected]
          apiGroup: rbac.authorization.k8s.io

kind must be one of User, Group, or ServiceAccount. These are appended to the default ServiceAccount binding.

Per-tenant resource quota override

tenants:
  - name: data-platform
    resourceQuota:
      requests.cpu: "8"
      limits.cpu: "16"
      requests.memory: 16Gi
      limits.memory: 32Gi
      pods: "50"

Per-tenant NetworkPolicy toggle

tenants:
  - name: internal-tools
    networkPolicy:
      enabled: false # disable isolation for this tenant only

RBAC

| Parameter | Type | Default | Description |
|---|---|---|---|
| rbac.create | bool | true | Create a Role + RoleBinding in each tenant namespace |
| rbac.serviceAccountName | string | "default" | ServiceAccount bound in every tenant namespace |
| rbac.defaultRules | list | see values.yaml | RBAC rules granted in each tenant namespace |

ResourceQuota

| Parameter | Type | Default | Description |
|---|---|---|---|
| resourceQuota.enabled | bool | true | Create a ResourceQuota in each tenant namespace |
| resourceQuota.default | object | see below | Hard quota applied to all tenants unless overridden |

Default quota:

resourceQuota:
  default:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
    persistentvolumeclaims: "5"
    pods: "20"
    services: "5"
    secrets: "20"
    configmaps: "20"

LimitRange

| Parameter | Type | Default | Description |
|---|---|---|---|
| limitRange.enabled | bool | true | Create a LimitRange in each tenant namespace |
| limitRange.default | object | see below | Default container limits applied to all tenants unless overridden |

Default LimitRange:

limitRange:
  default:
    type: Container
    default:
      cpu: 300m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    max:
      cpu: "1"
      memory: 2Gi
    min:
      cpu: 50m
      memory: 64Mi
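The override rules spread across the Tenants, RBAC, ResourceQuota and LimitRange sections above are easier to check as code. The following script is an added illustration, not the chart's own template logic: it resolves the effective settings for each tenants[] entry from a values.yaml-style structure (embedded here as a constructed Python dict that mirrors this reference's defaults and examples) and validates rbac.subjects the way the text requires. The function names, and the assumption that a per-tenant resourceQuota or limitRange replaces the default object as a whole rather than merging key by key, are mine.

```python
"""Resolve effective per-tenant settings from values.yaml-style data.

Added illustration of the override semantics described in this reference:
  - tenants[].resourceQuota overrides resourceQuota.default
  - tenants[].limitRange overrides limitRange.default
  - tenants[].rbac.subjects are appended to the default ServiceAccount binding
  - tenants[].networkPolicy.enabled overrides networkPolicy.enabled
This is not the chart's template code. ASSUMPTION: an override replaces the
whole default object (keys left out of the override are not inherited).
"""
import copy

VALID_SUBJECT_KINDS = {"User", "Group", "ServiceAccount"}
RBAC_API_GROUP = "rbac.authorization.k8s.io"

# Constructed sample values mirroring the defaults and examples in this reference.
SAMPLE_VALUES = {
    "rbac": {"create": True, "serviceAccountName": "default"},
    "resourceQuota": {"enabled": True, "default": {
        "requests.cpu": "2", "requests.memory": "4Gi",
        "limits.cpu": "4", "limits.memory": "8Gi",
        "persistentvolumeclaims": "5", "pods": "20",
        "services": "5", "secrets": "20", "configmaps": "20"}},
    "limitRange": {"enabled": True, "default": {
        "type": "Container",
        "default": {"cpu": "300m", "memory": "256Mi"},
        "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
        "max": {"cpu": "1", "memory": "2Gi"},
        "min": {"cpu": "50m", "memory": "64Mi"}}},
    "networkPolicy": {"enabled": True, "vpcCidr": "10.0.0.0/8",
                      "allowInternetEgress": False},
    "tenants": [
        {"name": "team-alpha", "rbac": {"subjects": [
            {"kind": "Group", "name": "team-alpha-admins", "apiGroup": RBAC_API_GROUP}]}},
        {"name": "data-platform", "resourceQuota": {
            "requests.cpu": "8", "limits.cpu": "16",
            "requests.memory": "16Gi", "limits.memory": "32Gi", "pods": "50"}},
        {"name": "internal-tools", "networkPolicy": {"enabled": False}},
    ],
}


def subject_errors(tenant):
    """Return a list of problems with tenant.rbac.subjects (empty when valid)."""
    errors = []
    for s in tenant.get("rbac", {}).get("subjects", []):
        kind = s.get("kind")
        if kind not in VALID_SUBJECT_KINDS:
            errors.append(f"{tenant['name']}: kind must be one of "
                          f"{sorted(VALID_SUBJECT_KINDS)}, got {kind!r}")
        # Kubernetes requires the rbac apiGroup on User/Group subjects.
        elif kind in ("User", "Group") and s.get("apiGroup") != RBAC_API_GROUP:
            errors.append(f"{tenant['name']}: {kind} subject {s.get('name')!r} "
                          f"needs apiGroup {RBAC_API_GROUP}")
    return errors


def resolve_tenant(values, tenant):
    """Effective settings for one tenants[] entry; raises on invalid subjects."""
    errors = subject_errors(tenant)
    if errors:
        raise ValueError("; ".join(errors))
    name = tenant["name"]
    # Every tenant namespace gets its ServiceAccount bound first; extras are appended.
    subjects = [{"kind": "ServiceAccount",
                 "name": values["rbac"]["serviceAccountName"], "namespace": name}]
    subjects += [dict(s) for s in tenant.get("rbac", {}).get("subjects", [])]
    quota = tenant.get("resourceQuota") or values["resourceQuota"]["default"]
    limit_range = tenant.get("limitRange") or values["limitRange"]["default"]
    np_enabled = tenant.get("networkPolicy", {}).get(
        "enabled", values["networkPolicy"]["enabled"])
    return {
        "namespace": name,
        "rbacSubjects": subjects if values["rbac"]["create"] else [],
        "resourceQuota": copy.deepcopy(quota) if values["resourceQuota"]["enabled"] else None,
        "limitRange": copy.deepcopy(limit_range) if values["limitRange"]["enabled"] else None,
        "networkPolicyEnabled": np_enabled,
    }


def resolve_all(values):
    """Map tenant name -> effective settings for every tenants[] entry."""
    return {t["name"]: resolve_tenant(values, t) for t in values.get("tenants", [])}


if __name__ == "__main__":
    for ns, cfg in resolve_all(SAMPLE_VALUES).items():
        print(ns, "pods=" + cfg["resourceQuota"]["pods"],
              "netpol=" + str(cfg["networkPolicyEnabled"]),
              "subjects=" + str(len(cfg["rbacSubjects"])))
```

Under the whole-object assumption, the data-platform override in the example above drops the persistentvolumeclaims, services, secrets and configmaps caps entirely, which is easy to miss when only the CPU and memory keys are tuned. Confirm the chart's actual behaviour by rendering with `helm template` and inspecting the ResourceQuota for that namespace before relying on either reading.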

NetworkPolicy

| Parameter | Type | Default | Description |
|---|---|---|---|
| networkPolicy.enabled | bool | true | Create an isolation policy in each tenant namespace |
| networkPolicy.vpcCidr | string | "10.0.0.0/8" | VPC/VNet CIDR for ALB/load-balancer ingress and internal service egress |
| networkPolicy.allowInternetEgress | bool | false | Allow pods to make outbound HTTPS/HTTP calls to the public internet |

vpcCidr per cloud

| Cloud | How to find your CIDR |
|---|---|
| EKS | aws ec2 describe-vpcs --query 'Vpcs[*].CidrBlock' |
| AKS | az network vnet list --query '[*].addressSpace.addressPrefixes' |
| GKE | gcloud compute networks subnets list |

What the NetworkPolicy allows

By default each tenant gets:

  • Ingress: same-namespace pods, kube-system (DNS/CNI), VPC CIDR (load balancer health checks)
  • Egress: DNS on port 53, VPC CIDR on ports 5432 (PostgreSQL), 3306 (MySQL), 6379 (Redis), 9092 (Kafka)
  • Blocked: all other cross-namespace and internet traffic

Set allowInternetEgress: true to additionally allow outbound port 443/80 to 0.0.0.0/0.
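To see what a given networkPolicy block permits before installing, the allow-list above can be encoded as data and sample flows evaluated against it. The script below is an added illustration, not the chart's NetworkPolicy template: it models ingress peers as either a pod namespace or a source IP, egress destinations as an IP and port, and applies the rules exactly as this section states them (same-namespace and kube-system ingress, VPC CIDR ingress, DNS on 53, VPC CIDR on the four database/broker ports, and 443/80 to anywhere only when allowInternetEgress is true). The flow representation and function names are mine; egress to pods selected by label inside the namespace is not described on this page and is therefore not modelled.

```python
"""Evaluate sample flows against the tenant isolation rules this reference describes.

Added illustration, not the chart's NetworkPolicy template. ASSUMPTIONS:
  - ingress peers are given as {"namespace": ...} (pod traffic) or {"ip": ...}
  - egress destinations are given as {"ip": ...}; DNS on port 53 is allowed to
    any destination, everything else to the VPC CIDR only on the listed ports
  - a tenant with networkPolicy.enabled=false gets no policy at all (open)
"""
import ipaddress

VPC_EGRESS_PORTS = {5432, 3306, 6379, 9092}  # PostgreSQL, MySQL, Redis, Kafka
INTERNET_PORTS = {443, 80}
DNS_PORT = 53

# Constructed sample values: the defaults from this reference.
SAMPLE_VALUES = {"networkPolicy": {"enabled": True, "vpcCidr": "10.0.0.0/8",
                                   "allowInternetEgress": False}}


def build_policy(values, tenant):
    """Effective isolation rules for one tenants[] entry, or None if disabled."""
    np = values["networkPolicy"]
    if not tenant.get("networkPolicy", {}).get("enabled", np["enabled"]):
        return None  # per-tenant toggle or global disable: no policy rendered
    return {
        "namespace": tenant["name"],
        "vpc": ipaddress.ip_network(np["vpcCidr"]),
        "ingress_namespaces": {tenant["name"], "kube-system"},
        "egress_vpc_ports": set(VPC_EGRESS_PORTS),
        "internet_ports": set(INTERNET_PORTS) if np.get("allowInternetEgress") else set(),
    }


def is_allowed(policy, direction, peer, port):
    """True if a flow (direction in {'ingress','egress'}) is permitted by policy."""
    if policy is None:
        return True  # no NetworkPolicy selects the pods: Kubernetes allows all
    if direction == "ingress":
        if "namespace" in peer:
            return peer["namespace"] in policy["ingress_namespaces"]
        # Load-balancer health checks and other in-VPC sources
        return ipaddress.ip_address(peer["ip"]) in policy["vpc"]
    if direction == "egress":
        if port == DNS_PORT:
            return True
        if port in policy["internet_ports"]:
            return True  # 0.0.0.0/0 on 443/80 when allowInternetEgress is set
        dst = ipaddress.ip_address(peer["ip"])
        return dst in policy["vpc"] and port in policy["egress_vpc_ports"]
    raise ValueError(f"unknown direction {direction!r}")


def check_flows(policy, flows):
    """Return the subset of (direction, peer, port) tuples the policy would block."""
    return [f for f in flows if not is_allowed(policy, *f)]


if __name__ == "__main__":
    pol = build_policy(SAMPLE_VALUES, {"name": "team-alpha"})
    blocked = check_flows(pol, [
        ("ingress", {"namespace": "team-beta"}, 8080),
        ("egress", {"ip": "10.3.0.10"}, 5432),
        ("egress", {"ip": "93.184.216.34"}, 443),   # constructed public address
    ])
    for f in blocked:
        print("blocked:", f)
```

One caveat the model makes visible: the default vpcCidr of 10.0.0.0/8 admits ingress from the entire RFC 1918 10/8 space, which is usually far wider than one VPC. Setting vpcCidr to the value returned by the per-cloud lookups above keeps the load-balancer ingress and database egress rules scoped to the network the cluster actually runs in.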