From 1b58d9c1334e6b62af32abc602d8a135c8a986bc Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Tue, 23 Jan 2024 15:12:48 +0100 Subject: [PATCH 01/11] feat: configuring a user namespace Signed-off-by: Anatolii Bazko --- modules/administration-guide/nav.adoc | 1 + .../pages/configuring-a-user-namespace.adoc | 96 +++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 modules/administration-guide/pages/configuring-a-user-namespace.adoc diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc index df151325ad..1ee8687645 100644 --- a/modules/administration-guide/nav.adoc +++ b/modules/administration-guide/nav.adoc @@ -42,6 +42,7 @@ *** xref:deploying-che-with-support-for-git-repositories-with-self-signed-certificates.adoc[] *** xref:configuring-workspaces-nodeselector.adoc[] *** xref:configuring-the-open-vsx-registry-url.adoc[] +*** xref:configuring-a-user-namespace.adoc[] ** xref:caching-images-for-faster-workspace-start.adoc[] *** xref:defining-the-list-of-images-to-pull.adoc[] *** xref:defining-the-memory-parameters-for-the-image-puller.adoc[] diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc new file mode 100644 index 0000000000..e233d76948 --- /dev/null +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc 
@@ -0,0 +1,96 @@
+:_content-type: PROCEDURE
+:description: Configuring a user namespace
+:keywords: administration guide, configuring, user, namespace
+:navtitle: Configuring a user namespace
+:page-aliases:
+
+[id="configuring-a-user-namespace"]
+= Configuring a user namespace
+
+This procedure walks through the process of using the {prod-short}
+to replicate `ConfigMaps`, `Secrets` and `PersistentVolumeClaim` from `{prod-namespace}` namespace to numerous
+user-specific namespaces. The operator automates the synchronization of important configuration
+data such as passwords, ssh-keys, certificates etc to users' namespaces.
+
+If a {kubernetes} resource is changed in an {prod-namespace} namespace,
+the operator will immediately replicate the changes across all users namespaces.
+In reverse, if a {kubernetes} resource is modified in a user namespace,
+the operator will immediately revert the changes.
+
+The special logic is used for 'PersistentVolumeClaim' resources. If a 'PersistentVolumeClaim'
+is updated in {prod-namespace} or user namespaces, it will not be replicated or reverted due
+to its readonly specification. To modify the 'PersistentVolumeClaim' specification, delete it and create a new one
+in {prod-namespace} namespace.
+
+.Procedure
+* Create the `ConfigMap` below to replicate it to every user namespace.
++
+The following labels will be added to a replicated ConfigMap automatically:
+`"controller.devfile.io/watch-configmap":"true"` and `"controller.devfile.io/mount-to-devworkspace":"true"`.
++
+To enhance the configurability, you can customize the `Secret` by adding additional labels and annotations.
+See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets]
+for other possible setup labels and annotations.
++
+[source,yaml,subs="+attributes,+quotes"]
+----
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: user-configmap
+ namespace: {prod-namespace}
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+data:
+...
+----
+
+* Create the `Secret` below to replicate it to every user namespace.
++
+The following labels will be added to a replicated Secret automatically:
+`"controller.devfile.io/watch-secret":"true"` and `"controller.devfile.io/mount-to-devworkspace":"true"`.
++
+To enhance the configurability, you can customize the `Secret` by adding additional labels and annotations.
+See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets]
+for other possible setup labels and annotations.
++
+[source,yaml,subs="+attributes,+quotes"]
+----
+kind: Secret
+apiVersion: v1
+metadata:
+ name: user-secret
+ namespace: {prod-namespace}
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+stringData:
+...
+----
+
+* Create the `PersistentVolumeClaim` below to replicate it to every user namespace.
++
+To enhance the configurability, you can customize the `PersistentVolumeClaim` by adding additional labels and annotations.
+See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets]
+for other possible setup labels and annotations.
++
+[source,yaml,subs="+attributes,+quotes"]
+----
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: user-pvc
+ namespace: eclipse-che
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+spec:
+...
