From 337e1dc51dbc39d5f9ebeafeef926fea00d73868 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 27 Jan 2020 15:26:39 -0700 Subject: [PATCH] Edit project page in cluster admin section --- .../projects-and-namespaces/_index.md | 102 +++++++++--------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md index fce7c4a8746..56be333e7e0 100644 --- a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md @@ -27,7 +27,7 @@ This section describes how projects and namespaces work with Rancher. It covers # About Namespaces -A namespace is a concept introduced by Kubernetes. According to the [official Kubernetes documentation,](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) +A namespace is a concept introduced by Kubernetes. According to the [official Kubernetes documentation on namespaces,](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) > Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. [...] Namespaces are intended for use in environments with many users spread across multiple teams, or projects. For clusters with a few to tens of users, you should not need to create or think about namespaces at all. 
@@ -36,12 +36,6 @@ Namespaces provide the following functionality: - **Providing a scope for names:** Names of resources need to be unique within a namespace, but not across namespaces. Namespaces can not be nested inside one another and each Kubernetes resource can only be in one namespace. - **Resource quotas:** Namespaces provide a way to divide cluster resources between multiple users. -Within Rancher, a project can contain multiple namespaces, making it possible to organize and isolate resources within the project. - -If you don't have a need for more than the default namespace, you also do not need more than the **Default** project in Rancher. - -If you require another level of organization beyond the **Default** project, you can create more projects in Rancher to isolate namespaces, applications and resources. - You can assign resources at the project level so that each namespace in the project can use them. You can also bypass this inheritance by assigning resources explicitly to a namespace. You can assign the following resources directly to namespaces: 
@@ -57,11 +51,13 @@ You can assign the following resources directly to namespaces: >**Note:** Although you can assign role-based access to namespaces in the base version of Kubernetes, you cannot assign roles to namespaces in Rancher. Instead, assign role-based access at the project level. -For more information, see [Namespaces]({{}}/rancher/v2.x/en/project-admin/namespaces/). +For more information on creating and moving namespaces, see [Namespaces]({{}}/rancher/v2.x/en/project-admin/namespaces/). # About Projects -A project is a group of multiple [namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) and access control policies within a cluster. A project is a concept introduced by Rancher, not Kubernetes, which allows you manage multiple namespaces as a group and perform Kubernetes operations in them. The Rancher UI provides features for [project administration]({{}}/rancher/v2.x/en/project-admin/) and for [managing applications within projects.]({{}}/rancher/v2.x/en/k8s-in-rancher/) +Within Rancher, a project can contain multiple namespaces and access control policies, making it possible to organize and isolate resources within the project. + +A project is a concept introduced by Rancher that allows you manage multiple namespaces as a group and perform Kubernetes operations in them. The Rancher UI provides features for [project administration]({{}}/rancher/v2.x/en/project-admin/) and for [managing applications within projects.]({{}}/rancher/v2.x/en/k8s-in-rancher/) In terms of hierarchy: 
@@ -88,6 +84,10 @@ When you create a cluster, two projects are automatically created within it: When you provision a cluster with Rancher, it automatically creates a `default` project for the cluster. This is a project you can use to get started with your cluster, but you can always delete it and replace it with projects that have more descriptive names. +If you don't have a need for more than the default namespace, you also do not need more than the **Default** project in Rancher. + +If you require another level of organization beyond the **Default** project, you can create more projects in Rancher to isolate namespaces, applications and resources. + ### The System Project _Available as of v2.0.7_ @@ -112,10 +112,10 @@ The `system` project: # Project Authorization -Non-administrative users are only authorized for project access after an administrator, cluster owner or cluster member explicitly adds them to the project's **Members** tab. +Standard users are only authorized for project access in two situations: ->**Exception:** -> Non-administrative users can access projects that they create themselves. +- An administrator, cluster owner or cluster member explicitly adds the standard user to the project's **Members** tab. +- Standard users can access projects that they create themselves. # Pod Security Policies 
@@ -123,69 +123,69 @@ Rancher extends Kubernetes to allow the application of [Pod Security Policies](h # Creating Projects +This section describes how to create a new project with a name and with optional pod security policy, members, and resource quotas. + +1. [Name a new project.](#1-name-a-new-project) +2. [Optional: Select a pod security policy.](#2-optional-select-a-pod-security-policy) +3. [Recommended: Add project members.](#3-recommended-add-project-members) +4. [Optional: Add resource quotas.](#4-optional-add-resource-quotas) + +### 1. Name a New Project + 1. From the **Global** view, choose **Clusters** from the main menu. From the **Clusters** page, open the cluster from which you want to create a project. 1. From the main menu, choose **Projects/Namespaces**. Then click **Add Project**. 1. Enter a **Project Name**. -1. **Optional:** Select a **Pod Security Policy**. Assigning a PSP to a project will: +### 2. Optional: Select a Pod Security Policy - - Override the cluster's default PSP. - - Apply the PSP to the project. - - Apply the PSP to any namespaces you add to the project later. +This option is only available if you've already created a Pod Security Policy. For instruction, see [Creating Pod Security Policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/). - >**Note:** This option is only available if you've already created a Pod Security Policy. For instruction, see [Creating Pod Security Policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/). +Assigning a PSP to a project will: -1. **Recommended:** Add project members. +- Override the cluster's default PSP. +- Apply the PSP to the project. +- Apply the PSP to any namespaces you add to the project later. - Use the **Members** section to provide other users with project access and roles. +### 3. Recommended: Add Project Members - By default, your user is added as the project `Owner`. +Use the **Members** section to provide other users with project access and roles. - 1. 
Click **Add Member**. +By default, your user is added as the project `Owner`. - 1. From the **Name** combo box, search for a user or group that you want to assign project access. +>**Notes on Permissions:** +> +>- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. +>- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). - >**Note:** You can only search for groups if external authentication is enabled. +To add members: - 1. From the **Role** drop-down, choose a role. +1. Click **Add Member**. +1. From the **Name** combo box, search for a user or group that you want to assign project access. Note: You can only search for groups if external authentication is enabled. +1. From the **Role** drop-down, choose a role. For more information, refer to the [documentation on project roles.]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) - [What are Roles?]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) +### 4. Optional: Add Resource Quotas - >**Notes:** - > - >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. 
Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. - > - >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). +_Available as of v2.1.0_ - 1. To add more members, repeat substeps a—c. - -1. **Optional:** Add **Resource Quotas**, which limit the resources that a project (and its namespaces) can consume. For more information, see [Resource Quotas]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas). - - >**Note:** This option is available as of v2.1.0. - - 1. Click **Add Quota**. - - 1. Select a [Resource Type]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/#resource-quota-types). - - 1. Enter values for the **Project Limit** and the **Namespace Default Limit**. - - | Field | Description | - | ----------------------- | -------------------------------------------------------------------------------------------------------- | - | Project Limit | The overall resource limit for the project. | - | Namespace Default Limit | The default resource limit available for each namespace. This limit is propagated to each namespace in the project. The combined limit of all project namespaces shouldn't exceed the project limit. | - - 1. **Optional:** Repeat these substeps to add more quotas. - -1. **Optional:** Specify **Container Default Resource Limit**, which will be applied to every container started in the project. The parameter is recommended if you have CPU or Memory limits set by the Resource Quota. It can be overridden on per an individual namespace or a container level. For more information, see [Container Default Resource Limit]({{}}/rancher/v2.x/en/project-admin/resource-quotas/#setting-container-default-resource-limit) - >**Note:** This option is available as of v2.2.0. 
+Resource quotas limit the resources that a project (and its namespaces) can consume. For more information, see [Resource Quotas]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas). +To add a resource quota, +1. Click **Add Quota**. +1. Select a [Resource Type]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/#resource-quota-types). +1. Enter values for the **Project Limit** and the **Namespace Default Limit**. +1. **Optional:** Specify **Container Default Resource Limit**, which will be applied to every container started in the project. The parameter is recommended if you have CPU or Memory limits set by the Resource Quota. It can be overridden on per an individual namespace or a container level. For more information, see [Container Default Resource Limit]({{}}/rancher/v2.x/en/project-admin/resource-quotas/#setting-container-default-resource-limit) Note: This option is available as of v2.2.0. 1. Click **Create**. **Result:** Your project is created. You can view it from the cluster's **Projects/Namespaces** view. +| Field | Description | +| ----------------------- | -------------------------------------------------------------------------------------------------------- | +| Project Limit | The overall resource limit for the project. | +| Namespace Default Limit | The default resource limit available for each namespace. This limit is propagated to each namespace in the project. The combined limit of all project namespaces shouldn't exceed the project limit. | + # Switching between Clusters and Projects To switch between clusters and projects, use the **Global** drop-down available in the main menu.
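Review bot: In the "About Projects" hunk (@@ -57,11 +51,13), the added sentence "A project is a concept introduced by Rancher that allows you manage multiple namespaces as a group" is missing a word ("allows you to manage"), and it drops the "not Kubernetes" qualifier that the removed line carried. The unchanged note just above this heading tells readers that roles cannot be assigned to namespaces in Rancher and must be assigned at the project level, so it is worth keeping the explicit statement that a project is a Rancher construct rather than a Kubernetes one. Suggest: "A project is a concept introduced by Rancher, not Kubernetes, that allows you to manage multiple namespaces as a group".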
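Review bot: In the default-project hunk (@@ -88,6 +84,10), the two added paragraphs write the project name as **Default** (bold, capitalized), while the unchanged sentence directly above them calls it the `default` project (code formatting, lowercase). Use one form throughout this subsection so that readers do not take them for two different objects. The same applies to "the default namespace" in the first added paragraph, which has no formatting at all.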
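Review bot: In the "Project Authorization" hunk (@@ -112,10 +112,10), the two bullets under "Standard users are only authorized for project access in two situations:" are not parallel: the first describes a situation, the second ("Standard users can access projects that they create themselves.") restates a capability with its own subject. Suggest rewording the second bullet to match, for example "The standard user created the project." The hunk also replaces "Non-administrative users" with "Standard users" without defining the term. Because this paragraph is the page's statement of who is granted project access, define or link the term on first use so that the scope of the rule is unambiguous.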
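Review bot: At the end of the "Creating Projects" hunk (@@ -123,69 +123,69), the Field/Description table for Project Limit and Namespace Default Limit is re-added after the "**Result:** Your project is created." line, so it is detached from the step it explains ("Enter values for the **Project Limit** and the **Namespace Default Limit**.") and now reads as part of the result. Move the table directly under that step. In the same region, the unchanged "Click **Create**" step now falls inside the numbered list of "### 4. Optional: Add Resource Quotas", so a reader who skips the optional section never reaches the step that creates the project. Give it its own unnumbered closing step or a fifth heading. Smaller points in this hunk: "To add a resource quota," should end with a colon like "To add members:", and "For instruction, see" should read "For instructions, see".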