Configuring default Project creation in Openshift

In this blog we will have a look at “Configuring project creation” in an Openshift cluster. We will:

  • Create a Project Template
  • Add resources like a limit-range to the template
  • Disable project self-provisioning

As always. We will be doing all the examples in a CRC (Code Ready Containers) environment.

Project template

When creating a new project in Openshift (a namespace) the API query’s the default template that is in use by the cluster. We can however change this to better suit our needs. By creating a project template and adding resources to it we can setup new Projects to be in line with our workflow and we can apply limits on creation.

Creating a template

Templates are stored in the namespace openshift-config as template.template.openshift.io objects. To create a new template we can use the special oc adm command:

$ oc adm create-bootstrap-project-template -o yaml > our-template.yaml

This template will include some basic things like:

  • Creating a admin role-binding to the user that creates the project
  • Setting up parameters like PROJECT_REQUESTING_USER

Customizing our template

Adding custom object is done by adding to the -objects array. Here we can add object’s like LimitRange, Quota and other Openshift resources.

Tip: When adding to the template validate the object’s first by creating them. Otherwise you might get syntax error’s when creating new projects

Let’s change a few things in our template:

# our-template.yam
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  creationTimestamp: null
  name: our-template
objects:
- apiVersion: v1
  kind: LimitRange
  metadata:
    name: "${PROJECT_NAME}-resource-limits"
  spec:
    limits:
      - type: Container
        default:
          cpu: 50m
- apiVersion: project.openshift.io/v1
  kind: Project
  metadata:
    annotations:
      openshift.io/description: ${PROJECT_DESCRIPTION}
      openshift.io/display-name: ${PROJECT_DISPLAYNAME}
      openshift.io/requester: ${PROJECT_REQUESTING_USER}
    creationTimestamp: null
    name: ${PROJECT_NAME}-from-template
  spec: {}
  status: {}
parameters:
- name: PROJECT_NAME
- name: PROJECT_DISPLAYNAME
- name: PROJECT_DESCRIPTION
- name: PROJECT_ADMIN_USER
- name: PROJECT_REQUESTING_USER

In this yaml we have:

  • added to the project name -from-template. Every new project that is created will now be called PROJECT-from-template
  • Added a LimitRange with the name ${PROJECT_NAME}-resource-limits to all new projects that sets a default cpu limit of 50m
  • Removed the default admin role binding

Applying our custom template

Remember to create the template in openshift-config:

$ oc apply -f our-template.yaml -n openshift-config
template.template.openshift.io/our-template created 

To make this template the default we need to add it at the end of project.config.openshift.io/cluster:

$ oc edit project.config.openshift.io/cluster 

Change the last line from:

spec: {}

To:

spec:
  projectRequestTemplate:
    name: our-template

Now we can check out our template:

$ oc get templates.template.openshift.io -n openshift-config
NAME           DESCRIPTION   PARAMETERS    OBJECTS
our-template                 5 (5 blank)   2

No we need to wait a bit for the cluster to pick up the change. You can monitor this by checking the api pods:

$ oc get pods -n openshift-apiserver
AME                        READY   STATUS        RESTARTS   AGE
apiserver-b47db7bc4-x79sm   0/2     Pending       0          41s
apiserver-ccc6bf7b5-gbbq2   2/2     Terminating   0          125m

Once the new pods are up and running we can test out our new template.

Creating a new project with our template

Ok check, new config is online? Let’s create a project:

$ oc new-project template-test-project
Now using project "template-test-project-from-template" on server "https://api.crc.testing:6443".
$ oc get limitrange
NAME                                    CREATED AT
template-test-project-resource-limits   2022-02-27T19:38:12Z

Disabling project self-provisioning

Letting users create new projects is a main principle of the DevOps setup of any cluster. There might however be situations where you don’t want users to create their own projects. You could enforce project creation with a GitOps pipeline and ensure that no rouge projects are created from the CLI or web-interface.

Patching the self-provisioner role

By default all authenticated uses are able to create new projects. To disable this we can patch this binding with:

$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'

After this, users can no longer create projects:

$ oc new-project test-project
Error from server (Forbidden): You may not request a new project via this API.

Auto update: This patching will work until the cluster is updated. To make this permanent follow the instructions in the RedHat Openshift documentation

Creating a provisioning role

In certain scenarios you might still want some users to create projects. All users with the clusterolebinding cluster-admin can still create projects. For users with less privileges we will create a group ProjectCreators:

$ oc adm groups new ProjectCreators
$ oc adm policy add-cluster-role-to-group self-provisioner ProjectCreators
$ oc adm groups add-users ProjectCreators Jim

Now all members of the group can create projects.

Wrapping up

This was a really simple demo of changing the default project template to something that fits our needs better.

I hope this post has helped you. Check out my other EX280 related content on my EX280 page


Found this useful? Consider sponsoring me or buying me a cup of coffee at KoFi