Configuring default Project creation in Openshift
Feb 27, 2022
In this blog we will have a look at “Configuring project creation” in an Openshift
cluster. We will:
Create a Project Template
Add resources like a limit-range to the template
Disable project self-provisioning
As always. We will be doing all the examples in a CRC (Code Ready Containers)
environment.
Project template
When creating a new project in Openshift (a namespace) the API query’s the default
template that is in use by the cluster. We can however change this to better suit
our needs. By creating a project template and adding resources to it we can setup
new Projects to be in line with our workflow and we can apply limits on creation.
Creating a template
Templates are stored in the namespace openshift-config as
template.template.openshift.io objects. To create a new template we can use the
special oc adm command:
$ oc adm create-bootstrap-project-template -o yaml > our-template.yaml
This template will include some basic things like:
Creating a admin role-binding to the user that creates the project
Setting up parameters like PROJECT_REQUESTING_USER
Customizing our template
Adding custom object is done by adding to the -objects array. Here we can add
object’s like LimitRange, Quota and other Openshift resources.
Tip: When adding to the template validate the object’s first by creating them.
Otherwise you might get syntax error’s when creating new projects
Let’s change a few things in our template:
# our-template.yam
apiVersion: template.openshift.io/v1
kind: Template
metadata:
creationTimestamp: null
name: our-template
objects:
- apiVersion: v1
kind: LimitRange
metadata:
name: "${PROJECT_NAME}-resource-limits"
spec:
limits:
- type: Container
default:
cpu: 50m
- apiVersion: project.openshift.io/v1
kind: Project
metadata:
annotations:
openshift.io/description: ${PROJECT_DESCRIPTION}
openshift.io/display-name: ${PROJECT_DISPLAYNAME}
openshift.io/requester: ${PROJECT_REQUESTING_USER}
� creationTimestamp: null
name: ${PROJECT_NAME}-from-template
spec: {}
status: {}
parameters:
- name: PROJECT_NAME
- name: PROJECT_DISPLAYNAME
- name: PROJECT_DESCRIPTION
- name: PROJECT_ADMIN_USER
- name: PROJECT_REQUESTING_USER
In this yaml we have:
added to the project name -from-template. Every new project that is created will
now be called PROJECT-from-template
Added a LimitRange with the name ${PROJECT_NAME}-resource-limits to all new
projects that sets a default cpu limit of 50m
Removed the default admin role binding
Applying our custom template
Remember to create the template in openshift-config:
$ oc apply -f our-template.yaml -n openshift-config
template.template.openshift.io/our-template created
To make this template the default we need to add it at the end of
project.config.openshift.io/cluster:
$ oc edit project.config.openshift.io/cluster
Change the last line from:
spec: {}
To:
spec:
projectRequestTemplate:
name: our-template
Now we can check out our template:
$ oc get templates.template.openshift.io -n openshift-config
NAME DESCRIPTION PARAMETERS OBJECTS
our-template 5 (5 blank) 2
No we need to wait a bit for the cluster to pick up the change. You can monitor
this by checking the api pods:
$ oc get pods -n openshift-apiserver
AME READY STATUS RESTARTS AGE
apiserver-b47db7bc4-x79sm 0/2 Pending 0 41s
apiserver-ccc6bf7b5-gbbq2 2/2 Terminating 0 125m
Once the new pods are up and running we can test out our new template.
Creating a new project with our template
Ok check, new config is online? Let’s create a project:
$ oc new-project template-test-project
Now using project "template-test-project-from-template" on server
"https://api.crc.testing:6443".
$ oc get limitrange
NAME CREATED AT
template-test-project-resource-limits 2022-02-27T19:38:12Z
Disabling project self-provisioning
Letting users create new projects is a main principle of the DevOps setup of any
�cluster. There might however be situations where you don’t want users to create
their own projects. You could enforce project creation with a GitOps pipeline and
ensure that no rouge projects are created from the CLI or web-interface.
Patching the self-provisioner role
By default all authenticated uses are able to create new projects. To disable this
we can patch this binding with:
$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
After this, users can no longer create projects:
$ oc new-project test-project
Error from server (Forbidden): You may not request a new project via this API.
Auto update: This patching will work until the cluster is updated. To make this
permanent follow the instructions in the RedHat Openshift documentation
Creating a provisioning role
In certain scenarios you might still want some users to create projects. All users
with the clusterolebinding cluster-admin can still create projects. For users with
less privileges we will create a group ProjectCreators:
$ oc adm groups new ProjectCreators
$ oc adm policy add-cluster-role-to-group self-provisioner ProjectCreators
$ oc adm groups add-users ProjectCreators Jim
Now all members of the group can create projects.
Wrapping up
This was a really simple demo of changing the default project template to something
that fits our needs better.
I hope this post has helped you. Check out my other EX280 related content on my
EX280 page