+---- + +.Additional resources +* xref:end-user-guide:mounting-configmaps.adoc[] +* xref:end-user-guide:mounting-secrets.adoc[] +* link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets] + From 70c72e92daf8e2249584c84b0da9affa205ac7c0 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 25 Jan 2024 10:56:26 +0100 Subject: [PATCH 02/11] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-a-user-namespace.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index e233d76948..357b6afe65 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc @@ -10,7 +10,7 @@ This procedure walks through the process of using the {prod-short} to replicate `ConfigMaps`, `Secrets` and `PersistentVolumeClaim` from `{prod-namespace}` namespace to numerous user-specific namespaces. The operator automates the synchronization of important configuration -data such as passwords, ssh-keys, certificates etc to users' namespaces. +data such as passwords, SSH keys, and certificates to user namespaces. If a {kubernetes} resource is changed in an {prod-namespace} namespace, the operator will immediately replicate the changes across all users namespaces. From 44c7953cd1d862440b72c5666700c4e04f747d9c Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Tue, 30 Jan 2024 10:22:27 +0100 Subject: [PATCH 03/11] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-a-user-namespace.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index 357b6afe65..d3d813a320 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc @@ -7,7 +7,7 @@ [id="configuring-a-user-namespace"] = Configuring a user namespace -This procedure walks through the process of using the {prod-short} +This procedure walks you through the process of using {prod-short} to replicate `ConfigMaps`, `Secrets` and `PersistentVolumeClaim` from `{prod-namespace}` namespace to numerous user-specific namespaces. The operator automates the synchronization of important configuration data such as passwords, SSH keys, and certificates to user namespaces. From cbbb1473d5f096d1fd1a9360625cce0d636b7f6a Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Tue, 30 Jan 2024 10:23:00 +0100 Subject: [PATCH 04/11] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-a-user-namespace.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index d3d813a320..e14e1c8d09 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc 
@@ -12,7 +12,7 @@ to replicate `ConfigMaps`, `Secrets` and `PersistentVolumeClaim` from `{prod-nam user-specific namespaces. The operator automates the synchronization of important configuration data such as passwords, SSH keys, and certificates to user namespaces. -If a {kubernetes} resource is changed in an {prod-namespace} namespace, +If you make changes to a {kubernetes} resource in an {prod-namespace} namespace, the operator will immediately replicate the changes across all users namespaces. In reverse, if a {kubernetes} resource is modified in a user namespace, the operator will immediately revert the changes. From a0555eba071fce8bb5e4073ad6a5e9a0c64b4463 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Tue, 30 Jan 2024 10:24:37 +0100 Subject: [PATCH 05/11] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-a-user-namespace.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index e14e1c8d09..b8de8b2c53 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc 
@@ -17,8 +17,8 @@ the operator will immediately replicate the changes across all users namespaces. In reverse, if a {kubernetes} resource is modified in a user namespace, the operator will immediately revert the changes. -The special logic is used for 'PersistentVolumeClaim' resources. If a 'PersistentVolumeClaim' -is updated in {prod-namespace} or user namespaces, it will not be replicated or reverted due +Special logic is used for 'PersistentVolumeClaim' resources. If you update 'PersistentVolumeClaim' +in {prod-namespace} or user namespaces, it will not be replicated or reverted due to its readonly specification. To modify the 'PersistentVolumeClaim' specification, delete it and create a new one in {prod-namespace} namespace. From a1cb7c89e13c74ce0fc66440788833df9f013a37 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Tue, 30 Jan 2024 10:24:44 +0100 Subject: [PATCH 06/11] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-a-user-namespace.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index b8de8b2c53..ca75282132 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc @@ -19,7 +19,7 @@ the operator will immediately revert the changes. Special logic is used for 'PersistentVolumeClaim' resources. If you update 'PersistentVolumeClaim' in {prod-namespace} or user namespaces, it will not be replicated or reverted due -to its readonly specification. To modify the 'PersistentVolumeClaim' specification, delete it and create a new one +to its read-only specification. To modify the 'PersistentVolumeClaim' specification, delete it and create a new one in {prod-namespace} namespace. .Procedure 
From 84fc69978bf45be1113a52f79f70f343b5959903 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Tue, 30 Jan 2024 10:24:56 +0100 Subject: [PATCH 07/11] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-a-user-namespace.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index ca75282132..ceea6149b0 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc @@ -23,7 +23,7 @@ to its read-only specification. To modify the 'PersistentVolumeClaim' specificat in {prod-namespace} namespace. .Procedure -* Create the `ConfigMap` below to replicate it to every user namespace. +. Create the `ConfigMap` below to replicate it to every user namespace. + The following labels will be added to a replicated ConfigMap automatically: `"controller.devfile.io/watch-configmap":"true"` and `"controller.devfile.io/mount-to-devworkspace":"true"`. @@ -46,7 +46,7 @@ data: ... ---- -* Create the `Secret` below to replicate it to every user namespace. +. Create the `Secret` below to replicate it to every user namespace. + The following labels will be added to a replicated Secret automatically: `"controller.devfile.io/watch-secret":"true"` and `"controller.devfile.io/mount-to-devworkspace":"true"`. 
