kubesphere-devops-tenantlisted

# KubeSphere DevOps Tenant Operations ## Overview This guide covers DevOps operations for **namespace-scoped tenants** who: - Have admin/operator permissions within their DevOpsProject namespace(s) - **Cannot** access `kubesphere-devops-system` (Jenkins secrets, tokens) - **Cannot** call Jenkins APIs directly - Must use **KubeSphere APIs** (`/kapis/devops.kubesphere.io/`) for all operations - Use **KubeSphere authentication** (OAuth tokens), not Jenkins tokens **Critical Distinction:** DevOps projects are **namespaces**, not DevOpsProject CRs. To list accessible DevOps projects: ```bash # Correct - lists namespaces (DevOps projects) tenant can access GET /clusters/{cluster}/kapis/devops.kubesphere.io/v1alpha3/workspaces/{workspace}/namespaces # Wrong - requires cluster-admin, returns 403 for tenants GET /clusters/{cluster}/apis/devops.kubesphere.io/v1alpha3/devopsprojects ``` ## When to Use - Operating as a project admin/operator (not cluster admin) - Working within tenant namespace boundaries - No access to Jenkins secrets in `kubesphere-devops-system` - Need to trigger pipelines via KubeSphere API - Building automation for namespace-scoped users - Developing tenant-facing tooling ## Tenant vs Admin Permissions | Capability | Tenant (Namespace) | Admin (Cluster) | |------------|-------------------|-----------------| | Access DevOpsProject | ✅ Own namespace(s) | ✅ All namespaces | | Create/Edit Pipelines | ✅ In own namespace | ✅ Any namespace | | View PipelineRuns | ✅