universe-k8s-tenant-resource-plugin is a Kubernetes operator built with operator-sdk.

The main goal of the universe-k8s-tenant-resource-plugin is to expose a Kubernetes-native API in the tenant cluster for managing Kubernetes resources in the infrastructure cluster.

universe-k8s-tenant-resource-plugin uses the universe.resource.v1 gRPC API to provision resources in the infrastructure cluster.

universe-k8s-tenant-resource-plugin exposes a CRD-based API in the tenant cluster. Supported object types are:


universe-k8s-tenant-resource-plugin uses the Update RPC call of the universe.resource.v1 gRPC API to create and update resources in the infrastructure cluster.

The Update call is implemented as a server-side apply. Server-side apply performs stricter validation than a create call. In some cases a kubectl create call accepts a request with an invalid object spec and only returns a Warning message, but if the same object is used in a server-side update call, the request may fail.

Main registry:



Alternative registry:





| Name | Description | Default value |
|---|---|---|
| namespace | namespace to watch Universe CRDs | default |
| periodic-check-interval | check interval for resources in infrastructure cluster (in seconds) | 5 |
| universe-resource-api-address | address of the universe.resource.v1 API, usually address of the proxy sidecar | |

universe-k8s-tenant-resource-plugin doesn't support TLS or injection of the required gRPC metadata (check the universe.resource.v1 gRPC API for details).

Usually universe-k8s-tenant-resource-plugin is deployed with the Envoy-based universe-grpc-proxy sidecar container, which implements all required features.

The sidecar container is responsible for forwarding universe-k8s-tenant-resource-plugin requests to universe-infra-api-gateway in a secure manner.
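Because the plugin itself speaks gRPC without TLS, the value of universe-resource-api-address decides whether that traffic stays inside the pod. The following check is an added example, not code from the plugin or from NVIDIA; the function name checkPlaintextTarget and the sample addresses are hypothetical, and it assumes the sidecar listens on loopback or a Unix socket in the same pod.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// checkPlaintextTarget returns an error when addr (the value given to
// universe-resource-api-address) would send the plugin's unencrypted gRPC
// traffic off the local pod. Assumption: the sidecar listens on loopback
// or on a Unix socket inside the same pod.
func checkPlaintextTarget(addr string) error {
	if strings.HasPrefix(addr, "unix:") {
		return nil // Unix socket: traffic never touches the network
	}
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return fmt.Errorf("address %q is not host:port: %w", addr, err)
	}
	if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
		return fmt.Errorf("address %q has an invalid port", addr)
	}
	if host == "localhost" {
		return nil // conventional loopback name
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// Any other DNS name could resolve off-pod, so refuse it for plaintext.
		return fmt.Errorf("host %q is a name, not a loopback IP", host)
	}
	if !ip.IsLoopback() {
		return fmt.Errorf("host %q is not loopback; plaintext gRPC would leave the pod", host)
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from the product documentation.
	samples := []string{"127.0.0.1:8080", "[::1]:8080", "10.0.0.5:8080", "infra-api.example:443"}
	for _, a := range samples {
		fmt.Printf("%-24s -> %v\n", a, checkPlaintextTarget(a))
	}
}
```

A check like this fits in a deployment lint or admission step, so that a manifest pointing the plugin directly at a remote gateway is rejected before it runs.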

© Copyright 2023, NVIDIA. Last updated on Feb 7, 2024.