Open gbenhaim opened 2 months ago
In the comments, you allude to kyverno as an alternative tool. I see in their docs about generate rules how kyverno could be used to put quotas and other foundational resources in place when a user tenant namespace is created. That helps with workspace provisioning by populating new workspaces, but it doesn't on its own solve how to create namespaces in the first place. How will tenant namespaces be created in the first place?
@ralphbean, @arewm I imagine a button in the UI that will let the authenticated user create a namespace. Kyverno can be used for giving the user that issued the request admin permissions on the namespace. Kyverno can also be used for limiting the number of namespaces each user can create. If giving permission to any user to create a namespace is too permissive, I can imagine giving the permissions to a subset of people in the organization (such as project/program managers) and then they can create namespaces for their teams.
There can also be a non-UI flow: create the namespaces using GitOps. In this case the role binding for the admin user would need to be specified explicitly.
I accepted some of the suggestions, and tried to provide feedback on all of the comments. If there aren't any objections, I will close all the threads early next week and the next step will be to merge this PR.
This ADR revisits the concept of a Workspace and suggests an alternative for it.