$ oc adm create-bootstrap-project-template -o yaml > template.yaml
In OKD, projects are used to group and isolate related objects. As an administrator, you can give developers access to certain projects, allow them to create their own, and give them administrative rights within individual projects.
You can allow developers to create their own projects. There is an endpoint
that will provision a project according to a
template. The web console and oc new-project
command use this endpoint when a developer creates a new project.
The API server automatically provisions projects based on the template that is
identified by the projectRequestTemplate
parameter of the
master-config.yaml file.
If the parameter is not defined, the API server creates a default template that
creates a project with the requested name, and assigns the requesting user to
the "admin" role for that project.
To create your own custom project template:
Start with the current default project template:
$ oc adm create-bootstrap-project-template -o yaml > template.yaml
Use a text editor to modify the template.yaml file by adding objects or modifying existing objects.
Load the template:
$ oc create -f template.yaml -n default
Modify the master-config.yaml file to reference the loaded template:
... projectConfig: projectRequestTemplate: "default/project-request" ...
When a project request is submitted, the API substitutes the following parameters into the template:
Parameter | Description |
---|---|
PROJECT_NAME |
The name of the project. Required. |
PROJECT_DISPLAYNAME |
The display name of the project. May be empty. |
PROJECT_DESCRIPTION |
The description of the project. May be empty. |
PROJECT_ADMIN_USER |
The username of the administrating user. |
PROJECT_REQUESTING_USER |
The username of the requesting user. |
Access to the API is granted to developers with the
self-provisioner
role and the self-provisioners
cluster role binding. This role is available
to all authenticated developers by default.
You can prevent an authenticated user group from self-provisioning new projects.
Log in as a user with cluster-admin privileges.
Review the self-provisioners
clusterrolebinding usage.
Run the following command, then review the subjects in the self-provisioners
section.
$ oc describe clusterrolebinding.rbac self-provisioners
Name: self-provisioners
Labels: <none>
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
Role:
Kind: ClusterRole
Name: self-provisioner
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated:oauth
Remove the self-provisioner
cluster role from the group system:authenticated:oauth
.
If the self-provisioners
cluster role binding binds only the
self-provisioner
role to the system:authenticated:oauth
group, run the
following command:
$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
If the self-provisioners
clusterrolebinding binds the self-provisioner
role to more users, groups, or serviceaccounts than the
system:authenticated:oauth
group, run the following command:
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
Set the projectRequestMessage
parameter value in the
master-config.yaml file to instruct developers how to request a new
project. This parameter value is a string that will be presented to a user in
the web console and command line when the user attempts to self-provision a project.
You might use one of the following messages:
To request a project, contact your system administrator at
projectname@example.com
.
To request a new project, fill out the project request form located at
https://internal.example.com/openshift-project-request
.
...
projectConfig:
ProjectRequestMessage: "message"
...
Edit the self-provisioners
cluster role binding to prevent automatic updates
to the role. Automatic updates reset the cluster roles to the default state.
To update the role binding from the command line:
Run the following command:
$ oc edit clusterrolebinding.rbac self-provisioners
In the displayed role binding, set the rbac.authorization.kubernetes.io/autoupdate
parameter
value to false
, as shown in the following example:
apiVersion: authorization.openshift.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "false"
...
To update the role binding by using a single command:
$ oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
Node selectors are used in conjunction with labeled nodes to control pod placement.
Labels can be assigned during cluster installation, or added to a node after installation. |
As a cluster administrator, you can set the cluster-wide default node selector to restrict pod placement to specific nodes.
Edit the master configuration file at /etc/origin/master/master-config.yaml
and add a value for a default node selector. This is applied to the pods created
in all projects without a specified nodeSelector
value:
... projectConfig: defaultNodeSelector: "type=user-node,region=east" ...
Restart the OpenShift service for the changes to take effect:
# master-restart api
# master-restart controllers
To create an individual project with a node selector, use the --node-selector
option when creating a project. For example, if you have an OKD
topology with multiple regions, you can use a node selector to restrict specific
OKD projects to only deploy pods onto nodes in a specific region.
The following creates a new project named myproject
and dictates that pods be
deployed onto nodes labeled user-node
and east
:
$ oc adm new-project myproject \
--node-selector='type=user-node,region=east'
Once this command is run, this becomes the administrator-set node selector for all pods contained in the specified project.
