Projects

Creating a Project

Project resources may only be created on the management cluster. See below for creating namespaces under projects in a managed cluster.

Creating a Basic Project

    kubectl create -f - <<EOF
    apiVersion: management.cattle.io/v3
    kind: Project
    metadata:
      generateName: p-        # a unique project ID is generated from this prefix
      namespace: c-m-abcde    # cluster ID
    spec:
      clusterName: c-m-abcde  # cluster ID
      displayName: myproject
    EOF

Use metadata.generateName to ensure a unique project ID, but note that kubectl apply does not work with metadata.generateName, so kubectl create must be used instead.

Set metadata.namespace and spec.clusterName to the ID for the cluster the project belongs to.

If you create a project through a cluster member account, you must include the field.cattle.io/creatorId annotation and set it to the cluster member account’s user ID.

    kubectl create -f - <<EOF
    apiVersion: management.cattle.io/v3
    kind: Project
    metadata:
      annotations:
        field.cattle.io/creatorId: user-id  # user ID of the cluster member account
      generateName: p-
      namespace: c-m-abcde
    spec:
      clusterName: c-m-abcde
      displayName: myproject
    EOF

Setting the field.cattle.io/creatorId annotation allows the cluster member account to see project resources with the get command and view the project in the Rancher UI. Cluster owner and admin accounts don’t need to set this annotation to perform these tasks.

Setting the field.cattle.io/creator-principal-name annotation to the user’s principal preserves it in a projectroletemplatebinding automatically created for the project owner.

If you don’t want the creator to be added to the project as the owner member (e.g. if the creator is a cluster administrator), set the field.cattle.io/no-creator-rbac annotation to true. This prevents the corresponding projectroletemplatebinding from being created.

Creating a Project With a Resource Quota

Refer to Kubernetes Resource Quota.

    kubectl create -f - <<EOF
    apiVersion: management.cattle.io/v3
    kind: Project
    metadata:
      generateName: p-
      namespace: c-m-abcde
    spec:
      clusterName: c-m-abcde
      displayName: myproject
      resourceQuota:                  # quota for the project as a whole
        limit:
          limitsCpu: 1000m
      namespaceDefaultResourceQuota:  # default quota for each namespace in the project
        limit:
          limitsCpu: 50m
    EOF

Creating a Project With Container Limit Ranges

Refer to Kubernetes Limit Ranges.

    kubectl create -f - <<EOF
    apiVersion: management.cattle.io/v3
    kind: Project
    metadata:
      generateName: p-
      namespace: c-m-abcde
    spec:
      clusterName: c-m-abcde
      displayName: myproject
      containerDefaultResourceLimit:
        limitsCpu: 100m
        limitsMemory: 100Mi
        requestsCpu: 50m
        requestsMemory: 50Mi
    EOF

Adding a Member to a Project

Look up the project ID to specify the metadata.namespace field and projectName field values.

    kubectl --namespace c-m-abcde get projects

Look up the role template ID to specify the roleTemplateName field value (e.g. project-member or project-owner).

    kubectl get roletemplates

When adding a user member, specify the userPrincipalName field:

    kubectl create -f - <<EOF
    apiVersion: management.cattle.io/v3
    kind: ProjectRoleTemplateBinding
    metadata:
      generateName: prtb-
      namespace: p-vwxyz                  # project ID
    projectName: c-m-abcde:p-vwxyz        # <cluster ID>:<project ID>
    roleTemplateName: project-member
    userPrincipalName: keycloak_user://user
    EOF

When adding a group member, specify the groupPrincipalName field instead:

    kubectl create -f - <<EOF
    apiVersion: management.cattle.io/v3
    kind: ProjectRoleTemplateBinding
    metadata:
      generateName: prtb-
      namespace: p-vwxyz
    projectName: c-m-abcde:p-vwxyz
    roleTemplateName: project-member
    groupPrincipalName: keycloak_group://group
    EOF

Create a projectroletemplatebinding for each role you want to assign to the project member.

Listing Project Members

Look up the project ID:

    kubectl --namespace c-m-abcde get projects

Then list the projectroletemplatebindings in the project’s namespace:

    kubectl --namespace p-vwxyz get projectroletemplatebindings
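For a periodic membership review, the listing can be turned into findings. The script below is an added example, not part of the Rancher documentation: it reads one binding per line, flags bindings whose namespace does not match the project ID in projectName, and lists every project-owner grant. The function names, finding labels and sample rows are constructed for illustration, and principals are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit ProjectRoleTemplateBindings from kubectl output.
# Live input (management cluster), one binding per line:
#   kubectl get projectroletemplatebindings --all-namespaces --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,PROJECT:.projectName,ROLE:.roleTemplateName,USER:.userPrincipalName,GROUP:.groupPrincipalName
# kubectl prints <none> for a field that is not set.

audit_prtbs() {
  awk '
    NF == 0 { next }                               # skip blank lines
    NF < 6  { print "MALFORMED line " NR; next }
    {
      ns = $1; name = $2; project = $3; role = $4; user = $5; group = $6
      # projectName has the form <cluster ID>:<project ID>, and the
      # binding lives in the namespace named after the project ID.
      n = split(project, part, ":")
      if (n != 2 || part[1] == "" || part[2] == "")
        print "BAD_PROJECT_NAME " ns "/" name " projectName=" project
      else if (part[2] != ns)
        print "NAMESPACE_MISMATCH " ns "/" name " projectName=" project
      # Owner grants are the ones worth a manual review.
      if (role == "project-owner") {
        who = (user != "<none>") ? user : group
        print "OWNER " project " " who " (" name ")"
      }
    }
  '
}

# Constructed sample rows in the column order shown above.
sample_prtbs() {
  cat <<'ROWS'
p-vwxyz prtb-qx874 c-m-abcde:p-vwxyz project-member keycloak_user://user <none>
p-vwxyz prtb-7zw7s c-m-abcde:p-vwxyz project-owner <none> keycloak_group://group
p-aaaaa prtb-x1111 c-m-abcde:p-vwxyz project-member keycloak_user://user2 <none>
ROWS
}

sample_prtbs | audit_prtbs
```

To audit a live cluster, pipe the kubectl command from the header comment into audit_prtbs instead of the sample rows.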

Deleting a Member From a Project

Look up the projectroletemplatebinding IDs containing the member in the project’s namespace as described in the Listing Project Members section.

Delete the projectroletemplatebinding from the project’s namespace:

    kubectl --namespace p-vwxyz delete projectroletemplatebindings prtb-qx874 prtb-7zw7s

Creating a Namespace in a Project

The Project resource resides in the management cluster, even if the Project is for a managed cluster. The namespaces under the project reside in the managed cluster.

On the management cluster, look up the project ID for the cluster you are administering, since it is generated using metadata.generateName:

    kubectl --namespace c-m-abcde get projects

On the managed cluster, create a namespace with a project annotation:

    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Namespace
    metadata:
      name: mynamespace
      annotations:
        field.cattle.io/projectId: c-m-abcde:p-vwxyz  # <cluster ID>:<project ID>
    EOF

Note the format, <cluster ID>:<project ID>.

Deleting a Project

Look up the project to delete in the cluster namespace:

    kubectl --namespace c-m-abcde get projects

Delete the project under the cluster namespace:

    kubectl --namespace c-m-abcde delete project p-vwxyz

Note that this command doesn’t delete the namespaces and resources that formerly belonged to the project.
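Because the field.cattle.io/projectId annotation is written by hand on the managed cluster while projects live on the management cluster, a namespace can end up pointing at a project that does not exist, through a typo or a leftover namespace whose annotation still names a deleted project. The cross-check below is an added example, not part of the Rancher documentation; the function names, file names, finding labels and sample data are constructed, and it assumes the annotation is still present on leftover namespaces.

```shell
#!/bin/sh
# Added example: compare namespace project annotations with live projects.
# Inputs are two text files (hypothetical names):
#   projects.txt   (management cluster) one project ID per line:
#     kubectl --namespace c-m-abcde get projects --no-headers \
#       -o custom-columns=ID:.metadata.name
#   namespaces.txt (managed cluster) "<namespace> <projectId annotation>":
#     kubectl get namespaces --no-headers \
#       -o custom-columns='NS:.metadata.name,PROJECT:.metadata.annotations.field\.cattle\.io/projectId'

# usage: orphaned_namespaces <cluster ID> projects.txt namespaces.txt
orphaned_namespaces() {
  awk -v cluster="$1" '
    # First file: remember live project IDs. Comparing FILENAME (not
    # NR == FNR) keeps this correct when the project list is empty.
    FILENAME == ARGV[1] { if (NF) known[$1] = 1; next }
    NF < 2 || $2 == "<none>" { next }        # namespace is not in a project
    {
      n = split($2, part, ":")               # <cluster ID>:<project ID>
      if (n != 2 || part[1] != cluster)
        print "BAD_ANNOTATION " $1 " " $2
      else if (!(part[2] in known))
        print "ORPHANED " $1 " " $2
    }
  ' "$2" "$3"
}

# Constructed sample data: one live project, three namespaces.
demo_orphans() {
  dir=$(mktemp -d)
  printf '%s\n' 'p-vwxyz' > "$dir/projects.txt"
  printf '%s\n' \
    'mynamespace c-m-abcde:p-vwxyz' \
    'oldapp c-m-abcde:p-gone1' \
    'kube-public <none>' > "$dir/namespaces.txt"
  orphaned_namespaces c-m-abcde "$dir/projects.txt" "$dir/namespaces.txt"
  rm -rf "$dir"
}

demo_orphans
```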