The multitenancy-manager module: usage examples

Default project templates

The following project templates are included in the Deckhouse Kubernetes Platform:

• default — a template that covers basic project use cases:
  • resource limitation;
  • network isolation;
  • automatic alerts and log collection;
  • choice of security profile;
  • project administrators setup.

  Template description on GitHub.

• secure — includes all the capabilities of the default template and additional features:
  • setting up permissible UID/GID for the project;
  • audit rules for project users’ access to the Linux kernel;
  • scanning of launched container images for CVE presence.

  Template description on GitHub.

• secure-with-dedicated-nodes — includes all the capabilities of the secure template and additional features:
  • defining the node selector for all the pods in the project: if a pod is created, the node selector pod will be substituted with the project’s node selector automatically;
  • defining the default toleration for all the pods in the project: if a pod is created, the default toleration will be added to the pod automatically.

  Template description on GitHub.

To list all available parameters for a project template, execute the command:

kubectl get projecttemplates <PROJECT_TEMPLATE_NAME> -o jsonpath='{.spec.parametersSchema.openAPIV3Schema}' | jq

Creating a project

1. To create a project, create the Project resource by specifying the name of the project template in .spec.projectTemplateName field.

2. In the .spec.parameters field of the Project resource, specify the parameter values suitable for the ProjectTemplate .spec.parametersSchema.openAPIV3Schema.

   Example of creating a project using the Project resource from the default ProjectTemplate:

   apiVersion: deckhouse.io/v1alpha2
   kind: Project
   metadata:
     name: my-project
   spec:
     description: This is an example from the Deckhouse documentation.
     projectTemplateName: default
     parameters:
       resourceQuota:
         requests:
           cpu: 5
           memory: 5Gi
           storage: 1Gi
         limits:
           cpu: 5
           memory: 5Gi
       networkPolicy: Isolated
       podSecurityProfile: Restricted
       extendedMonitoringEnabled: true
       administrators:
       - subject: Group
         name: k8s-admins
   

3. To check the status of the project, execute the command:

   kubectl get projects my-project
   

   A successfully created project should be in the Deployed state. If the state equals Error, add the -o yaml argument to the command (e.g., kubectl get projects my-project -o yaml) to get more detailed information about the error.

Creating a project automatically for a namespace

You can create a new project for a namespace. To do this, add the projects.deckhouse.io/adopt annotation to the namespace. For example:

1. Create a new namespace:

   kubectl create ns test
   

2. Add the annotation:

   kubectl annotate ns test projects.deckhouse.io/adopt=""
   

3. Make sure that the project was created:

   kubectl get projects
   

   A new project corresponding to the namespace will appear in the project list:

   NAME        STATE      PROJECT TEMPLATE   DESCRIPTION                                            AGE
   deckhouse   Deployed   virtual            This is a virtual project                              181d
   default     Deployed   virtual            This is a virtual project                              181d
   test        Deployed   empty                                                                     1m
   

You can change the template of the created project to the existing one.

{% alert level=”warning” %} Note that changing the template may cause a resource conflict. If the template chart contains resources that are already present in the namespace, you will not be able to apply the template. {% endalert %}

Creating your own project template

Default templates cover basic project use cases and serve as a good example of template capabilities.

To create your own template:

1. Take one of the default templates as a basis, for example, default.

2. Copy it to a separate file, for example, my-project-template.yaml using the command:

   kubectl get projecttemplates default -o yaml > my-project-template.yaml
   

3. Edit the my-project-template.yaml file, make the necessary changes.

   It is necessary to change not only the template, but also the scheme of input parameters for it.

   Project templates support all Helm templating functions.

4. Change the template name in the .metadata.name field.

5. Apply your new template with the command:

   kubectl apply -f my-project-template.yaml
   

6. Check the availability of the new template with the command:

   kubectl get projecttemplates <NEW_TEMPLATE_NAME>