Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.
Follow this guide to create an Azure Red Hat OpenShift 4 cluster. If you have specific questions, please contact us
Interaction with Azure Red Hat OpenShift is associated with a user. An Azure Red Hat OpenShift user object represents an actor which may be granted permissions in the system by
Several types of users can exist:
Regular users |
This is the way most interactive Azure Red Hat OpenShift users will be
represented. Regular users are created automatically in the system upon
first login, or can be created via the API. Regular users are represented
with the |
System users |
Many of these are created automatically when the infrastructure
is defined, mainly for the purpose of enabling the infrastructure to
interact with the API securely. They include a cluster administrator
(with access to everything), a per-node user, users for use by routers
and registries, and various others. Finally, there is an |
Service accounts |
These are special system users associated with projects; some are created automatically when
the project is first created, while project administrators can create more
for the purpose of defining access to the contents of each project.
Service accounts are represented with the |
Every user must authenticate in some way in order to access Azure Red Hat OpenShift.
API requests with no authentication or invalid authentication are authenticated as requests by the anonymous
system user.
Once authenticated, policy determines what the user is authorized to do.
A Kubernetes namespace provides a mechanism to scope resources in a cluster. In Azure Red Hat OpenShift, a project is a Kubernetes namespace with additional annotations.
Namespaces provide a unique scope for:
Named resources to avoid basic naming collisions.
Delegated management authority to trusted users.
The ability to limit community resource consumption.
Most objects in the system are scoped by namespace, but some are excepted and have no namespace, including nodes and users.
The Kubernetes documentation has more information on namespaces.
A project is a Kubernetes namespace with additional annotations, and is the central vehicle by which access to resources for regular users is managed. A project allows a community of users to organize and manage their content in isolation from other communities. Users must be given access to projects by administrators, or if allowed to create projects, automatically have access to their own projects.
Projects can have a separate name
, displayName
, and description
.
The mandatory name
is a unique identifier for the project and is most visible when using the CLI tools or API. The maximum name length is 63 characters.
The optional displayName
is how the project is displayed in the web console (defaults to name
).
The optional description
can be a more detailed description of the project and is also visible in the web console.
Each project scopes its own set of:
Objects |
Pods, services, replication controllers, etc. |
Policies |
Rules for which users can or cannot perform actions on objects. |
Constraints |
Quotas for each kind of object that can be limited. |
Service accounts |
Service accounts act automatically with designated access to objects in the project. |
Azure Red Hat OpenShift is a managed Service. The cluster administrator role is not available to customers. The customer administrator role is delegated to the customer for cluster-management operations.
The administrator can create and manage projects. They can also delegate administrative rights.
Developers can create their own projects.
Developers and administrators can interact with projects using the CLI or the web console.
Azure Red Hat OpenShift comes with a number of projects out of the box, and projects
starting with openshift-
are the most essential to users.
These projects host master components that run as pods and other infrastructure
components. The pods created in these namespaces that have a
critical pod annotation
are considered critical, and they have guaranteed admission by kubelet.
Pods created for master components in these namespaces are already marked as
critical.