Documentation

Core Concepts

Understanding the architectural model of Planbok K8s.

Tenants & Namespaces

The fundamental unit of isolation is the Tenant, which maps 1:1 to a Kubernetes Namespace.

  • Hard Scope: Your kubeconfig is strictly scoped to your namespace (`tenant-{id}`). You cannot list, view, or modify resources outside of it.
  • Network Policy: A default `Deny-All` policy prevents your pods from communicating with other tenants' pods.
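
To check the isolation described above from inside a tenant namespace, this added example (not Planbok's own code) audits the JSON from `kubectl get networkpolicy -o json` for a default-deny baseline and for allow rules that reach past the namespace. NetworkPolicies are additive, so an allow rule with a `namespaceSelector` opens traffic even while the deny-all policy is present. The sample policies, their names and the `tenant-42` id are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get networkpolicy -n tenant-42 -o json`.
# The tenant id, policy names and labels are invented for this example.
SAMPLE = json.loads("""{"items": [
  {"metadata": {"name": "default-deny-all"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "web-from-api"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]}},
  {"metadata": {"name": "allow-metrics"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"namespaceSelector": {}}]}]}}]}""")

DIRECTIONS = {"Ingress": ("ingress", "from"), "Egress": ("egress", "to")}

def has_default_deny(policies, direction):
    """True if a policy selects every pod and lists no allow rules for `direction`."""
    rules_key = DIRECTIONS[direction][0]
    return any(p["spec"].get("podSelector") == {}
               and direction in p["spec"].get("policyTypes", ["Ingress"])
               and not p["spec"].get(rules_key)
               for p in policies)

def cross_namespace_rules(policies):
    """List (policy, direction, reason) for allow rules that reach beyond the namespace."""
    findings = []
    for p in policies:
        name = p["metadata"]["name"]
        for direction, (rules_key, peers_key) in DIRECTIONS.items():
            for rule in p["spec"].get(rules_key) or []:
                peers = rule.get(peers_key) or []
                if not peers:  # a rule without a peer list matches every peer
                    findings.append((name, direction, "no peers"))
                for peer in peers:
                    # podSelector-only peers stay inside the policy's own namespace
                    findings += [(name, direction, f)
                                 for f in ("namespaceSelector", "ipBlock") if f in peer]
    return findings

def audit(doc):
    """Summarise isolation for one namespace's NetworkPolicy list."""
    policies = doc["items"]
    return {"deny_ingress": has_default_deny(policies, "Ingress"),
            "deny_egress": has_default_deny(policies, "Egress"),
            "cross_namespace": cross_namespace_rules(policies)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

On the constructed sample the baseline is present in both directions, and `allow-metrics` is reported because its empty `namespaceSelector` matches every namespace.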

Virtual Nodes

Instead of managing raw servers, you purchase Virtual Nodes. These are abstract units of capacity (e.g., 2 vCPU, 4 GB RAM) that determine your resource quota.

Buying more nodes -> Increases ResourceQuota -> Allows more Pods to be scheduled.

Secrets & Vault

We adhere to a strict Zero Trust model for secrets.

  • We do not store secrets in environment variables in our database.
  • We integrate with HashiCorp Vault.
  • You can use the ExternalSecret CRD to inject secrets securely at runtime.

Ingress & Domains

We use Traefik as the ingress controller. Every tenant gets a wildcard subdomain `*.{tenant}.k8s.planbok.io` automatically.