@@ -69,7 +69,7 @@ stringData: ... ---- -* Create the `PersistentVolumeClaim` below to replicate it to every user namespace. +. Create the `PersistentVolumeClaim` below to replicate it to every user namespace. + To enhance the configurability, you can customize the `PersistentVolumeClaim` by adding additional labels and annotations. See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets] From d6de623f6cf00cf041a03484c40ed50d050ced50 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Tue, 30 Jan 2024 10:26:14 +0100 Subject: [PATCH 08/11] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc --- .../pages/configuring-a-user-namespace.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index ceea6149b0..303ecc0196 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc @@ -81,7 +81,7 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: user-pvc - namespace: eclipse-che + namespace: {prod-namespace} labels: app.kubernetes.io/part-of: che.eclipse.org app.kubernetes.io/component: workspaces-config From 1bce97117f60338b57d6e8a03e69985d3083b913 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Wed, 31 Jan 2024 10:46:19 +0100 Subject: [PATCH 09/11] Improvements Signed-off-by: Anatolii Bazko --- .../pages/configuring-a-user-namespace.adoc | 128 +++++++++++++++--- 1 file changed, 107 insertions(+), 21 deletions(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index 303ecc0196..b7b38fb192 100644 
--- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc @@ -9,7 +9,7 @@ This procedure walks you through the process of using {prod-short} to replicate `ConfigMaps`, `Secrets` and `PersistentVolumeClaim` from `{prod-namespace}` namespace to numerous -user-specific namespaces. The operator automates the synchronization of important configuration +user-specific namespaces. The {prod-short} automates the synchronization of important configuration data such as passwords, SSH keys, and certificates to user namespaces. If you make changes to a {kubernetes} resource in an {prod-namespace} namespace, 
@@ -17,20 +17,12 @@ the operator will immediately replicate the changes across all users namespaces. In reverse, if a {kubernetes} resource is modified in a user namespace, the operator will immediately revert the changes. -Special logic is used for 'PersistentVolumeClaim' resources. If you update 'PersistentVolumeClaim' -in {prod-namespace} or user namespaces, it will not be replicated or reverted due -to its read-only specification. To modify the 'PersistentVolumeClaim' specification, delete it and create a new one -in {prod-namespace} namespace. - .Procedure + . Create the `ConfigMap` below to replicate it to every user namespace. -+ -The following labels will be added to a replicated ConfigMap automatically: -`"controller.devfile.io/watch-configmap":"true"` and `"controller.devfile.io/mount-to-devworkspace":"true"`. -+ -To enhance the configurability, you can customize the `Secret` by adding additional labels and annotations. +To enhance the configurability, you can customize the `ConfigMap` by adding additional labels and annotations. See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets] -for other possible setup labels and annotations. +for other possible labels and annotations. + [source,yaml,subs="+attributes,+quotes"] ---- 
@@ -43,17 +35,38 @@ metadata: app.kubernetes.io/part-of: che.eclipse.org app.kubernetes.io/component: workspaces-config data: -... + ... +---- ++ +.Mounting a `settings.xml` file to a user workspace: +==== +[source,yaml,subs="+attributes,+quotes"] ---- +kind: ConfigMap +apiVersion: v1 +metadata: + name: user-settings-xml + namespace: {prod-namespace} + labels: + app.kubernetes.io/part-of: che.eclipse.org + app.kubernetes.io/component: workspaces-config + annotations: + controller.devfile.io/mount-as: subpath + controller.devfile.io/mount-path: /home/user/.m2 +data: + settings.xml: | + + /home/user/.m2/repository + true + false + +---- +==== . Create the `Secret` below to replicate it to every user namespace. -+ -The following labels will be added to a replicated Secret automatically: -`"controller.devfile.io/watch-secret":"true"` and `"controller.devfile.io/mount-to-devworkspace":"true"`. -+ To enhance the configurability, you can customize the `Secret` by adding additional labels and annotations. See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets] -for other possible setup labels and annotations. +for other possible labels and annotations. + [source,yaml,subs="+attributes,+quotes"] ---- 
