$ oc edit template project-request -n dedicated-admin
×
Managing Projects
Overview
In OpenShift Dedicated, projects are used to group and isolate related objects. As an administrator, you can give developers access to certain projects, allow them to create their own, and give them administrative rights within individual projects.
A dedicated administrator is by default an administrator for all projects on the cluster that are not managed by Red Hat Operations.
Self-provisioning Projects
You can allow developers to create their own projects. There is an endpoint
that will provision a project according to a
template. The web console and oc new-project
command use this endpoint when a developer creates a new project.
Modifying the Template for New Projects
The API server automatically provisions projects based on the template that is
identified by the projectRequestTemplate parameter of the
master-config.yaml file
If the parameter is not defined, the API server creates a default template that
creates a project with the requested name, and assigns the requesting user to
the "admin" role for that project.
Edit the default project template with the following command:
If you modify the default project template and want your changes to remain after
you upgrade, you must update the openshift.io/overwrite-protect annotation value
to true.
$ oc annotate template project-request -n dedicated-admin openshift.io/overwrite-protect=trueThe default value is false, so by default your changes are not protected
against overwrite. You only need to update the value if you make changes to the
project template.
Setting the value to true results in the upgrade skipping the template and not
updating it. Therefore, you must check that newer versions of OpenShift Dedicated
provide anything of interest that they would need to incorporate.
When a project request is submitted, the API substitutes the following parameters into the template:
| Parameter | Description |
|---|---|
PROJECT_NAME |
The name of the project. Required. |
PROJECT_DISPLAYNAME |
The display name of the project. May be empty. |
PROJECT_DESCRIPTION |
The description of the project. May be empty. |
PROJECT_ADMIN_USER |
The username of the administrating user. |
PROJECT_REQUESTING_USER |
The username of the requesting user. |
Access to the API is granted to developers with the
self-provisioner
role and the self-provisioners cluster role binding. This role is available
to all authenticated developers by default.
Disabling Self-provisioning
Dedicated admins can prevent an authenticated user group from self-provisioning new projects.
To remove the self-provisioner clusterrole from all authenticated
users, the system:authenticated:oauth group, run the following command:
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauthEnforcing Different Project Limits for Users
If you are an OpenShift Dedicated administrator and want to enforce different limits on the number of projects that your users can create, apply the appropriate label to the user.
Acceptable Values for Project Limit
openshift.io/project-limit: '0' openshift.io/project-limit: '1' openshift.io/project-limit: '3' openshift.io/project-limit: '5' openshift.io/project-limit: '10' openshift.io/project-limit: '20' openshift.io/project-limit: '50' openshift.io/project-limit: '100' openshift.io/project-limit: 'unlimited'
The default limit is unlimited.
Managing Limits and Quota on Project Resources
Edit the project template as defined above to have default limits and quotas applied to all newly created projects.
See Setting Quotas and Setting Limit Ranges for more information.