Platform Mesh

Appearance

Next Steps

Accessing KCP Admin

Platform Mesh uses KCP (Kubernetes-like Control Plane) to provide multi-tenant control planes. The admin kubeconfig provides full visibility into all KCP workspaces across the entire Platform Mesh instance.

Admin Access

The admin kubeconfig shown here is for platform administrators who need visibility across all workspaces.

bash
export KUBECONFIG=$(pwd)/.secret/kcp/admin.kubeconfig

This gives you access to the root workspace and organization management.

You can then:

  1. Switch between workspaces:

    bash
    kubectl kcp workspace use <workspace-name>

  2. List available workspaces:

    bash
    kubectl get workspaces

Exploring the Platform

  • Browse the Onboarding Portal to see available services
  • Create service bindings using kubectl
  • Explore the multi-tenant architecture through different organization workspaces

Email Confirmations in Local Setup

When you register or create an organization, the system sends confirmation emails. Since this is a local setup, no real emails are sent. Instead, all emails can be viewed in the Mailpit application that's deployed as part of the local setup.

Access Mailpit at: https://portal.dev.local:8443/mailpit/

You can use Mailpit to view all sent emails and test email workflows without needing a real email server.

Accessing Keycloak

Keycloak is the default identity provider used for authentication in Platform Mesh. Administrators can access the Keycloak admin console to manage users, roles, and authentication settings.

URL: https://portal.dev.local:8443/keycloak

Credentials:

  • Username: keycloak-admin
  • Password: admin

Local Setup Only

These default credentials are for the local development environment only. In production deployments, use secure credentials and follow your organization's security policies.

The screenshot below shows a "default" realm that was automatically created when an organization named "default" was onboarded to Platform Mesh. After completing the Example MSP walkthrough, you can return here to see how your organization appears as a dedicated realm in Keycloak.

Keycloak Admin

Accessing OpenFGA

OpenFGA is the central relationship-based authorization system used by Platform Mesh. You can access the OpenFGA Playground to explore and test authorization models and relationships.

First, set up port forwarding to the OpenFGA service:

bash
kubectl port-forward -n platform-mesh-system svc/openfga 3000 8080 8081

Then access the OpenFGA Playground at: http://localhost:3000/playground

The screenshot below displays the "default" organization's authorization data in OpenFGA, created during organization onboarding. Once you complete the Example MSP tutorial and create your own organization, you can explore how Platform Mesh provisions the corresponding authorization relationships here.

OpenFGA Admin

EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

Platform Mesh is a project of NeoNephos Foundation. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.