Until this point, the homepage about the multi-tenant cluster was running in the multi-tenant cluster without using the multi-tenant functionality :-P.

Now, I have created a “homepage” tenant, with a non-cluster-admin user (myself) as the owner. As this user, I have created a homepage namespace and a “deployer” service account that only has access to the homepage namespace. The kubeconfig of this deployer service account is used in the GitLab pipeline.

Advantages:

  • the usual multi-tenancy ones
  • no longer using cluster-admin credentials in the CI/CD pipeline

Required steps:

  • create a non-cluster-admin user and output its kubeconfig file
  • create a Capsule Tenant (with a user as the owner)
  • as a Tenant admin: create a “deployer” service account (with access limited to a single namespace) and output its kubeconfig file

Scripts to do these steps have been committed to the main Qluster project.
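
A sketch of the Tenant and deployer steps, added here as an example; it is not the Qluster project's scripts. The owner name `alice`, the built-in `edit` ClusterRole, and the `capsule.clastix.io/v1beta2` API version are assumptions that depend on your setup and Capsule release.

```shell
#!/usr/bin/env bash
# Added example, not the Qluster scripts. "alice" and the "edit" role are assumptions.

# Capsule Tenant owned by a regular (non-cluster-admin) user.
# Applied by a cluster admin.
tenant_manifest() {  # $1 = tenant name, $2 = owner user name
  cat <<EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: $1
spec:
  owners:
    - kind: User
      name: $2
EOF
}

# ServiceAccount plus a namespaced RoleBinding. Referencing a ClusterRole from
# a RoleBinding grants its rules in this one namespace only.
# Applied by the tenant owner.
deployer_manifest() {  # $1 = namespace, $2 = service account name
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $2-edit
  namespace: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: ServiceAccount
    name: $2
    namespace: $1
EOF
}

# Run as cluster admin (uses impersonation). Prints "scoped" only if the account
# can deploy in its own namespace ($1) and cannot in another namespace ($3).
check_scope() {  # $1 = namespace, $2 = service account name, $3 = other namespace
  sa="system:serviceaccount:$1:$2"
  kubectl auth can-i create deployments -n "$1" --as="$sa" >/dev/null &&
    ! kubectl auth can-i create deployments -n "$3" --as="$sa" >/dev/null &&
    echo scoped
}
```

Typical use: `tenant_manifest homepage alice | kubectl apply -f -` as cluster admin, then as the tenant owner `kubectl create namespace homepage` followed by `deployer_manifest homepage deployer | kubectl apply -f -`. Running `check_scope homepage deployer default` afterwards confirms the pipeline credential has no rights outside its namespace.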