Default project templates
The following project templates are included in the Deckhouse Kubernetes Platform:
- default — a template that covers basic project use cases:
  - resource limitation;
  - network isolation;
  - automatic alerts and log collection;
  - choice of security profile;
  - project administrators setup.
- secure — includes all the capabilities of the default template and additional features:
  - setting up permissible UID/GID for the project;
  - audit rules for project users’ access to the Linux kernel;
  - scanning of launched container images for CVE presence.
- secure-with-dedicated-nodes — includes all the capabilities of the secure template and additional features:
  - defining the node selector for all the pods in the project: when a pod is created, its node selector is automatically replaced with the project’s node selector;
  - defining the default toleration for all the pods in the project: when a pod is created, the default toleration is automatically added to it.
To list all available parameters for a project template, execute the command:
kubectl get projecttemplates <PROJECT_TEMPLATE_NAME> -o jsonpath='{.spec.parametersSchema.openAPIV3Schema}' | jq
Creating a project
- To create a project, create the Project resource and specify the name of the project template in the .spec.projectTemplateName field.
- In the .spec.parameters field of the Project resource, specify parameter values that conform to the ProjectTemplate's .spec.parametersSchema.openAPIV3Schema.
  Example of creating a project using the Project resource from the default ProjectTemplate:

  apiVersion: deckhouse.io/v1alpha2
  kind: Project
  metadata:
    name: my-project
  spec:
    description: This is an example from the Deckhouse documentation.
    projectTemplateName: default
    parameters:
      resourceQuota:
        requests:
          cpu: 5
          memory: 5Gi
          storage: 1Gi
        limits:
          cpu: 5
          memory: 5Gi
      networkPolicy: Isolated
      podSecurityProfile: Restricted
      extendedMonitoringEnabled: true
      administrators:
        - subject: Group
          name: k8s-admins

- To check the status of the project, execute the command:
  kubectl get projects my-project
  A successfully created project should be in the Sync state. If the state is Error, add the -o yaml argument to the command (e.g., kubectl get projects my-project -o yaml) to get more detailed information about the error.
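An audit of the parameters described above, as an added example (not Deckhouse's own code): it reads Project objects as JSON, such as the output of kubectl get projects -o json, and reports any that deviate from the Isolated and Restricted settings used in the example manifest. Treating those values as the required baseline, the function names, and the "legacy" sample project are assumptions of this example.

```python
import json

# Baseline taken from the example Project on this page; treating it as the
# required policy is an assumption of this example.
BASELINE = {"networkPolicy": "Isolated", "podSecurityProfile": "Restricted"}

def audit_project(project):
    """Return a list of findings for one Project object (a parsed dict)."""
    spec = project.get("spec", {})
    params = spec.get("parameters") or {}
    findings = []
    if not spec.get("projectTemplateName"):
        findings.append("spec.projectTemplateName is not set")
    for key, wanted in BASELINE.items():
        actual = params.get(key)
        if actual != wanted:
            findings.append(f"parameters.{key} is {actual!r}, expected {wanted!r}")
    quota = params.get("resourceQuota") or {}
    for section in ("requests", "limits"):
        if not quota.get(section):
            findings.append(f"parameters.resourceQuota.{section} is empty")
    if not params.get("administrators"):
        findings.append("parameters.administrators is empty")
    return findings

def audit_export(text):
    """Audit `kubectl get projects -o json` output; returns {name: findings}."""
    doc = json.loads(text)
    items = doc.get("items", [doc])  # accept a List or a single object
    return {p["metadata"]["name"]: audit_project(p) for p in items}

# Constructed sample: my-project mirrors the page's example, "legacy" is invented.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "my-project"}, "spec": {
        "projectTemplateName": "default",
        "parameters": {
            "resourceQuota": {"requests": {"cpu": 5, "memory": "5Gi", "storage": "1Gi"},
                              "limits": {"cpu": 5, "memory": "5Gi"}},
            "networkPolicy": "Isolated", "podSecurityProfile": "Restricted",
            "extendedMonitoringEnabled": True,
            "administrators": [{"subject": "Group", "name": "k8s-admins"}]}}},
    {"metadata": {"name": "legacy"}, "spec": {
        "projectTemplateName": "default",
        "parameters": {"networkPolicy": "Isolated",
                       "resourceQuota": {"requests": {"cpu": 1}}}}},
]})

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```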
Creating your own project template
Default templates cover basic project use cases and serve as a good example of template capabilities.
To create your own template:
- Take one of the default templates as a basis, for example, default.
- Copy it to a separate file, for example, my-project-template.yaml, using the command:
  kubectl get projecttemplates default -o yaml > my-project-template.yaml
- Edit the my-project-template.yaml file and make the necessary changes.
  It is necessary to change not only the template, but also the schema of input parameters for it.
  Project templates support all Helm templating functions.
- Change the template name in the .metadata.name field.
- Apply your new template with the command:
  kubectl apply -f my-project-template.yaml
- Check the availability of the new template with the command:
  kubectl get projecttemplates <NEW_TEMPLATE_NAME>