
Provisioner Service

The Provisioner is the platform component responsible for the full lifecycle of a workspace in Kubernetes — from assembling its configuration to creating or removing its resources.

The diagram below shows a high-level architecture with the Provisioner as the core component.

The following sequence outlines the high-level interaction points for the Provisioner.

  • Connectivity. The API server and SSH Proxy interact with the Provisioner to look up workspaces, request provisioning, and trigger workspace deletion.
  • Blueprint assembly. Before any Kubernetes resource is created, the blueprint manager resolves and assembles the workspace blueprint. Blueprints can inherit from higher-level definitions, and the manager merges the inheritance chain into a single resolved configuration that drives all subsequent steps.
  • Resource provisioning. The Provisioner verifies the user's identity, retrieves any custom blueprints, and assembles the final workspace blueprint.
  • Authorization. The Provisioner evaluates authorization policies for workspace provisioning and applies any obligations that may alter the final assembled blueprint. See Workspace domain for more details.
  • Provisioning. The Provisioner uses the Kubernetes API to create the workspace resource set. Depending on the deployment model, it either creates a standalone pod or injects the workspace into an existing workload by patching its pod template.
  • Startup monitoring. The Provisioner monitors the workspace startup process and publishes provisioning events to NATS. These events can be queried via the workspace status API and track progression until the workspace is ready or a failure is detected.
  • Deletion and eject. When a workspace is stopped or deleted, the Provisioner removes the associated Kubernetes resources. For injected workspaces it performs an eject — reversing the pod template patch and deleting the namespaced resources created at injection time.
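The steps above (blueprint inheritance resolution, policy obligations that alter the assembled blueprint, injection into an existing workload by patching its pod template, and the eject that reverses it) are shown below as an added, self-contained example. It is not the Provisioner's own code: the blueprint fields, the `inherits` key, the `workspace.example/injected-` annotation prefix, and the Deployment-like `WORKLOAD` dict are all constructed here for illustration, and the pod-template patch is modelled as an in-memory edit rather than a call to the Kubernetes API. Two points a reviewer would look for are built in: an obligation the code cannot honour raises instead of being silently skipped, and eject removes only the container and volume names recorded at injection time, never the workload's own.

```python
import copy
import json

# Constructed blueprint catalogue (all names and fields are hypothetical).
# An entry may name a parent via "inherits"; child values override parent values.
CATALOGUE = {
    "base": {"image": "registry.example/workspace:1.0",
             "resources": {"cpu": "500m", "memory": "1Gi"}, "env": {"TZ": "UTC"}},
    "team-python": {"inherits": "base", "image": "registry.example/workspace-python:1.0",
                    "env": {"PYTHONUNBUFFERED": "1"}},
    # A user's custom blueprint that asks for more than policy will allow.
    "alice-custom": {"inherits": "team-python", "resources": {"memory": "4Gi"}, "privileged": True},
}


def deep_merge(base, override):
    """Return base with override layered on top; nested dicts merge key by key."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def resolve_blueprint(name, catalogue):
    """Walk the inherits chain, then merge it root-first; unknown parents and cycles are errors."""
    chain, seen, current = [], set(), name
    while current is not None:
        if current in seen:
            raise ValueError(f"blueprint inheritance cycle at {current!r}")
        if current not in catalogue:
            raise KeyError(f"unknown blueprint {current!r}")
        seen.add(current)
        chain.append(catalogue[current])
        current = catalogue[current].get("inherits")
    resolved = {}
    for blueprint in reversed(chain):  # root first, so the most specific blueprint wins
        resolved = deep_merge(resolved, {k: v for k, v in blueprint.items() if k != "inherits"})
    return resolved


def apply_obligations(blueprint, decision):
    """Apply a policy decision: deny raises; allow may carry obligations that edit the blueprint."""
    if not decision.get("allow"):
        raise PermissionError(decision.get("reason", "provisioning denied"))
    out = copy.deepcopy(blueprint)
    for obligation in decision.get("obligations", []):
        *parents, leaf = obligation["key"].split(".")  # dotted path into the blueprint
        node = out
        for part in parents:
            node = node.setdefault(part, {})
        if obligation["op"] == "set":
            node[leaf] = obligation["value"]
        elif obligation["op"] == "unset":
            node.pop(leaf, None)
        else:  # an obligation the Provisioner cannot honour must fail closed, not be ignored
            raise ValueError(f"unsupported obligation {obligation['op']!r}")
    return out


# Constructed Deployment-like workload that a workspace gets injected into.
WORKLOAD = {
    "metadata": {"name": "app", "annotations": {}},
    "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "registry.example/app:2.3"}],
        "volumes": [{"name": "config", "configMap": {"name": "app-config"}}],
    }}},
}
RECORD_PREFIX = "workspace.example/injected-"  # hypothetical annotation key prefix


def inject(workload, ws_id, blueprint):
    """Patch the pod template with the workspace container and volume, recording what was added."""
    out = copy.deepcopy(workload)
    pod = out["spec"]["template"]["spec"]
    container = {
        "name": f"ws-{ws_id}", "image": blueprint["image"],
        "env": [{"name": k, "value": v} for k, v in sorted(blueprint.get("env", {}).items())],
        "resources": {"limits": dict(blueprint.get("resources", {}))},
        "securityContext": {"privileged": bool(blueprint.get("privileged", False))},
    }
    volume = {"name": f"ws-{ws_id}-home", "emptyDir": {}}
    pod["containers"].append(container)
    pod.setdefault("volumes", []).append(volume)
    # Record exactly what was injected so eject can reverse it and nothing else.
    out["metadata"]["annotations"][RECORD_PREFIX + ws_id] = json.dumps(
        {"containers": [container["name"]], "volumes": [volume["name"]]})
    return out


def eject(workload, ws_id):
    """Reverse the injection: remove only the names recorded for ws_id."""
    out = copy.deepcopy(workload)
    recorded = out["metadata"]["annotations"].pop(RECORD_PREFIX + ws_id, None)
    if recorded is None:
        raise KeyError(f"workspace {ws_id!r} was not injected into this workload")
    added = json.loads(recorded)
    pod = out["spec"]["template"]["spec"]
    pod["containers"] = [c for c in pod["containers"] if c["name"] not in added["containers"]]
    pod["volumes"] = [v for v in pod["volumes"] if v["name"] not in added["volumes"]]
    return out
```

Resolving `alice-custom` yields the team image with the base CPU limit, the merged environment, a 4Gi memory request and `privileged: True`; a decision of `{"allow": True, "obligations": [{"op": "set", "key": "privileged", "value": False}, {"op": "set", "key": "resources.memory", "value": "2Gi"}]}` then produces the blueprint that is actually injected. `eject(inject(WORKLOAD, "w1", final), "w1")` returns a workload equal to the original, and ejecting an id that was never injected raises rather than touching the pod template.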