Skip to main content

Platform - Teams

  • Teams are tenants on the platform to support Development/DevOps teams, projects or even DTAP
  • A team will get access to Otomi Console, providing access to all the shared apps available on the platform
  • Teams can choose to receive alerts in Microsoft Teams, Slack or email and each team will get access to a project in Harbor and a space in Vault to manage secrets
  • Teams can be allowed self-service features like configure ingress, configure a notification receiver for alerts, change the OIDC group mappings and download the KubeConfig.

Team Admin

By default, Otomi creates a team called Team Admin. Admins can use this team to expose any service in the team-admin namespace, but also in other namespaces.

see Team Services for more info about how to create Services in Otomi and how to configure ingress. The only difference here is that when creating Services in Team Admin, the admin can also select the namespace of the service.

Another difference between the Team Admin and user created Teams is that Team Admin does not have apps and it is not possible to configure any settings for the team-admin namespace.

Creating new Teams

  1. Login with a user who is a member of the otomi-admin or team-admin role

  2. Provide a name for the team (lowercase). The teamname can not be changed afterwards! Creating a team will result in the creation of namespace team-$NAME

  3. Optional: Provide a OIDC group name/id granting for granting access to team. Only members of the group will get access to the team

  4. Optional (only when multi-tenancy is enabled): In order to receive alerts, please choose an alerting endpoint:

OptionDescription
SlackNeeds a slack webhook url that will give alerts for warnings and criticals
Microsoft TeamsNeeds two alerting endpoints, for both warnings as well as criticals
EmailYou may provide a list of email addresses for both 'Non Critical' and 'Critical'
If none selectedGlobal (admin) alerting endpoint configuration will be used
  1. Add Resource Quotas

When required, add resource quota for the team. The resource quota should adhere to the "spec.hard" format as described here.

Note

There is no validation as there is no schema published. Add/change resource quota at your own risk.

  1. Configure Azure Monitor
note

Configuring Azure Monitor settings will only be active when cluster.provider=azure).

Azure Monitor is the platform service that provides a single source for monitoring Azure resources.

OptionDescription
No Azure monitoring-
Azure monitoring with global settingsTakes on the global settings
Azure monitoring with custom settingsOverrides any global settings
  1. Turn Network Policy On/Off for the team
OptionDescription
Network policiesWhen enabled team services will be bound by (ingress) network policies
Egress controlWhen enabled team service egress traffic will be limited to pre-defined endpoints only
  1. Add Team self service flags

A user with the otomi-admin and team-admin role can delegate permissions to modify certain configuration parameters to the team.

SectionOptionDescription
ServiceIngressSelect to grant the team the permission to configure exposure for Services
ServiceNetwork policySelect to grant the team the permission to configure network polices
TeamAlertsSelect to grant the team the permission to configure Alerts for the team
TeamOidcSelect to grant the team the permission to configure OIDC for the team
TeamResource quotaSelect to grant the team the permission to configure Resource Quota for the team
TeamDownload kube configSelect to grant the team the permission to download the KubeConfig file
TeamNetwork PolicySelect to grant the team the permission to turn on/off network policies
AppsArgoCDSelect to provide team members access to the teams' Gitops repository in Gitea
AppsGiteaSelect to provide team members access to Gitea