Tenant System Applications
System applications deployed under workloads/system/ have elevated privileges compared to regular applications. These system-level applications:
- Can deploy cluster-scoped resources (ClusterRoles, CustomResourceDefinitions, etc.)
- Run under a privileged ArgoCD project with higher permissions
- Are typically used for infrastructure and platform components
- Have access beyond namespace boundaries
This higher privilege level allows system applications to:
- Install cluster-wide operators and controllers
- Configure cluster-level security policies
- Set up monitoring and logging infrastructure
- Deploy shared services used by multiple applications
Usage Guidelines
Note
System applications have elevated permissions and can affect the entire cluster. Use caution when deploying system applications to avoid unintended consequences.
When deploying system applications:
- Only place applications that truly need cluster-wide access under workloads/system/
- Regular applications should remain under workloads/applications/ with standard namespace-scoped permissions
- Follow the same deployment formats (Helm/Kustomize) as regular applications
- Be cautious with elevated privileges to avoid unintended cluster-wide changes
The separation between system and regular applications helps maintain proper security boundaries while enabling necessary cluster-wide functionality.
Namespace Override
By default, applications are deployed into a namespace matching their folder name. However, system applications can override this default namespace using the namespace field:
Helm Example
helm:
  ## (Optional) The chart to use for the deployment.
  chart: ./charts/platform
  ## (Optional) The path inside a repository to the chart to use for the deployment.
  path: ./charts/platform
  ## (Required) The release name to use for the deployment.
  release_name: platform
  ## (Required) The version of the chart to use for the deployment.
  version: 0.1.0
namespace:
  ## Override the namespace
  name: kube-system
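A review-time check for the namespace override described above, as an added example that is not part of the platform's own tooling. It assumes each application is a folder containing `*.yaml` definition files and that an override is a `namespace:` mapping with a `name:` child; treating an override outside workloads/system/ as a violation is this example's reading of the page, not documented platform behaviour.

```python
import re
from pathlib import Path

# Assumed shape of an override: a `namespace:` key whose block has a `name:` child.
NS_KEY = re.compile(r"^(\s*)namespace:\s*(?:#.*)?$")
NAME_KEY = re.compile(r"^\s*name:\s*['\"]?([A-Za-z0-9.-]+)")

# Constructed sample definition, modelled on the Helm example on this page.
SAMPLE = """helm:
  release_name: platform
  version: 0.1.0
namespace:
  ## Override the namespace
  name: kube-system
"""

def namespace_override(text):
    """Return the namespace a definition overrides to, or None if it has none."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        key = NS_KEY.match(line)
        if not key:
            continue
        indent = len(key.group(1))
        for child in lines[i + 1:]:
            stripped = child.strip()
            if not stripped or stripped.startswith("#"):
                continue  # blank lines and comments do not end the block
            if len(child) - len(child.lstrip()) <= indent:
                break  # dedent: we have left the namespace block
            name = NAME_KEY.match(child)
            if name:
                return name.group(1)
    return None

def audit(root):
    """List every override as (status, tier, app_folder, namespace)."""
    findings = []
    for tier in ("system", "applications"):
        base = Path(root) / "workloads" / tier
        if not base.is_dir():
            continue
        for app in sorted(p for p in base.iterdir() if p.is_dir()):
            for definition in sorted(app.glob("*.yaml")):
                ns = namespace_override(definition.read_text())
                if ns is not None:
                    # System overrides need human review; others are flagged.
                    status = "review" if tier == "system" else "violation"
                    findings.append((status, tier, app.name, ns))
    return findings
```

Run `audit(".")` from the repository root in CI and fail the job on any `violation` entry; `review` entries list where system applications land outside their folder-named namespace.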