// the find
loft-sh/kiosk
kiosk 🏢 Multi-Tenancy Extension For Kubernetes - Secure Cluster Sharing & Self-Service Namespace Provisioning
kiosk adds multi-tenancy primitives to any standard Kubernetes cluster: Accounts map to tenants, Spaces are virtual namespace wrappers, and AccountQuotas enforce aggregate resource limits across all namespaces a tenant owns. It targets platform teams who need to share a single cluster among multiple teams or customers without running a full Kubernetes distribution. The repo is archived and no longer maintained.
The Space abstraction over namespaces is genuinely clever — by using a virtual API resource backed by an API server extension rather than a CRD, kiosk can return filtered namespace lists per user, which raw Kubernetes RBAC cannot do. AccountQuota aggregating resource usage across multiple namespaces solves a real gap that native ResourceQuotas miss. Template + TemplateInstance tracking with optional sync is a clean pattern for namespace bootstrapping that avoids ad-hoc init scripts. The Helm chart install path is simple and the RBAC design is layered correctly: admins configure, users self-serve within those bounds.
The repo is archived — loft-sh moved on, and adopting this means owning the code yourself forever. It targets Kubernetes v1.14+, which means it predates several API changes (PodSecurityPolicy was removed in 1.25, NetworkPolicy semantics shifted), and the templates in the examples reference deprecated resources. There is no built-in user management, which is not inherently wrong, but the docs punt to external solutions without a clear recommended path for most teams. Multi-cluster tenant management was listed as 'coming soon' in the roadmap and never shipped.