Skip to main content

Platform - Teams

About Teams in APL

  • Teams are isolated tenants on the platform to support Development/DevOps teams, projects or even DTAP.

  • A team will get access to APL Console, providing access to self-service features and all the shared apps available on the platform.

  • Teams can choose to receive alerts in Microsoft Teams, Slack or email and each team will get access to a project in Harbor.

  • Teams can be allowed self-service features like configure ingress, configure a notification receiver for alerts, change the OIDC group mappings and download the KubeConfig.

Team Admin

By default, APL creates a team called Team Admin. Admins can use this team to expose any service in the team-admin namespace, but also in custom (created by the admin) namespaces.

See Team Services for more info about how to create Services in APL and how to configure ingress. The only difference here is that when creating Services in Team Admin, the admin can also select the namespace of the service.

Another difference between the Team Admin and regular Teams is that Team Admin does not have apps and it is not possible to configure any settings for the team-admin namespace.

Creating a Team

  1. Login with a user who is a member of the otomi-admin or team-admin role.

  2. Provide a name for the team (lowercase). The teamname can not be changed afterwards! Creating a team will result in the creation of namespace team-$NAME. The name of a team can be max 12 characters.

  3. Optional: Provide a OIDC group name/id granting for granting access to team. Only members of the group will get access to the team.

  4. Optional: Configure Managed Monitoring. This allows Teams to get a dedicated Grafana, Prometheus and Alert Manager instance. Select Private to disable cross-team access and isolate access to Team monitoring resources.

  5. Optional (only when Alert Manager is enabled for the team): In order to receive alerts, please choose an alerting endpoint:

OptionDescription
SlackNeeds a slack webhook url that will give alerts for warnings and criticals
Microsoft TeamsNeeds two alerting endpoints, for both warnings as well as criticals
EmailYou may provide a list of email addresses for both 'Non Critical' and 'Critical'
If none selectedGlobal (admin) alerting endpoint configuration will be used
  1. Optional: Add Resource Quotas.

When required, add resource quota for the team. The resource quota should adhere to the "spec.hard" format as described here.

Note

There is no validation as there is no schema published. Add/change resource quota at your own risk.

  1. Turn Network Policy On/Off for the team:
OptionDescription
Network policiesWhen enabled team services will be bound by (ingress) network policies
Egress controlWhen enabled team service egress traffic will be limited to pre-defined external endpoints only
  1. Add Team self service flags:

A user with the otomi-admin and team-admin role can delegate permissions to modify certain configuration parameters to the team.

SectionOptionDescription
ServiceIngressSelect to grant the team the permission to configure exposure for Services
PoliciesEdit PoliciesSelect to grant the team to edit security policies
Team SettingsManaged MonitoringSelect to grant the team the permission to change the managed monitoring configuration
Team SettingsOidcSelect to grant the team the permission to configure OIDC for the team
Team SettingsAlertsSelect to grant the team the permission to configure Alerts for the team
Team SettingsResource quotaSelect to grant the team the permission to configure Resource Quota for the team
Team settingsNetwork policySelect to grant the team the permission to configure network polices
AccessShellSelect to grant the team the permission to use the cloud shell
AccessDownload kube configSelect to grant the team the permission to download the KubeConfig to get Kube API access to the teams namespace
AccessDownload docker configSelect to grant the team the permission to download the Dockerconfig for the teams project in Harbor
AccessDownload certificate authoritySelect to grant the team the permission to download the CA (only when APL is deployed with a generated CA)