Self-Service Team Onboarding
In Development
This feature is currently in development. Onboarding workflows described here are subject to change.
Purpose: For platform engineers and app team leads. Describes how teams self-enroll through the portal and automatically receive namespaces, quotas, Git repos, and RBAC bindings.
Onboarding Flow
- Team lead authenticates via Keycloak SSO
- Requests team workspace — provides team name, cost center, environment tier
- Portal provisions:
  - Kubernetes namespace(s) with resource quotas
  - RBAC bindings mapped to Keycloak group
  - Git repository (or directory in mono-repo) with FluxCD bootstrap
  - NetworkPolicy defaults for namespace isolation
  - Default LimitRange for pod resource boundaries
- Team members gain access via Keycloak group membership
What Gets Created
| Resource | Purpose |
|---|---|
| Namespace | Isolated workspace for team workloads |
| ResourceQuota | CPU, memory, storage, and object count limits |
| RBACDefinition | Maps Keycloak group → Kubernetes RBAC roles |
| NetworkPolicy | Default deny-ingress with team-internal allow |
| LimitRange | Default container resource requests/limits |
| GitRepository (FluxCD) | Points FluxCD at the team's app manifests |
| Kustomization (FluxCD) | Reconciles team directory into namespace |
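
The isolation and access rows of the table, written out as plain Kubernetes manifests. This is an added example, not the project's own templates: the team name, namespace, labels, and the `oidc:` group prefix are assumptions, and a standard RoleBinding stands in for the RBACDefinition resource to show the binding it results in.

```yaml
# Constructed example: team-payments / team-payments-dev are placeholder names.
apiVersion: v1
kind: Namespace
metadata:
  name: team-payments-dev
  labels:
    team: team-payments            # hypothetical mandatory label
    environment-tier: dev          # hypothetical tier label
---
# Default deny-ingress with team-internal allow.
# spec.podSelector {} applies the policy to every pod in the namespace.
# The single ingress rule uses a podSelector without a namespaceSelector,
# which matches only pods in this same namespace, so traffic from other
# teams' namespaces is dropped. Egress is left unrestricted here.
# NetworkPolicy is only enforced when the cluster's CNI plugin supports it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress-allow-team
  namespace: team-payments-dev
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# Group-based access: the subject is the group name exactly as the API server
# sees it from the OIDC groups claim (prefix "oidc:" is an assumption and
# depends on the API server's OIDC groups-prefix setting).
# The binding is namespaced, so the built-in "edit" ClusterRole grants
# rights inside team-payments-dev only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-payments-edit
  namespace: team-payments-dev
subjects:
  - kind: Group
    name: oidc:team-payments
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

Because the binding targets a group rather than individual users, adding or removing a member in Keycloak changes access without touching any cluster object.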
Customization
Platform teams configure onboarding templates in openCenter-gitops-base to define:
- Default quota sizes per environment tier (dev, staging, prod)
- Mandatory labels and annotations
- Required NetworkPolicy templates
- Allowed service tiers from marketplace