Skip to content

feat(decision): add MCP namespace strategy in platform cluster #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Aug 20, 2025
Merged

feat(decision): add MCP namespace strategy in platform cluster #13

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
e5788b3
chore: update authors.yaml
maximiliantech Aug 19, 2025
28ea5c8
feat(decision): add MCP namespace strategy in platform cluster
maximiliantech Aug 19, 2025
5a49936
rephrase
maximiliantech Aug 19, 2025
3848386
rephrase
maximiliantech Aug 19, 2025
fe8eeab
update consequences
maximiliantech Aug 19, 2025
2ded2f8
fix: authors file
maximiliantech Aug 19, 2025
2ab71ab
Merge branch 'decision/mcp-namespace-strategy' of https://github.com/…
maximiliantech Aug 19, 2025
427f121
fix: complie error because of {}
maximiliantech Aug 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions adrs/2025-08-12-mcp-namespace-strategy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
authors:
- MaximilianTechritz
---

# MCP Namespace Strategy for Platform Cluster

## Context and Problem Statement

In the openMCP platform, we need to determine how to organize resources in the Platform Cluster that belong to Managed Control Planes (MCPs). Each MCP represents a separate tenant or customer environment that needs to be isolated and managed independently. The key question is: Should every MCP on the Platform Cluster have its own Namespace to ensure proper isolation, resource management, and security boundaries?

Without proper namespace isolation, MCPs could interfere with each other, leading to security vulnerabilities, resource conflicts, and operational complexity.

## Considered Options

1. **`mcp-{hash-mcp-name-and-namespace}`** - Create namespaces using a hash of the MCP name and original namespace (hash < 63 chars)
2. **`mcp-{uid}`** - Create namespaces using the UID of the MCP resource

## Decision Outcome

Option 1: `mcp-{hash-mcp-name-and-namespace`, because it provides unique namespace isolation for each MCP while avoiding conflicts and maintaining deterministic naming that survives backup/restore operations. Option 2 would have been simpler but does not work well with backup/restore scenarios, as the UID changes after a restore operation, breaking the link between the MCP and its namespace.

The hash algorithm we will use with Option 1 is [SHAKE128](https://pkg.go.dev/crypto/sha3#SumSHAKE128). It is an 128-bit algorithm that is FIPS compliant. The 128-bit output allows us to print the hash in the UUID v8 format. So the namespace could look something like `mcp-3f4b2c1d-8e9a-7b6c-5d4e-3f2a1b0c9d8e`.

### Consequences

- The old hash function `K8sNameHash` should not be used anymore.
7 changes: 7 additions & 0 deletions adrs/authors.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,10 @@ ValentinGerlach:
image_url: /img/authors/ValentinGerlach.png
socials:
github: ValentinGerlach

MaximilianTechritz:
name: Maximilian Techritz
title: openMCP Contributor
url: https://github.com/maximiliantech
socials:
github: maximiliantech