
Organizations

Multi-tenant organization isolation for RGD catalog and instance visibility

Organizations provide multi-tenant isolation in Knodex Enterprise. Each Knodex deployment belongs to one organization, and RGDs can be scoped so that only the matching organization sees them.

Overview

The organization model has three layers:

| Layer | Mechanism | Scope |
|---|---|---|
| Organization | knodex.io/organization label | Isolates RGDs between tenants |
| Project | knodex.io/project label | Restricts visibility within an org |
| Shared catalog | No scoping labels | Visible to all organizations |

Most RGDs are shared across organizations (common infrastructure templates). Organization scoping is for tenant-specific templates that should not be visible to other tenants.

Configuration

Server Identity

Set the organization identity via the KNODEX_ORGANIZATION environment variable:

# Helm values.yaml
env:
  KNODEX_ORGANIZATION: "orgA"

| Configuration | Behavior |
|---|---|
| KNODEX_ORGANIZATION=orgA | Server identifies as "orgA" |
| KNODEX_ORGANIZATION not set | Defaults to "default" |
| KNODEX_ORGANIZATION="" | Defaults to "default" |

The server logs the configured organization at startup:

level=INFO msg="server configuration" organization=orgA

RGD Organization Scoping

Labeling RGDs

Add the knodex.io/organization label to restrict an RGD to a specific organization:

apiVersion: kro.run/v1alpha1
kind: ResourceGraphDefinition
metadata:
  name: org-specific-template
  labels:
    knodex.io/organization: orgA
  annotations:
    knodex.io/catalog: "true"
spec:
  # ... RGD spec

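knodex.io/organization must be a label, not an annotation. The server reads it from metadata.labels only. An RGD that carries the key only as an annotation is treated as having no organization label, so under the visibility rules below it stays in the shared catalog and is visible to all organizations.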

Visibility Rules

| RGD Configuration | Visible To |
|---|---|
| No knodex.io/organization label | All organizations (shared catalog) |
| knodex.io/organization: "orgA" | Only organization "orgA" |
| knodex.io/organization: "orgB" | Only organization "orgB" |

Filter Chain

Organization filtering applies as part of the catalog filter chain:

1. knodex.io/catalog: "true"    →  Must be set (gateway)
2. knodex.io/organization       →  Must match server org (Enterprise)
3. knodex.io/project            →  Must match user's project membership

An RGD must pass all applicable filters to appear in the catalog.

OSS Behavior

In OSS builds (no enterprise tag), organization filtering is not applied. All RGDs are visible regardless of the knodex.io/organization label. This ensures backward compatibility.

Examples

Shared RGD (All Organizations)

metadata:
  name: postgres-standard
  annotations:
    knodex.io/catalog: "true"
    knodex.io/description: "Standard PostgreSQL database"
    knodex.io/category: "database"
    # No organization label = visible to ALL orgs

Organization-Specific RGD

metadata:
  name: acme-payment-service
  labels:
    knodex.io/organization: acme-corp
  annotations:
    knodex.io/catalog: "true"
    knodex.io/description: "ACME payment processing service"
    knodex.io/category: "application"

Organization + Project Scoping

Combine organization and project scoping for fine-grained visibility:

metadata:
  name: acme-payments-internal
  labels:
    knodex.io/organization: acme-corp
    knodex.io/project: proj-payments-team
  annotations:
    knodex.io/catalog: "true"
    knodex.io/deployment-modes: "gitops"
    knodex.io/description: "Internal payment service for ACME payments team"

This RGD is visible only to members of proj-payments-team within the acme-corp organization.

Visibility Matrix

| knodex.io/catalog | knodex.io/organization | knodex.io/project | Visible To |
|---|---|---|---|
| "true" | (not set) | (not set) | All authenticated users in all orgs |
| "true" | "orgA" | (not set) | All authenticated users in orgA |
| "true" | (not set) | proj-team | Members of proj-team in all orgs |
| "true" | "orgA" | proj-team | Members of proj-team in orgA only |
| (not set) | any | any | No one (not in catalog) |
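
The filter chain and the matrix above, as an added Go example (not Knodex's own code): `Visible` applies the three filters in the documented order for an Enterprise server, and `MisplacedOrg` flags an RGD whose organization key was set as an annotation and is therefore still served from the shared catalog. The `RGD` type, the function names and the sample RGD are hypothetical.

```go
package main

import "fmt"

const (
	catalogKey = "knodex.io/catalog"      // annotation, per the page
	orgKey     = "knodex.io/organization" // label, per the page
	projectKey = "knodex.io/project"      // label, per the page
)

// RGD holds only the metadata the filter chain reads (hypothetical type).
type RGD struct{ Labels, Annotations map[string]string }

// Visible applies the three documented filters in order for an Enterprise
// server whose organization is serverOrg ("" falls back to "default").
func Visible(r RGD, serverOrg string, userProjects []string) bool {
	if serverOrg == "" {
		serverOrg = "default"
	}
	if r.Annotations[catalogKey] != "true" { // 1. catalog gateway
		return false
	}
	if org, ok := r.Labels[orgKey]; ok && org != serverOrg { // 2. organization
		return false
	}
	proj, scoped := r.Labels[projectKey] // 3. project membership
	if !scoped {
		return true
	}
	for _, p := range userProjects {
		if p == proj {
			return true
		}
	}
	return false
}

// MisplacedOrg reports an organization key set only as an annotation.
func MisplacedOrg(r RGD) bool {
	_, asAnnotation := r.Annotations[orgKey]
	_, asLabel := r.Labels[orgKey]
	return asAnnotation && !asLabel
}

func main() {
	// Constructed sample: tenant template with the org key in the wrong place.
	leaky := RGD{Annotations: map[string]string{catalogKey: "true", orgKey: "acme-corp"}}
	fmt.Println(Visible(leaky, "orgB", nil), MisplacedOrg(leaky))
}
```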

UI Display

The organization name appears in the Knodex header when configured:

  • Named organization (KNODEX_ORGANIZATION=acme-corp): "acme-corp" displays in the header
  • Default (KNODEX_ORGANIZATION not set): Organization name is hidden

Long organization names are truncated with a tooltip showing the full name.