@@ -65,16 +78,78 @@ metadata: labels: app.kubernetes.io/part-of: che.eclipse.org app.kubernetes.io/component: workspaces-config +data: + ... +---- ++ +.Mounting certificates to a user workspace: +==== +[source,yaml,subs="+attributes,+quotes"] +---- +kind: Secret +apiVersion: v1 +metadata: + name: user-certificates + namespace: {prod-namespace} + labels: + app.kubernetes.io/part-of: che.eclipse.org + app.kubernetes.io/component: workspaces-config + annotations: + controller.devfile.io/mount-as: subpath + controller.devfile.io/mount-path: /etc/pki/ca-trust/source/anchors +stringData: + trusted-certificates.crt: | + ... +---- +NOTE: Run `update-ca-trust` command on workspace startup to import certificates. +It can be achieved manually or by adding this command to a `postStart` event in a devfile. +See the link:https://devfile.io/docs/2.2.2/adding-event-bindings#post-start-object[Adding event bindings in a devfile]. +==== ++ +.Mounting environment variables to a user workspace: +==== +[source,yaml,subs="+attributes,+quotes"] +---- +kind: Secret +apiVersion: v1 +metadata: + name: user-env + namespace: {prod-namespace} + labels: + app.kubernetes.io/part-of: che.eclipse.org + app.kubernetes.io/component: workspaces-config + annotations: + controller.devfile.io/mount-as: env stringData: -... + ENV_VAR_1: value_1 + ENV_VAR_2: value_2 ---- +==== . Create the `PersistentVolumeClaim` below to replicate it to every user namespace. + To enhance the configurability, you can customize the `PersistentVolumeClaim` by adding additional labels and annotations. See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets] -for other possible setup labels and annotations. +for other possible labels and annotations. ++ +To modify the 'PersistentVolumeClaim', delete it and create a new one in {prod-namespace} namespace. 
++ +[source,yaml,subs="+attributes,+quotes"] +---- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: user-pvc + namespace: {prod-namespace} + labels: + app.kubernetes.io/part-of: che.eclipse.org + app.kubernetes.io/component: workspaces-config +spec: + ... +---- + +.Mounting a `PersistentVolumeClaim` to a user workspace: +==== [source,yaml,subs="+attributes,+quotes"] ---- apiVersion: v1 @@ -85,12 +160,23 @@ metadata: labels: app.kubernetes.io/part-of: che.eclipse.org app.kubernetes.io/component: workspaces-config + controller.devfile.io/mount-to-devworkspace: 'true' + annotations: + controller.devfile.io/mount-path: ____ <1> + controller.devfile.io/read-only: 'true' spec: -... + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + volumeMode: Filesystem ---- +==== .Additional resources * xref:end-user-guide:mounting-configmaps.adoc[] * xref:end-user-guide:mounting-secrets.adoc[] +* xref:end-user-guide:requesting-persistent-storage-for-workspaces.adoc[] * link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets] From f16b96b10f70d48eb6eaa29a2bd9d52136b65940 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Wed, 31 Jan 2024 11:08:41 +0100 Subject: [PATCH 10/11] fixups Signed-off-by: Anatolii Bazko --- .../pages/configuring-a-user-namespace.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index b7b38fb192..713af6e7dd 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc 
@@ -162,7 +162,7 @@ metadata: app.kubernetes.io/component: workspaces-config controller.devfile.io/mount-to-devworkspace: 'true' annotations: - controller.devfile.io/mount-path: ____ <1> + controller.devfile.io/mount-path: /home/user/data controller.devfile.io/read-only: 'true' spec: accessModes: From 4cff5991c99852aeb63cbf7d173f901f75087130 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Wed, 31 Jan 2024 16:20:37 +0100 Subject: [PATCH 11/11] fixups Signed-off-by: Anatolii Bazko --- .../pages/configuring-a-user-namespace.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc index 713af6e7dd..70001fd235 100644 --- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc +++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc @@ -13,9 +13,9 @@ user-specific namespaces. The {prod-short} automates the synchronization of impo data such as passwords, SSH keys, and certificates to user namespaces. If you make changes to a {kubernetes} resource in an {prod-namespace} namespace, -the operator will immediately replicate the changes across all users namespaces. +{prod-short} will immediately replicate the changes across all users namespaces. In reverse, if a {kubernetes} resource is modified in a user namespace, -the operator will immediately revert the changes. +{prod-short} will immediately revert the changes. .Procedure