Get started in less than 5 minInstall now
Knodex logo
Knodex
Demo
All Tiers

Projects: Team Isolation Made Simple

Give every team their own space. No more namespace collisions or permission headaches.

The Challenge

"

We have multiple teams sharing the same cluster, but I need to ensure they can only deploy to their own namespaces. Managing this with raw Kubernetes RBAC is a nightmare.

Multi-tenancy in Kubernetes requires complex RBAC configuration, namespace management, and policy enforcement. Teams familiar with ArgoCD know the pain and expect the same project-based model.

The Solution

ArgoCD-Aligned Project Model

Knodex implements a multi-tenant RBAC system aligned with ArgoCD patterns. Projects are defined as CRDs, each with its own namespace, custom roles, and Casbin-based policies. Map OIDC groups to roles directly in the Project spec. Two built-in global roles (admin and readonly) plus custom project-scoped roles (admin, developer, readonly, or your own) give you the same governance model ArgoCD teams already know, extended to the full deployment experience.

Back to Projects
default-project
Default Project
3 roles
1 destination
OverviewRolesDestinations
Project Roles
3 roles defined
Add Role
platform-admin
Full access to project resources
developerBuilt-in
Deploy and manage instances within the project
viewerBuilt-in
Read-only access to project resources

Key Capabilities

Multi-tenancy without the complexity

Project CRD with Namespace Isolation

Each project is a Kubernetes CRD that provisions its own namespace. Teams deploy within their space, and only their space. No cross-tenant access by default.

Custom Roles in Project Spec

Define admin, developer, readonly, or custom roles directly in the Project CRD. Each role carries explicit Casbin policies scoped to the project's resources.

OIDC Group Mapping

Map your identity provider groups to project roles. Users authenticate via OIDC and are automatically assigned permissions. No manual user provisioning.

Scoped Catalog Access

Label RGDs with a project to restrict catalog visibility. Only project members see team-specific services. Shared templates remain available to everyone.

Multi-Project Membership

Users can belong to multiple projects with different roles. An engineer can be admin on their team's project and readonly on another, and permissions resolve automatically by precedence.

Two Built-In Global Roles

Platform-wide admin and readonly roles for operators and auditors. No project configuration needed. Assign via OIDC group and get immediate cross-project access.

Organize Your Teams Today

Multi-tenancy shouldn't require a PhD in Kubernetes.

InstallView Pricing