Skip to main content

Getting Started with Konflux

Adopting new platforms is always challenging. While Konflux aims to use industry-standard terminology and processes, there are some additional concepts to be aware of. This page introduces the key ideas and Kubernetes Custom Resources that underpin everything Konflux does.

Key Concepts

Namespace

In Kubernetes, namespaces provide a foundational mechanism for isolating groups of resources within a single cluster. Konflux scopes all the resources and APIs you interact with to namespaces — including your components, applications, snapshots, secrets, and the Tekton PipelineRuns that perform builds, tests, and releases.

Kubernetes namespaces docs

Tenant Namespace

Tenant namespaces are where Tekton Pipelines produce artifacts accessible by multiple team members according to their roles and permissions. In Konflux, you operate in a tenant namespace scoped to your team. One team can span multiple namespaces if needed, each with many applications and components.

  • Create components and applications
  • Run the Tekton PipelineRuns defined in your Git repositories
  • View and iterate on the results of your IntegrationTestScenarios
  • Create releases for specific snapshots according to your ReleasePlans

Managed Namespaces

Managed namespaces are where you manage release pipelines and credentials for your organization. The primary interaction between a tenant and managed namespaces involves creating a release in a tenant namespace that references a specific snapshot in the managed namespace, then triggering the release pipeline for that snapshot.

OCI Artifact

When you create a component in Konflux, the system pushes a build pipeline to the Git repository in the .tekton directory and installs a webhook. Upon a new push or pull request, the system runs the pipeline defined in the Git repository, describing the process necessary to build and test a specific artifact.

Build Pipeline

When you create a component in Konflux, the system pushes a build pipeline to the Git repository in the .tekton directory and installs a webhook. Upon a new push or pull request, the system runs the pipeline defined in the Git repository, describing the process necessary to build and test a specific artifact.

Build Tasks
  • Cloning the Git repository
  • Prefetching dependencies
  • Building the OCI artifact
  • Building the source SBOM
  • Generating the source container
Test Tasks
  • Running Snyk scans
  • Checking for CVEs with clair-in-ci
  • Running an antivirus scan on the artifact
Pipelines as Code (PaC)

Custom Resources

All Konflux APIs are Kubernetes Custom Resources (CRs). This means standard tools like kubectl can understand and interact with them just like Pods or Deployments.

Component

Describes the properties of an OCI artifact — including the Git repository from which the artifact originates, the latest built commit, initial build configuration parameters, and relationships to other components. Component names are unique in a namespace.

Application

An Application CR owns multiple components and logically groups them in the UI. When a new component's build pipeline completes, the Integration Service creates a new snapshot from each of the Component CRs, as well as the just-produced component artifact. IntegrationTestScenarios use this output to run.

Snapshot

An immutable set of component references, created from each push or pull request events. A snapshot defines a set of components which are either tested or released together. Note that at any point in time, a given snapshot might not necessarily represent the latest built artifacts for all components in your namespace.

IntegrationTestScenario

A Tekton Pipeline that defines a test to run against an entire snapshot. The Integration Service runs all configured ITSs for the snapshot's application, including a default ITS for every new application to enable EnterpriseContractPolicy checks. Each ITS can be configured as optional for release.

EnterpriseContractPolicy

Konflux follows a "build once, release multiple times" mentality. You codify build requirements in an EnterpriseContractPolicy CR. When evaluated against a snapshot, it returns a single result based on the highest violation — if any single component fails, the overall result is a failure.

ReleasePlan

Maps an Application you want to release to a release action. Defines the process to release future Snapshots of your Application in the managed namespace, determines whether automatic releases are enabled, and whether you want to provide additional data to each future release pipeline.

ReleasePlanAdmission

Created in the managed namespace, this CR defines the specific pipeline to run and a given EnterpriseContractPolicy which must pass for each snapshot before that pipeline can proceed. It also establishes essential details about the delivery of your content.

Release

Every time you want to release newly built artifacts, you create a Release CR in your tenant namespace. It represents your intent to release some content and, when present, will initiate the push of content. A Release CR references a specific Snapshot and ReleasePlan. ReleasePlans can also be configured for auto-release.

Quick Links

Try Konflux Locally

Run Konflux on Kind or OpenShift

Documentation

Full reference and guides

Glossary

Key terms and definitions

Kubernetes CRs

Konflux API reference

Community

Slack, forums & events

Ready to try Konflux?

Follow the local installation guide to run Konflux on your own cluster.