KubeVela
Application delivery platform implementing the Open Application Model on Kubernetes.
KubeVela is a CNCF project that implements the Open Application Model (OAM), providing a higher-level abstraction layer over raw Kubernetes resources. It lets platform teams define reusable ComponentDefinition and TraitDefinition building blocks, and lets app teams deploy via Application CRDs without dealing with raw Deployments, Services, or Ingresses. It is used in this cluster to provide a standardized application delivery API across multiple workloads, including the VelaUX web dashboard for visual application management.
Alternatives considered
Self Hosted
| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| Argo CD ApplicationSet | Yes | Yes | GitOps-only; no OAM abstraction layer |
| Kratix | Yes | Yes | Platform-as-a-product approach via Promises |
| Kustomize + Flux | Yes | Yes | No higher-level app abstraction; used alongside KubeVela here |
Installation
Architecture
HelmRelease kubevela in namespace kubevela-system, chart vela-core version 1.10.8 from https://charts.kubevela.net/core. Admission webhook enabled with cert-manager integration. VelaUX dashboard enabled (1 replica, ClusterIP service, ingress disabled). Leader election enabled. Built-in component definitions (webservice, k8s-objects, etc.) enabled. Webhook caBundle drift is ignored via driftDetection.ignore for multiple webhook paths.
Security
Pod securityContext: runAsNonRoot: true, runAsUser/Group/fsGroup: 1000, seccompProfile: RuntimeDefault. Container securityContext: allowPrivilegeEscalation: false, capabilities: drop: ALL. Admission webhook uses cert-manager for TLS. RBAC is cluster-wide (OAM controller needs to manage resources in any namespace).
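An added example, not taken from the chart or this repository: a check that running pods still match the baseline listed above, applied to the JSON returned by `kubectl get pods -n kubevela-system -o json`. The pod and container names in the sample are constructed for illustration.

```python
import json

# Baseline copied from the Security paragraph above.
POD_BASELINE = {"runAsNonRoot": True, "runAsUser": 1000,
                "runAsGroup": 1000, "fsGroup": 1000}

def audit_pod(pod):
    """Return findings where one pod object deviates from the baseline."""
    findings = []
    spec = pod.get("spec") or {}
    psc = spec.get("securityContext") or {}
    for key, want in POD_BASELINE.items():
        if psc.get(key) != want:
            findings.append(f"pod: {key}={psc.get(key)!r}, expected {want!r}")
    if (psc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile.type is not RuntimeDefault")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        csc = c.get("securityContext") or {}
        caps = csc.get("capabilities") or {}
        # An unset field is a finding: Kubernetes defaults allow escalation.
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation is not false")
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{c['name']}: capabilities.drop lacks ALL")
        if caps.get("add"):
            findings.append(f"{c['name']}: capabilities.add = {caps['add']}")
    return findings

def audit_pod_list(raw_json):
    """Audit `kubectl get pods -n kubevela-system -o json` output."""
    items = json.loads(raw_json).get("items", [])
    return {p["metadata"]["name"]: audit_pod(p) for p in items}

# Constructed sample: one pod matching the baseline, one that has drifted.
_HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "vela-core-ok"}, "spec": {
        "securityContext": {**POD_BASELINE, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "kubevela", "securityContext": _HARDENED}]}},
    {"metadata": {"name": "vela-core-drifted"}, "spec": {
        "securityContext": dict(POD_BASELINE),  # seccompProfile missing
        "containers": [
            {"name": "kubevela", "securityContext": _HARDENED},
            {"name": "sidecar", "securityContext": {
                "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}}]}},
]})

if __name__ == "__main__":
    for name, findings in audit_pod_list(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

An empty result for every pod means the rendered values reached the workload unchanged; any finding points at a container or field that the chart values did not cover.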
Updates
Managed by Renovate. Chart version is semver-pinned (1.10.8).
Administration
Usage
Platform operators define ComponentDefinition and TraitDefinition resources to encapsulate Kubernetes patterns. Application owners create Application resources referencing those definitions to deploy workloads. The VelaUX dashboard provides a web UI for visualizing and managing applications. Traits such as ingress, scaling, and resource policies can be applied declaratively to components.
Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/kubevela/README.md.
Cluster Deployment
KubeVela — Talos cluster
Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/kubevela.mdx.
Deviations from defaults
Defaults live in docusaurus/docs/platform/kubevela.mdx — document anything this cluster does differently here, with a one-line reason.
- HelmRelease: vela-core@1.10.8
- HelmRepo: kubevela (https://kubevela.github.io/charts)
Rendered manifests (kustomize build)
```yaml
apiVersion: v1
data:
  values.yaml: |
    replicaCount: 1
    image:
      pullPolicy: IfNotPresent
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 128Mi
    # Enable admission webhook (recommended)
    admissionWebhooks:
      enabled: true
      failurePolicy: Fail
      certManager:
        enabled: true
    # Enable leader election (important if scaling >1 replica later)
    leaderElection:
      enabled: true
    # Enable built-in definitions (webservice, k8s-objects, etc.)
    velaCore:
      builtinDefinition:
        enabled: true
    # Disable velaux dashboard (install separately if needed)
    velaux:
      enabled: true
      replicaCount: 1
      resources:
        limits:
          cpu: 300m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 128Mi
      service:
        type: ClusterIP
      ingress:
        enabled: false
    # Logging
    logLevel: info
    podSecurityContext:
      runAsNonRoot: true
      runAsUser: 1000
      runAsGroup: 1000
      fsGroup: 1000
      fsGroupChangePolicy: OnRootMismatch
      seccompProfile:
        type: RuntimeDefault
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
kind: ConfigMap
metadata:
  name: kubevela-values-ctgfh9hh2b
  namespace: kubevela-system
```