Overview

In OpenShift Dedicated, projects are used to group and isolate related objects. As an administrator, you can give developers access to certain projects, allow them to create their own, and give them administrative rights within individual projects.

A dedicated administrator is by default an administrator for all projects on the cluster that are not managed by Red Hat Operations.

Self-provisioning Projects

You can allow developers to create their own projects. There is an endpoint that will provision a project according to a template. The web console and oc new-project command use this endpoint when a developer creates a new project.

Modifying the Template for New Projects

The API server automatically provisions projects based on the template that is identified by the projectRequestTemplate parameter of the master-config.yaml file. If the parameter is not defined, the API server creates a default template that creates a project with the requested name, and assigns the requesting user to the "admin" role for that project.

To create your own custom project template:

  1. Start with the current default project template:

    $ oc adm create-bootstrap-project-template -o yaml > template.yaml

  2. Use a text editor to modify the template.yaml file by adding objects or modifying existing objects.

  3. Load the template:

    $ oc create -f template.yaml -n default

  4. Modify the master-config.yaml file to reference the loaded template:

    ...
    projectConfig:
      projectRequestTemplate: "default/project-request"
      ...

When a project request is submitted, the API substitutes the following parameters into the template:

Parameter                 Description
PROJECT_NAME              The name of the project. Required.
PROJECT_DISPLAYNAME       The display name of the project. May be empty.
PROJECT_DESCRIPTION       The description of the project. May be empty.
PROJECT_ADMIN_USER        The username of the administrating user.
PROJECT_REQUESTING_USER   The username of the requesting user.

Access to the API is granted to developers with the self-provisioner role and the self-provisioners cluster role binding. This role is available to all authenticated developers by default.

Enforcing Different Project Limits for Users

If you are an OpenShift Dedicated administrator and want to enforce different limits on the number of projects that your users can create, apply the appropriate label to the user.

Acceptable Values for Project Limit
openshift.io/project-limit: '0'
openshift.io/project-limit: '1'
openshift.io/project-limit: '3'
openshift.io/project-limit: '5'
openshift.io/project-limit: '10'
openshift.io/project-limit: '20'
openshift.io/project-limit: '50'
openshift.io/project-limit: '100'
openshift.io/project-limit: 'unlimited'

The default limit is unlimited.
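
The following added example (not from the OpenShift documentation) audits which users can self-provision an unbounded number of projects, using the label and acceptable values listed above. It assumes the user list was exported with `oc get users -o json`; the function names and the sample users are constructed for illustration.

```python
import json

# Label key and acceptable values, as listed on this page.
LABEL = "openshift.io/project-limit"
ACCEPTABLE = {"0", "1", "3", "5", "10", "20", "50", "100", "unlimited"}


def audit_project_limits(user_list_json):
    """Classify each user by project-limit label.

    Returns {username: (limit, status)} where status is 'ok',
    'default' (label absent, so the default of unlimited applies)
    or 'invalid' (value is not in the acceptable list).
    """
    report = {}
    for user in json.loads(user_list_json).get("items", []):
        meta = user.get("metadata", {})
        value = (meta.get("labels") or {}).get(LABEL)
        if value is None:
            report[meta["name"]] = ("unlimited", "default")
        elif value in ACCEPTABLE:
            report[meta["name"]] = (value, "ok")
        else:
            # The page does not say how such a value is treated: flag it.
            report[meta["name"]] = (value, "invalid")
    return report


def users_to_review(report):
    """Users with no cap, or with a label value outside the acceptable list."""
    return sorted(name for name, (limit, status) in report.items()
                  if limit == "unlimited" or status == "invalid")


# Constructed sample in the shape of `oc get users -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "alice", "labels": {LABEL: "5"}}},
    {"metadata": {"name": "bob"}},
    {"metadata": {"name": "carol", "labels": {LABEL: "2"}}},
    {"metadata": {"name": "dave", "labels": {LABEL: "unlimited"}}},
]})

if __name__ == "__main__":
    report = audit_project_limits(SAMPLE)
    for name, (limit, status) in sorted(report.items()):
        print(f"{name:8} limit={limit:10} status={status}")
    print("review:", users_to_review(report))
```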

Managing Limits and Quota on Project Resources

A default project template is available for any projects created by users on the cluster. The template helps prevent inadvertent consumption of all of the cluster and node resources. The project template is created and configured in the dedicated-admin namespace.

Edit the default project template with the following command:

$ oc edit template project-request -n dedicated-admin

If you modify the default project template and want your changes to remain after you upgrade, you must update the openshift.io/overwrite-protect annotation value to true.

$ oc annotate template project-request -n dedicated-admin openshift.io/overwrite-protect=true

The default value is false, so by default your changes are not protected against overwrite. You only need to update the value if you make changes to the project template.

Setting the value to true causes the upgrade to skip the template and not update it. Therefore, you must check whether newer versions of OpenShift Dedicated provide any template changes of interest that you need to incorporate.

See Setting Quotas and Setting Limit Ranges for more information.