diff --git a/cmd/stackube-controller/stackube-controller.go b/cmd/stackube-controller/stackube-controller.go
index 7f18bca..26a64fa 100644
--- a/cmd/stackube-controller/stackube-controller.go
+++ b/cmd/stackube-controller/stackube-controller.go
@@ -24,8 +24,8 @@ var (
 "path to kubernetes admin config file")
 cloudconfig = pflag.String("cloudconfig", "/etc/stackube.conf",
 "path to stackube config file")
- systemCIDR = pflag.String("system-cidr", "10.10.10.10/24", "system Pod network CIDR")
- systemGateway = pflag.String("system-gateway", "10.10.10.1", "system Pod network gateway")
+ userCIDR = pflag.String("user-cidr", "10.244.0.0/16", "user Pod network CIDR")
+ userGateway = pflag.String("user-gateway", "10.244.0.1", "user Pod network gateway")
 )
 
 func startControllers(kubeconfig, cloudconfig string) error {
@@ -43,10 +43,10 @@ func startControllers(kubeconfig, cloudconfig string) error {
 }
 
 // Creates a new RBAC controller
- rm, err := rbacmanager.New(kubeconfig,
+ rm, err := rbacmanager.NewRBACController(kubeconfig,
 tc.GetKubeCRDClient(),
- *systemCIDR,
- *systemGateway,
+ *userCIDR,
+ *userGateway,
 )
 if err != nil {
 return err
diff --git a/pkg/auth-controller/rbacmanager/rbac_controller.go b/pkg/auth-controller/rbacmanager/rbac_controller.go
index 96032f1..04897c0 100644
--- a/pkg/auth-controller/rbacmanager/rbac_controller.go
+++ b/pkg/auth-controller/rbacmanager/rbac_controller.go
@@ -29,15 +29,15 @@ type Controller struct {
 nsInf cache.SharedIndexInformer
 queue workqueue.RateLimitingInterface
 kubeCRDClient *crdClient.CRDClient
- systemCIDR string
- systemGateway string
+ userCIDR string
+ userGateway string
 }
 
 // New creates a new RBAC controller.
-func New(kubeconfig string,
+func NewRBACController(kubeconfig string,
 kubeCRDClient *crdClient.CRDClient,
- systemCIDR string,
- systemGateway string,
+ userCIDR string,
+ userGateway string,
 ) (*Controller, error) {
 cfg, err := util.NewClusterConfig(kubeconfig)
 if err != nil {
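Review bot: Renaming the flags from `--system-cidr`/`--system-gateway` to `--user-cidr`/`--user-gateway` in the `var (` hunk drops the old names outright, so any existing unit file or script that passes the old flags will fail to start the controller with an unknown-flag error; the same applies to the call site in the `startControllers` hunk. Registering the old names as deprecated aliases for one release (pflag's `MarkDeprecated`) would keep those deployments running while steering operators to the new names. The new default `10.244.0.0/16` is also a very different range from the old `10.10.10.10/24`, and the usage text `user Pod network CIDR` understates its reach, since the same value now feeds the system reserved network as well (rbac_controller.go hunk at -176); the flag help should say so. Separately, `rbacmanager.NewRBACController` stutters with the package name, where `rbacmanager.New` was the idiomatic form.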
@@ -52,8 +52,8 @@ func New(kubeconfig string,
 kclient: client,
 queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "rbacmanager"),
 kubeCRDClient: kubeCRDClient,
- systemCIDR: systemCIDR,
- systemGateway: systemGateway,
+ userCIDR: userCIDR,
+ userGateway: userGateway,
 }
 
 o.nsInf = cache.NewSharedIndexInformer(
@@ -146,15 +146,45 @@ func (c *Controller) handleNamespaceAdd(obj interface{}) {
 glog.Error(err)
 return
 }
+ } else {
+ if err := c.createNetworkForTenant(key); err != nil {
+ glog.Error(err)
+ return
+ }
 }
 
+ glog.V(4).Infof("Added namespace %s", key)
 c.enqueue(key)
 }
 
+// createNetworkForTenant automatically create network for given non-system tenant
+func (c *Controller) createNetworkForTenant(namespace string) error {
+ network := &crv1.Network{
+ ObjectMeta: metav1.ObjectMeta{
+ // use the namespace name as network
+ Name: namespace,
+ Namespace: namespace,
+ },
+ Spec: crv1.NetworkSpec{
+ CIDR: c.userCIDR,
+ Gateway: c.userGateway,
+ },
+ }
+
+ // network controller will always check if Tenant is ready so we will not wait here
+ if err := c.kubeCRDClient.AddNetwork(network); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// initSystemReservedTenantNetwork automatically create tenant network for system namespace
 func (c *Controller) initSystemReservedTenantNetwork() error {
 tenant := &crv1.Tenant{
 ObjectMeta: metav1.ObjectMeta{
- Name: util.SystemTenant,
+ Name: util.SystemTenant,
+ // always add tenant to system namespace
 Namespace: util.SystemTenant,
 },
 Spec: crv1.TenantSpec{
@@ -176,8 +206,8 @@ func (c *Controller) initSystemReservedTenantNetwork() error {
 Namespace: util.SystemTenant,
 },
 Spec: crv1.NetworkSpec{
- CIDR: c.systemCIDR,
- Gateway: c.systemGateway,
+ CIDR: c.userCIDR,
+ Gateway: c.userGateway,
 },
 }
 
@@ -194,6 +224,7 @@ func (c *Controller) handleNamespaceDelete(obj interface{}) {
 if !ok {
 return
 }
 
+ glog.V(4).Infof("Deleted namespace %s", key)
 c.enqueue(key)
 }
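Review bot: In `handleNamespaceAdd`, the new `else` branch returns on any error from `createNetworkForTenant` before `c.enqueue(key)`, so a namespace whose Network already exists — which is exactly what the informer's initial list produces after a controller restart — would never be enqueued for RBAC processing if `AddNetwork` reports AlreadyExists as an error (its body is outside this diff, so I cannot confirm how it reacts). Treating that case as success keeps the add path idempotent, e.g. `if err := c.kubeCRDClient.AddNetwork(network); err != nil && !apierrors.IsAlreadyExists(err) {` in `createNetworkForTenant` with `apierrors` being `k8s.io/apimachinery/pkg/api/errors`; if `AddNetwork` wraps the client error with `%v` the way `DeleteNetork` does, the check has to live inside `AddNetwork` instead, since wrapping discards the status. The condition that selects this `else` branch and the start of `handleNamespaceAdd` are outside the hunk. The doc comment on the new helper should also be a sentence about what it does: `// createNetworkForTenant creates the Network for a non-system tenant, named after its namespace.`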
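Review bot: `initSystemReservedTenantNetwork` now hands the system namespace's Network the same `c.userCIDR`/`c.userGateway` that `createNetworkForTenant` gives every tenant Network, so the system network and all user networks share one address range and gateway; whether that is safe depends on the network controller isolating each Network per tenant, which this diff does not show. If the overlap is intended, the `Controller` fields should say so, e.g. `// userCIDR and userGateway are applied to every tenant Network, including the system namespace's.` next to the struct fields; if it is not, the system network needs its own values rather than reusing the user ones. The start of `initSystemReservedTenantNetwork` is outside this hunk.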
diff --git a/pkg/auth-controller/tenant/tenant_controller.go b/pkg/auth-controller/tenant/tenant_controller.go
index 4bf3f34..9250b7b 100644
--- a/pkg/auth-controller/tenant/tenant_controller.go
+++ b/pkg/auth-controller/tenant/tenant_controller.go
@@ -137,6 +137,13 @@ func (c *TenantController) onDelete(obj interface{}) {
 glog.V(4).Infof("Deleted ClusterRoleBinding %s", tenantName)
 }
 
+ // Delete automatically created network
+ // TODO(harry) so that we can not deal with network with different name and namespace,
+ // we need to document that.
+ if err := c.kubeCRDClient.DeleteNetork(tenantName); err != nil {
+ glog.Errorf("failed to delete network for tenant: %v", tenantName)
+ }
+
 //Delete namespace
 err = c.deleteNamespace(tenantName)
 if err != nil {
diff --git a/pkg/auth-controller/tenant/tenant_controller_helper.go b/pkg/auth-controller/tenant/tenant_controller_helper.go
index c858196..9f628aa 100644
--- a/pkg/auth-controller/tenant/tenant_controller_helper.go
+++ b/pkg/auth-controller/tenant/tenant_controller_helper.go
@@ -30,7 +30,7 @@ func (c *TenantController) syncTenant(tenant *crv1.Tenant) {
 // Create tenant if the tenant not exist in keystone
 tenantID, err := c.openstackClient.CreateTenant(tenant.Name)
 if err != nil {
- glog.Errorf("Failed create tenant %s: %v", tenant, err)
+ glog.Errorf("Failed create tenant %#v: %v", tenant, err)
 return
 }
 // Create user with the spec username and password in the created tenant
diff --git a/pkg/kubecrd/crdclient.go b/pkg/kubecrd/crdclient.go
index bded13d..5c5d38e 100644
--- a/pkg/kubecrd/crdclient.go
+++ b/pkg/kubecrd/crdclient.go
@@ -9,6 +9,8 @@ import (
 "k8s.io/client-go/rest"
 
 crv1 "git.openstack.org/openstack/stackube/pkg/apis/v1"
+ "git.openstack.org/openstack/stackube/pkg/util"
+ "github.com/golang/glog"
 )
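Review bot: The new error log in `onDelete` drops the error itself: `glog.Errorf("failed to delete network for tenant: %v", tenantName)` formats only the tenant name, so a failing `DeleteNetork` call leaves no record of why it failed. Use `glog.Errorf("failed to delete network for tenant %s: %v", tenantName, err)`. Because the deletion is best-effort and execution continues to `deleteNamespace`, a NotFound result on a retried delete would be worth logging below error level, but that depends on what `DeleteNetork` returns, which the other file's hunk wraps into a plain string. The start of `onDelete` is outside the hunk.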
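Review bot: Switching the verb to `%#v` in `syncTenant` prints the entire `*crv1.Tenant` struct, and the context line right after the hunk says the spec carries the username and password used to create the Keystone user, so every failed `CreateTenant` call would write that credential into the error log (the old `%s` on the pointer had the same problem, just less readably). Log the identifying field instead: `glog.Errorf("Failed create tenant %s: %v", tenant.Name, err)`. `syncTenant` continues outside the hunk.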
@@ -61,7 +63,7 @@ func (c *CRDClient) UpdateNetwork(network *crv1.Network) {
 func (c *CRDClient) UpdateTenant(tenant *crv1.Tenant) {
 err := c.Client.Put().
 Name(tenant.Name).
- Namespace(tenant.Namespace).
+ Namespace(util.SystemTenant).
 Resource(crv1.TenantResourcePlural).
 Body(tenant).
 Do().
@@ -74,12 +76,14 @@ func (c *CRDClient) UpdateTenant(tenant *crv1.Tenant) {
 }
 }
 
+// GetTenant returns tenant from CRD
+// NOTE: all tenant are stored under system namespace
 func (c *CRDClient) GetTenant(tenantName string) (*crv1.Tenant, error) {
 tenant := crv1.Tenant{}
 // tenant always has same name and namespace
 err := c.Client.Get().
 Resource(crv1.TenantResourcePlural).
- Namespace(tenantName).
+ Namespace(util.SystemTenant).
 Name(tenantName).
 Do().Into(&tenant)
 if err != nil {
@@ -88,9 +92,11 @@ func (c *CRDClient) GetTenant(tenantName string) (*crv1.Tenant, error) {
 return &tenant, nil
 }
 
+// AddTenant adds tenant to CRD
+// NOTE: all tenant are added to system namespace
 func (c *CRDClient) AddTenant(tenant *crv1.Tenant) error {
 err := c.Client.Post().
- Namespace(tenant.GetNamespace()).
+ Namespace(util.SystemTenant).
 Resource(crv1.TenantResourcePlural).
 Body(tenant).
 Do().Error()
@@ -111,3 +117,16 @@ func (c *CRDClient) AddNetwork(network *crv1.Network) error {
 }
 return nil
 }
+
+func (c *CRDClient) DeleteNetork(namespace string) error {
+ // NOTE: the automatically created network for tenant use namespace as name
+ err := c.Client.Delete().
+ Resource(crv1.NetworkResourcePlural).
+ Namespace(namespace).
+ Name(namespace).
+ Do().Error()
+ if err != nil {
+ return fmt.Errorf("failed to delete Network: %v", err)
+ }
+ return nil
+}
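Review bot: `GetTenant` keeps the context comment `// tenant always has same name and namespace` while the request namespace two lines below is now `util.SystemTenant`, so the comment states the opposite of what the code does; replace it with `// tenants are always read from the system namespace, whatever their name`. In `UpdateTenant` and `AddTenant` the body is still sent as-is, so a caller that populates `ObjectMeta.Namespace` with anything other than `util.SystemTenant` gets a namespace-mismatch rejection from the API server; setting `tenant.Namespace = util.SystemTenant` before `Body(tenant)` in both methods, or stating the invariant in the new doc comments, avoids that. The same hardcoding appears in the `UpdateTenant`, `GetTenant` and `AddTenant` hunks; `UpdateTenant` continues outside its hunk.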
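Review bot: The new exported method is spelled `DeleteNetork` and is already called by that name in tenant_controller.go, so the typo will spread; rename it to `DeleteNetwork` in both places before it ships, and give it a doc comment since it is exported, e.g. `// DeleteNetwork removes the Network created for a tenant; the Network is named after the tenant's namespace.` Wrapping the client error as `fmt.Errorf("failed to delete Network: %v", err)` also discards the API status, so the caller cannot distinguish NotFound (the Network is already gone, which the tenant deletion path can treat as success) from a real failure; check `errors.IsNotFound(err)` from `k8s.io/apimachinery/pkg/api/errors` before wrapping and return nil in that case.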