$ oc adm create-bootstrap-project-template -o yaml > template.yaml
In Red Hat OpenShift service on AWS, projects are used to group and isolate related objects.
When a request is made to create a new project using the web console or oc
new-project
command, an endpoint in Red Hat OpenShift service on AWS is used to provision the
project according to a template, which can be customized.
As a cluster administrator, you can allow and configure how developers and service accounts can create, or self-provision, their own projects.
The Red Hat OpenShift service on AWS API server automatically provisions new projects based on
the project template that is identified by the projectRequestTemplate
parameter in the cluster’s project configuration resource. If the parameter is
not defined, the API server creates a default template that creates a project
with the requested name, and assigns the requesting user to the admin
role for
that project.
When a project request is submitted, the API substitutes the following parameters into the template:
Parameter | Description |
---|---|
|
The name of the project. Required. |
|
The display name of the project. May be empty. |
|
The description of the project. May be empty. |
|
The user name of the administrating user. |
|
The user name of the requesting user. |
Access to the API is granted to developers with the self-provisioner
role and
the self-provisioners
cluster role binding. This role is available to all
authenticated developers by default.
As a cluster administrator, you can modify the default project template so that new projects are created using your custom requirements.
To create your own custom project template:
You have access to an Red Hat OpenShift service on AWS cluster using an account with dedicated-admin
permissions.
Log in as a user with cluster-admin
privileges.
Generate the default project template:
$ oc adm create-bootstrap-project-template -o yaml > template.yaml
Use a text editor to modify the generated template.yaml
file by adding
objects or modifying existing objects.
The project template must be created in the openshift-config
namespace. Load
your modified template:
$ oc create -f template.yaml -n openshift-config
Edit the project configuration resource using the web console or CLI.
Using the web console:
Navigate to the Administration → Cluster Settings page.
Click Configuration to view all configuration resources.
Find the entry for Project and click Edit YAML.
Using the CLI:
Edit the project.config.openshift.io/cluster
resource:
$ oc edit project.config.openshift.io/cluster
Update the spec
section to include the projectRequestTemplate
and name
parameters, and set the name of your uploaded project template. The default name
is project-request
.
apiVersion: config.openshift.io/v1
kind: Project
metadata:
# ...
spec:
projectRequestTemplate:
name: <template_name>
# ...
After you save your changes, create a new project to verify that your changes were successfully applied.
You can prevent an authenticated user group from self-provisioning new projects.
Log in as a user with cluster-admin
privileges.
View the self-provisioners
cluster role binding usage by running the following command:
$ oc describe clusterrolebinding.rbac self-provisioners
Name: self-provisioners
Labels: <none>
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
Role:
Kind: ClusterRole
Name: self-provisioner
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated:oauth
Review the subjects in the self-provisioners
section.
Remove the self-provisioner
cluster role from the group system:authenticated:oauth
.
If the self-provisioners
cluster role binding binds only the self-provisioner
role to the system:authenticated:oauth
group, run the following command:
$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
If the self-provisioners
cluster role binding binds the self-provisioner
role to more users, groups, or service accounts than the system:authenticated:oauth
group, run the following command:
$ oc adm policy \
remove-cluster-role-from-group self-provisioner \
system:authenticated:oauth
Edit the self-provisioners
cluster role binding to prevent automatic updates to the role. Automatic updates reset the cluster roles to the default state.
To update the role binding using the CLI:
Run the following command:
$ oc edit clusterrolebinding.rbac self-provisioners
In the displayed role binding, set the rbac.authorization.kubernetes.io/autoupdate
parameter value to false
, as shown in the following example:
apiVersion: authorization.openshift.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "false"
# ...
To update the role binding by using a single command:
$ oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
Log in as an authenticated user and verify that it can no longer self-provision a project:
$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.
Consider customizing this project request message to provide more helpful instructions specific to your organization.
When a developer or a service account that is unable to self-provision projects makes a project creation request using the web console or CLI, the following error message is returned by default:
You may not request a new project via this API.
Cluster administrators can customize this message. Consider updating it to provide further instructions on how to request a new project specific to your organization. For example:
To request a project, contact your system administrator at
projectname@example.com
.
To request a new project, fill out the project request form located at
https://internal.example.com/openshift-project-request
.
To customize the project request message:
Edit the project configuration resource using the web console or CLI.
Using the web console:
Navigate to the Administration → Cluster Settings page.
Click Configuration to view all configuration resources.
Find the entry for Project and click Edit YAML.
Using the CLI:
Log in as a user with cluster-admin
privileges.
Edit the project.config.openshift.io/cluster
resource:
$ oc edit project.config.openshift.io/cluster
Update the spec
section to include the projectRequestMessage
parameter and
set the value to your custom message:
apiVersion: config.openshift.io/v1
kind: Project
metadata:
# ...
spec:
projectRequestMessage: <message_string>
# ...
For example:
apiVersion: config.openshift.io/v1
kind: Project
metadata:
# ...
spec:
projectRequestMessage: To request a project, contact your system administrator at projectname@example.com.
# ...
After you save your changes, attempt to create a new project as a developer or service account that is unable to self-provision projects to verify that your changes were successfully applied.