Installation mode types

In a Kubernetes cluster, Operators can be deployed in different modes concerning the namespace setup. The default installation mode for Airlock Microgateway is AllNamespaces with a single Operator managing all web application Pods with SidecarGateways in a cluster. This is the only installation mode that can be used with the Community edition license.
For production environments, multi-namespace installations are common: the Airlock Microgateway Operator watches and operates web application Pods that are spread across several namespaces. This makes it possible, for example, to separate production from staging and development.

To achieve an optimum level of segregation and low memory consumption of the Operator, we recommend using a static rather than a dynamic MultiNamespace installation.

The installation modes can be configured via the Microgateway Operator Helm chart by setting the operator.watchNamespaces and operator.watchNamespaceSelector values.

Cluster-scoped installation modes

Role-based access control (RBAC) is created cluster-scoped (using ClusterRoles and ClusterRoleBindings) in the respective cluster for the following installation modes:

  • AllNamespaces (default)
  • Dynamic MultiNamespace

In a simple AllNamespaces installation mode, the Airlock Microgateway Operator and web application Pods with SidecarGateways can be deployed in multiple separate namespaces.

In a dynamic MultiNamespace installation mode, the Airlock Microgateway Operator and web application Pods with SidecarGateways are deployed in multiple separate namespaces.

AllNamespaces

The Operator watches all namespaces. watchNamespaces and watchNamespaceSelector are not configured.

  • This mode is limited to a single Operator that watches all namespaces.

DynamicMultiNamespaces

The Operator watches multiple namespaces whose labels match the watchNamespaceSelector. For more information, see the Kubernetes label selectors documentation. You can use --set-json to set JSON values (scalars/objects/arrays) from the command line; see the Helm install documentation.

  • matchLabels and matchExpressions are supported.
  • Namespaces can dynamically be added and removed from the watch scope by changing their labels. Restarting the application pods is required to complete the action. Restarting the Operator Pod is not required.
  • If several Operators are deployed, the administrator must ensure that namespaces exclusively match only one of the Operators.
  • The watchNamespaces list must be left empty.
  • This mode requires a Premium edition license.

Namespace-scoped installation modes

Role-based access control (RBAC) is created namespace-scoped (using Roles and RoleBindings) in the respective namespaces for the following installation modes:

  • Static MultiNamespace
  • SingleNamespace
  • OwnNamespace

In a static MultiNamespace installation mode, the Airlock Microgateway Operator and web application Pods with SidecarGateways are deployed in multiple separate namespaces.

In a SingleNamespace installation mode, the Airlock Microgateway Operator and one or more web application Pods with SidecarGateways are deployed in two separate namespaces.

In an OwnNamespace installation mode, the Airlock Microgateway Operator and one or more web application Pods with SidecarGateways share a single namespace.

StaticMultiNamespace

The Operator watches multiple namespaces according to the watchNamespaces list.

  • The watchNamespaces list contains the namespaces that the Operator should watch.
  • If several Operators are deployed, the administrator must ensure that namespaces exclusively match only one of the Operators.
  • The watchNamespaceSelector list must be left empty.
  • This mode requires a Premium edition license.

SingleNamespace

The Operator watches a single namespace according to the watchNamespaces list.

  • The watchNamespaces list must contain the single namespace of the SidecarGateway resource.
  • If several Operators are deployed, the administrator must ensure that namespaces exclusively match only one of the Operators.
  • In this mode, the Helm test to verify the installation is not available. The test deployment must be disabled with --set tests.enabled=false.
  • The watchNamespaceSelector list must be left empty.
  • This mode requires a Premium edition license.

OwnNamespace

The Operator watches all web application Pods with SidecarGateways in its own namespace.

  • The Operator namespace must be added to the watchNamespaces list.
  • The watchNamespaceSelector list must be left empty.
  • This mode requires a Premium edition license.
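
The requirement that each namespace matches only one Operator can be checked before a rollout. The following Python sketch is an added example, not Airlock code: it evaluates the operator.watchNamespaces and operator.watchNamespaceSelector values of several Operators against namespace labels, assuming standard Kubernetes label selector semantics, and reports namespaces that more than one Operator would watch. The function names, release names, namespaces and labels are hypothetical sample data.

```python
# Added example: checks that no namespace is watched by more than one Operator.
def selector_matches(selector, labels):
    """Kubernetes label selector: matchLabels and matchExpressions are ANDed."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def watches(values, ns_name, ns_labels):
    """True if an Operator with these `operator` Helm values watches the namespace."""
    names = values.get("watchNamespaces") or []
    selector = values.get("watchNamespaceSelector") or {}
    if names and selector:
        raise ValueError("watchNamespaces and watchNamespaceSelector are mutually exclusive")
    if names:
        return ns_name in names  # static MultiNamespace, SingleNamespace, OwnNamespace
    return selector_matches(selector, ns_labels)  # empty selector: AllNamespaces

def find_conflicts(operators, namespaces):
    """Return {namespace: [releases]} for namespaces matched by several Operators."""
    conflicts = {}
    for ns, labels in namespaces.items():
        owners = sorted(r for r, v in operators.items() if watches(v, ns, labels))
        if len(owners) > 1:
            conflicts[ns] = owners
    return conflicts

# Constructed sample data: release name -> `operator` values, namespace -> labels.
OPERATORS = {
    "mgw-prod": {"watchNamespaces": ["shop-prod", "pay-prod"]},
    "mgw-nonprod": {"watchNamespaceSelector": {"matchExpressions": [
        {"key": "env", "operator": "In", "values": ["staging", "dev"]}]}},
}
NAMESPACES = {
    "shop-prod": {"env": "prod"},
    "pay-prod": {"env": "staging"},  # mislabeled: the selector of mgw-nonprod matches too
    "shop-dev": {"env": "dev"},
}

if __name__ == "__main__":
    for ns, owners in find_conflicts(OPERATORS, NAMESPACES).items():
        print(f"{ns}: watched by {', '.join(owners)}")
```

With the sample data, pay-prod is reported because it is in the static list of one Operator and its label also matches the selector of the other.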

General benefits and use cases of the available installation modes

Installation mode: Static/Dynamic MultiNamespace

  • Multiple projects within an organization: Companies often have multiple projects under development simultaneously. Multi-namespace allows you to organize these projects independently without conflicts between resources.
  • Testing and staging environments: Create separate namespaces for testing and staging environments to ensure that changes made in one environment do not affect the other.
  • Upgrade scenario: Run different Airlock Microgateway versions in the same Kubernetes cluster. This is applicable for Airlock Microgateway versions 4.3 and later.

Installation mode: Static MultiNamespace

  • Multiple tenants in a shared cluster: In a shared cluster, you can use different namespaces for each tenant, providing an extra layer of isolation between them. The recommended installation mode is static MultiNamespace.

Installation mode: OwnNamespace

  • Self-contained installations: Installation mode OwnNamespace allows simple, namespace-scoped installations.