Overview

In OpenShift Dedicated, projects are used to group and isolate related objects. As an administrator, you can give developers access to certain projects, allow them to create their own, and give them administrative rights within individual projects.

A dedicated administrator is by default an administrator for all projects on the cluster that are not managed by Red Hat Operations.

Self-provisioning Projects

You can allow developers to create their own projects. There is an endpoint that will provision a project according to a template. The web console and oc new-project command use this endpoint when a developer creates a new project.

Modifying the Template for New Projects

The API server automatically provisions projects based on the template that is identified by the projectRequestTemplate parameter of the master-config.yaml file. If the parameter is not defined, the API server creates a default template that creates a project with the requested name, and assigns the requesting user to the "admin" role for that project.

Edit the default project template with the following command:

$ oc edit template project-request -n dedicated-admin

If you modify the default project template and want your changes to remain after you upgrade, you must update the openshift.io/overwrite-protect annotation value to true.

$ oc annotate template project-request -n dedicated-admin openshift.io/overwrite-protect=true

The default value is false, so by default your changes are not protected against overwrite. You only need to update the value if you make changes to the project template.

Setting the value to true causes the upgrade to skip the template and leave it unchanged. Therefore, you must check whether newer versions of OpenShift Dedicated provide anything of interest that you need to incorporate.

When a project request is submitted, the API substitutes the following parameters into the template:

Parameter                 Description
PROJECT_NAME              The name of the project. Required.
PROJECT_DISPLAYNAME       The display name of the project. May be empty.
PROJECT_DESCRIPTION       The description of the project. May be empty.
PROJECT_ADMIN_USER        The username of the administrating user.
PROJECT_REQUESTING_USER   The username of the requesting user.

Access to the API is granted to developers with the self-provisioner role and the self-provisioners cluster role binding. This role is available to all authenticated developers by default.

Disabling Self-provisioning

Dedicated admins can prevent an authenticated user group from self-provisioning new projects.

To remove the self-provisioner cluster role from all authenticated users (the system:authenticated:oauth group), run the following command:

$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth

Enforcing Different Project Limits for Users

If you are an OpenShift Dedicated administrator and want to enforce different limits on the number of projects that your users can create, apply the appropriate label to the user.

Acceptable Values for Project Limit
openshift.io/project-limit: '0'
openshift.io/project-limit: '1'
openshift.io/project-limit: '3'
openshift.io/project-limit: '5'
openshift.io/project-limit: '10'
openshift.io/project-limit: '20'
openshift.io/project-limit: '50'
openshift.io/project-limit: '100'
openshift.io/project-limit: 'unlimited'

The default limit is unlimited.

Managing Limits and Quota on Project Resources

Edit the project template as defined above to have default limits and quotas applied to all newly created projects.

See Setting Quotas and Setting Limit Ranges for more information.
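
As an added illustration (not taken from the OpenShift Dedicated documentation), the following fragment shows two objects that could be appended to the objects list of the project-request template so that every self-provisioned project starts with a quota and default container limits. The object names and all resource values are constructed for this example; the existing Project and RoleBinding objects in the template are assumed to stay unchanged.

```yaml
# Added example: entries appended under "objects:" in the project-request
# template. Names and values are constructed; size them for your cluster.
objects:
# (existing Project and RoleBinding objects remain above, unchanged)
- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: default-quota              # hypothetical name
    namespace: ${PROJECT_NAME}       # substituted when the project is requested
  spec:
    hard:
      pods: "10"
      requests.cpu: "2"
      requests.memory: 4Gi
      limits.cpu: "4"
      limits.memory: 8Gi
      persistentvolumeclaims: "5"
- apiVersion: v1
  kind: LimitRange
  metadata:
    name: default-limits             # hypothetical name
    namespace: ${PROJECT_NAME}
  spec:
    limits:
    - type: Container
      # Applied to containers that declare no limits or requests of their
      # own, so they are still admitted under the quota above.
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 256Mi
      # Upper bound that any single container may request.
      max:
        cpu: "2"
        memory: 2Gi
```

Because the quota constrains limits.cpu and limits.memory, pods that set no limits would be rejected without the LimitRange defaults. After editing the template, set the openshift.io/overwrite-protect annotation to true as described above so that an upgrade does not revert the change.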