While the |
Using the oc adm new-project
command adds an annotation
section to the
project. You can edit a project, and change the openshift.io/node-selector
value to override the default:
... metadata: annotations: openshift.io/node-selector: type=user-node,region=east ...
You can also override the default value for an existing project namespace by using the following command:
# oc patch namespace myproject -p \
'{"metadata":{"annotations":{"openshift.io/node-selector":"node-role.kubernetes.io/infra=true"}}}'
If openshift.io/node-selector
is set to an empty string (oc adm new-project
--node-selector=""
), the project will not have an administrator-set node
selector, even if the cluster-wide default has been set. This means that, as a
cluster administrator, you can set a default to restrict developer projects to a
subset of nodes and still enable infrastructure or other projects to schedule
the entire cluster.
OKD developers can set a node selector on their pod configuration if they wish to restrict nodes even further. This will be in addition to the project node selector, meaning that you can still dictate node selector values for all projects that have a node selector value.
For example, if a project has been created with the above annotation
(openshift.io/node-selector: type=user-node,region=east
) and a developer sets
another node selector on a pod in that project, for example
clearance=classified
, the pod will only ever be scheduled on nodes that have
all three labels (type=user-node
, region=east
, and clearance=classified
).
If they set region=west
on a pod, their pods would be demanding nodes with
labels region=east
and region=west
, which cannot work. The pods will never
be scheduled, because labels can only be set to one value.
The number of self-provisioned projects requested by a given user can be limited
with the ProjectRequestLimit
admission
control plug-in.
If your project request template was created in OKD 3.1 or earlier
using the process described in
Modifying the Template for New
Projects, then the generated template does not include the annotation
|
In order to specify limits for users, a configuration must be specified for the plug-in within the master configuration file at /etc/origin/master/master-config.yaml. The plug-in configuration takes a list of user label selectors and the associated maximum project requests.
Selectors are evaluated in order. The first one matching the current user will be used to determine the maximum number of projects. If a selector is not specified, a limit applies to all users. If a maximum number of projects is not specified, then an unlimited number of projects are allowed for a specific selector.
The following configuration sets a global limit of 2 projects per user while allowing 10
projects for users with a label of level=advanced
and unlimited projects for
users with a label of level=admin
.
admissionConfig:
pluginConfig:
ProjectRequestLimit:
configuration:
apiVersion: v1
kind: ProjectRequestLimitConfig
limits:
- selector:
level: admin (1)
- selector:
level: advanced (2)
maxProjects: 10
- maxProjects: 2 (3)
1 | For selector level=admin , no maxProjects is specified. This means that users
with this label will not have a maximum of project requests. |
2 | For selector level=advanced , a maximum number of 10 projects will be allowed. |
3 | For the third entry, no selector is specified. This means that it will be applied to any user that doesn’t satisfy the previous two rules. Because rules are evaluated in order, this rule should be specified last. |
Managing User and Group Labels provides further guidance on how to add, remove, or show labels for users and groups. |
Once your changes are made, restart OKD for the changes to take effect.
# master-restart api
# master-restart controllers
By default, service accounts cannot create projects. However, administrators can
enable this capability per service account, and the number of self-provisioned
projects requested by any given service account can be limited with the
ProjectRequestLimit
admission control plug-in.
If service accounts are allowed to create projects, you cannot trust any labels placed on them because project editors can manipulate those labels. |
Create a service account in the project, if it is does not exist:
$ oc create sa <sa_name>
As a user with cluster-admin
privileges, add the self-provisioner
cluster
role to the service account:
$ oc adm policy \
add-cluster-role-to-user self-provisioner \
system:serviceaccount:<project>:<sa_name>
Edit the master configuration file at
/etc/origin/master/master-config.yaml and set the
maxProjectsForserviceAccounts
parameter value in the ProjectRequestLimit
section to the maximum number of projects any given self-provisioner-enabled
service account can create.
For example, the following configuration sets a global limit of three projects per service account:
admissionConfig:
pluginConfig:
ProjectRequestLimit:
configuration:
apiVersion: v1
kind: ProjectRequestLimitConfig
maxProjectsForserviceAccounts: 3
After you save the changes, restart OKD for the changes to take effect:
# master-restart api
# master-restart controllers
Verify that your changes have been applied by logging in as the service account and creating a new project.
Log in as the service account by using its token:
$ oc login --token <token>
Create a new project:
$ oc new-project <project_name>