Deckhouse Kubernetes Platform includes a set of templates for creating projects:
- default is a template for basic project use cases:
  - resource limits
  - network isolation
  - automatic alerts and log collection
  - selecting a security profile
  - configuring project administrators
- secure includes all capabilities of the default template and adds:
  - configuring allowed UID/GID ranges for the project
  - audit rules for Linux users' interactions with the kernel
  - scanning container images at runtime for known vulnerabilities (CVEs)
- secure-with-dedicated-nodes includes all capabilities of the secure template and adds:
  - defining a node selector for all pods in the project: when a pod is created, its node selector is automatically replaced with the project's node selector
  - defining default tolerations for all pods in the project: when a pod is created, the default tolerations are automatically added to it
To list all available parameters for a project template, run:
d8 k get projecttemplates <PROJECT_TEMPLATE_NAME> -o jsonpath='{.spec.parametersSchema.openAPIV3Schema}' | jq
Project creation
- To create a project, create a custom resource Project with the project template name specified in the .spec.projectTemplateName field.
- In the .spec.parameters parameter, specify the values for the .spec.parametersSchema.openAPIV3Schema section of the custom resource ProjectTemplate.
  An example of creating a project using Project from the default ProjectTemplate is shown below:
    apiVersion: deckhouse.io/v1alpha2
    kind: Project
    metadata:
      name: my-project
    spec:
      description: This is an example from the Deckhouse documentation.
      projectTemplateName: default
      parameters:
        resourceQuota:
          requests:
            cpu: 5
            memory: 5Gi
            storage: 1Gi
          limits:
            cpu: 5
            memory: 5Gi
        networkPolicy: Isolated
        podSecurityProfile: Restricted
        extendedMonitoringEnabled: true
        administrators:
          - subject: Group
            name: k8s-admins
- To check the project status, run the following command:
    d8 k get projects my-project
  A successfully created project should have the Deployed (synced) status. If the status is Error, add the -o yaml flag to the command (for example, d8 k get projects my-project -o yaml) to get more details about the error cause.
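A pre-flight check for the parameters step above, as an added example that is not part of the Deckhouse documentation: it validates .spec.parameters against a template's openAPIV3Schema before the Project is applied. The validate function and the SCHEMA fragment are constructed for illustration; only the type, enum, required, properties and items keywords are handled, and keys missing from the schema are rejected by choice.

```python
import json

# Constructed schema fragment (an assumption, not the real schema of the default
# template). In practice, load the JSON printed by the jsonpath command above.
SCHEMA = json.loads("""
{"type": "object",
 "required": ["podSecurityProfile", "networkPolicy"],
 "properties": {
   "podSecurityProfile": {"type": "string", "enum": ["Baseline", "Restricted", "Privileged"]},
   "networkPolicy": {"type": "string", "enum": ["Isolated", "NotRestricted"]},
   "extendedMonitoringEnabled": {"type": "boolean"},
   "administrators": {"type": "array", "items": {
     "type": "object", "required": ["subject", "name"],
     "properties": {"subject": {"type": "string"}, "name": {"type": "string"}}}}
 }}
""")

TYPES = {"object": dict, "array": list, "string": str, "boolean": bool,
         "integer": int, "number": (int, float)}

def validate(value, schema, path=".spec.parameters"):
    """Return a list of error strings; an empty list means the value conforms."""
    expected = schema.get("type")
    if expected:
        ok = isinstance(value, TYPES[expected])
        # bool is a subclass of int in Python: never accept true/false as a number.
        if expected in ("integer", "number") and isinstance(value, bool):
            ok = False
        if not ok:
            return [f"{path}: expected {expected}, got {type(value).__name__}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in {schema['enum']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required parameter is missing")
        for key, item in value.items():
            if key in props:
                errors.extend(validate(item, props[key], f"{path}.{key}"))
            else:  # strict by choice: a typo would otherwise leave a default in place
                errors.append(f"{path}.{key}: not defined in the template schema")
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors
```

A misspelled key such as podSecurityProfil is reported twice, once as an undefined key and once as the missing required parameter, which makes the typo easy to spot in review.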
Automatic project creation for a namespace
You can create a new project for an existing namespace. To do this, add the projects.deckhouse.io/adopt annotation to the namespace. For example:
- Create a new namespace:
    d8 k create ns test
- Annotate it with the following command:
    d8 k annotate ns test projects.deckhouse.io/adopt=""
- Make sure the project has been created:
    d8 k get projects
  A new project matching the namespace will appear in the list of projects:
    NAME        STATE      PROJECT TEMPLATE   DESCRIPTION                 AGE
    deckhouse   Deployed   virtual            This is a virtual project   181d
    default     Deployed   virtual            This is a virtual project   181d
    test        Deployed   empty                                          1m
You can change the template of an existing project to another available template.
Note that changing the template may cause resource conflicts: if the template chart defines resources that already exist in the namespace, the template cannot be applied.
Creating a custom project template
The default project templates cover common baseline scenarios and also serve as examples of what templates can do.
To create your own template:
- Use one of the default templates as a starting point, for example, default.
- Export it to a separate file, for example, my-project-template.yaml, using the following command:
    d8 k get projecttemplates default -o yaml > my-project-template.yaml
- Edit the my-project-template.yaml file and apply the required changes.
  You must update not only the template itself, but also the input parameters schema to match it.
  Project templates support all Helm templating functions.
- Change the template name in the .metadata.name field.
- Apply the resulting template with the following command:
    d8 k apply -f my-project-template.yaml
- Check that the new template is available by running:
    d8 k get projecttemplates <NEW_TEMPLATE_NAME>