Configuring project creation

    As a cluster administrator, you can allow and configure how developers and service accounts can create, or self-provision, their own projects.

    The OKD API server automatically provisions new projects based on the project template that is identified by the projectRequestTemplate parameter in the cluster’s project configuration resource. If the parameter is not defined, the API server creates a default template that creates a project with the requested name, and assigns the requesting user to the admin role for that project.

    When a project request is submitted, the API substitutes the following parameters into the template:

    Access to the API is granted to developers with the self-provisioner role and the self-provisioners cluster role binding. This role is available to all authenticated developers by default.

    As a cluster administrator, you can modify the default project template so that new projects are created using your custom requirements.

    To create your own custom project template:

    Procedure

    1. Log in as a user with cluster-admin privileges.

    2. Generate the default project template:

    3. Use a text editor to modify the generated template.yaml file by adding objects or modifying existing objects.

    4. The project template must be created in the openshift-config namespace. Load your modified template:

      1. $ oc create -f template.yaml -n openshift-config
      • Using the web console:

        1. Navigate to the AdministrationCluster Settings page.

        2. Click Global Configuration to view all configuration resources.

        3. Find the entry for Project and click Edit YAML.

      • Using the CLI:

        1. Edit the project.config.openshift.io/cluster resource:

          1. $ oc edit project.config.openshift.io/cluster
    1. Update the spec section to include the projectRequestTemplate and name parameters, and set the name of your uploaded project template. The default name is project-request.

      Project configuration resource with custom project template

      1. apiVersion: config.openshift.io/v1
      2. kind: Project
      3. metadata:
      4. spec:
      5. name: <template_name>
    2. After you save your changes, create a new project to verify that your changes were successfully applied.

    You can prevent an authenticated user group from self-provisioning new projects.

    Procedure

    1. Log in as a user with cluster-admin privileges.

    2. View the self-provisioners cluster role binding usage by running the following command:

      1. $ oc describe clusterrolebinding.rbac self-provisioners

      Example output

      Review the subjects in the self-provisioners section.

    3. Remove the self-provisioner cluster role from the group system:authenticated:oauth.

      • If the self-provisioners cluster role binding binds only the self-provisioner role to the system:authenticated:oauth group, run the following command:

        1. $ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
      • If the self-provisioners cluster role binding binds the self-provisioner role to more users, groups, or service accounts than the system:authenticated:oauth group, run the following command:

        1. $ oc adm policy \
        2. remove-cluster-role-from-group self-provisioner \
        3. system:authenticated:oauth
    4. Edit the self-provisioners cluster role binding to prevent automatic updates to the role. Automatic updates reset the cluster roles to the default state.

      • To update the role binding using the CLI:

        1. Run the following command:

          1. $ oc edit clusterrolebinding.rbac self-provisioners
          1. apiVersion: authorization.openshift.io/v1
          2. kind: ClusterRoleBinding
          3. metadata:
          4. annotations:
          5. rbac.authorization.kubernetes.io/autoupdate: "false"
          6. ...
    5. Log in as an authenticated user and verify that it can no longer self-provision a project:

      1. $ oc new-project test

      Example output

      1. Error from server (Forbidden): You may not request a new project via this API.

      Consider customizing this project request message to provide more helpful instructions specific to your organization.

    When a developer or a service account that is unable to self-provision projects makes a project creation request using the web console or CLI, the following error message is returned by default:

    1. You may not request a new project via this API.

    Cluster administrators can customize this message. Consider updating it to provide further instructions on how to request a new project specific to your organization. For example:

    • To request a project, contact your system administrator at projectname@example.com.

    • To request a new project, fill out the project request form located at https://internal.example.com/openshift-project-request.

    To customize the project request message:

    Procedure

    1. Edit the project configuration resource using the web console or CLI.

      • Using the web console:

        1. Navigate to the AdministrationCluster Settings page.

        2. Click Global Configuration to view all configuration resources.

        3. Find the entry for Project and click Edit YAML.

      • Using the CLI:

        1. Log in as a user with cluster-admin privileges.

        2. Edit the project.config.openshift.io/cluster resource:

          1. $ oc edit project.config.openshift.io/cluster
    1. Update the spec section to include the projectRequestMessage parameter and set the value to your custom message:

      Project configuration resource with custom project request message

      For example:

      1. apiVersion: config.openshift.io/v1
      2. kind: Project
      3. metadata:
      4. ...
      5. spec:
      6. projectRequestMessage: To request a project, contact your system administrator at projectname@example.com.