{"id":44646837,"url":"https://github.com/observatorium/namespace-provisioner","last_synced_at":"2026-02-14T20:09:08.666Z","repository":{"id":100186239,"uuid":"271571563","full_name":"observatorium/namespace-provisioner","owner":"observatorium","description":"Self-service management of short-lived Namespaces in Kubernetes clusters","archived":false,"fork":false,"pushed_at":"2025-03-25T19:45:54.000Z","size":174,"stargazers_count":5,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-09T01:36:45.216Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/observatorium.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-11T14:44:13.000Z","updated_at":"2025-01-15T19:22:47.000Z","dependencies_parsed_at":"2024-06-21T07:32:29.133Z","dependency_job_id":"9d1cd134-dc80-463d-a7da-654c8480e6d0","html_url":"https://github.com/observatorium/namespace-provisioner","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/observatorium/namespace-provisioner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/observatorium%2Fnamespace-provisioner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/observatorium%2Fnamespace-provisioner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/observatorium%2Fnamespace-provisioner/releases","manifests_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/observatorium%2Fnamespace-provisioner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/observatorium","download_url":"https://codeload.github.com/observatorium/namespace-provisioner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/observatorium%2Fnamespace-provisioner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29454908,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T15:52:44.973Z","status":"ssl_error","status_checked_at":"2026-02-14T15:52:11.208Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-14T20:09:08.105Z","updated_at":"2026-02-14T20:09:08.661Z","avatar_url":"https://github.com/observatorium.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Namespace Provisioner\n\nNamespace Provisioner is a tool for self-servicing the creation of short-lived namespaces in a Kubernetes cluster.\n\n## Design\n\nThere are two main threads in the Namespace Provisioner:\n1. An API server fulfilling requests to create and delete namespaces; and\n1. 
A Kubernetes controller watching namespaces for deletion.\n\n### Authentication\n\nThe Namespace Provisioner requires all requests to the API to be authenticated.\nCurrently, the API only allows clients to authenticate via a bearer token, which must be specified at run-time with the `--token=\u003ctoken\u003e` flag.\n\n### Privileges\n\nThe Namespace Provisioner provides the client with a Kubeconfig to operate the Namespaces it creates and binds a ClusterRole to it to give it privileges.\nThe ClusterRole is bound to the Kubeconfig using a RoleBinding, scoping the permissions down to only the newly created Namespace.\nBy default, the Namespace Provisioner uses a ClusterRole named `namespace-provisioner-grant`, which grants no permissions to the subject.\nTo control the permissions granted to the returned Kubeconfig, administrators can edit the `namespace-provisioner-grant` ClusterRole or change the target ClusterRole by specifying a different `--cluster-role=\u003cname\u003e` flag passed to the Namespace Provisioner.\n\n### API Server\n\nThe Namespace Provisioner runs an API server over HTTP that exposes two API endpoints:\n1. Namespace creation; and\n1. Namespace deletion.\n\n#### Namespace Creation - POST /api/v1/namespace\n\nThe Namespace creation endpoint accepts the following optional query parameters:\n1. `ttl`: the duration, e.g. `30s`, `5m`, `1h`, that the Namespace should exist in the Kubernetes cluster; if 0 is given, then the Namespace Provisioner’s default lifetime is applied.\nAll provisioned Namespaces will be labeled with a Unix timestamp equal to the current time plus this duration; and\n1. `server`: the URL of the Kubernetes API that the generated Kubeconfig should use.\n\nThe Namespace creation endpoint responds with the following data:\n1. 
A Kubeconfig with scoped privileges for the provisioned Namespace using the provided RBAC Role and the Kubernetes API URL provided in the creation request.\n\nIn order to generate the Kubeconfig to fulfill the request, the Namespace Provisioner first generates a ServiceAccount for the new Namespace, binds the specified RBAC role to it, and finally uses the certificate and token for the ServiceAccount to produce a Kubeconfig.\n\n#### Namespace Deletion - DELETE /api/v1/namespace/\u003cname\u003e\n\nThe Namespace deletion endpoint determines what namespace to delete from the parameter in the URL path.\n\n### Kubernetes Controller\nThe Namespace Provisioner runs a Kubernetes controller to manage all of the resources it creates. Chiefly, it maintains a control loop to watch four resources:\n1. Namespaces;\n1. ServiceAccounts;\n1. Roles; and\n1. RoleBindings\n\nThe controller runs filtered indexers for each of these resources that limit the watched resources to only those that are labelled with `controller.observatorium.io=namespace-provisioner`.\nAny time that a resource with this label is modified, the controller ensures that all of the resources for the corresponding Namespace are correct.\n\nEach resource provisioned for a Namespace creation request is also labelled with a Unix timestamp for the expiration time of the Namespace.\nWhenever the controller re-syncs, it checks the expiration timestamp of the resource and deletes it if it has expired.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fobservatorium%2Fnamespace-provisioner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fobservatorium%2Fnamespace-provisioner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fobservatorium%2Fnamespace-provisioner/lists"}