From d9ffa615b89ecf667dd9bd5c14ad7d9f4b8d0e05 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Dec 2019 16:10:44 -0700 Subject: [PATCH 1/2] Say how to avoid creating unusable namespaces with kubectl --- .../projects-and-namespaces/_index.md | 18 +++++++++++++++++- .../v2.x/en/project-admin/namespaces/_index.md | 6 ++++-- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md index f73a3549054..fe28fb09f45 100644 --- a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md @@ -48,7 +48,9 @@ You can assign the following resources directly to namespaces: - [Registries]({{}}/rancher/v2.x/en/k8s-in-rancher/registries/) - [Secrets]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/) ->**Note:** Although you can assign role-based access to namespaces in the base version of Kubernetes, you cannot assign roles to namespaces in Rancher. Instead, assign role-based access at the project level. +To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher user permissions are assigned on the project level instead and automatically inherited by any namespace owned by the particular project. + +> **Note:** If you create a namespace with `kubectl`, it may be unusable because `kubectl` doesn't require your new namespace to be scoped within a project that you have access to. If your permissions are restricted to the project level, it is better to [create a namespace through Rancher]({{}}/rancher/v2.x/en/project-admin/namespaces/#creating-namespaces) to ensure that you will have permission to access the namespace. For more information on creating and moving namespaces, see [Namespaces]({{}}/rancher/v2.x/en/project-admin/namespaces/). 
@@ -58,6 +60,20 @@ Within Rancher, a project can contain multiple namespaces and access control pol A project is a concept introduced by Rancher that allows you manage multiple namespaces as a group and perform Kubernetes operations in them. The Rancher UI provides features for [project administration]({{}}/rancher/v2.x/en/project-admin/) and for [managing applications within projects.]({{}}/rancher/v2.x/en/k8s-in-rancher/) +This section covers the following topics: + +- [Projects](#projects) + - [Default project](#default-project) + - [System project](#system-project) + - [Authorization](#authorization) + - [Pod security policies](#pod-security-policies) + - [Creating projects](#creating-projects) +- [Switching between clusters and projects](#switching-between-clusters-and-projects) +- [Namespaces](#namespaces) + + +# Projects + In terms of hierarchy: - Clusters contain projects diff --git a/content/rancher/v2.x/en/project-admin/namespaces/_index.md b/content/rancher/v2.x/en/project-admin/namespaces/_index.md index ef84e757bbe..4accfd0920e 100644 --- a/content/rancher/v2.x/en/project-admin/namespaces/_index.md +++ b/content/rancher/v2.x/en/project-admin/namespaces/_index.md 
@@ -18,13 +18,15 @@ Resources that you can assign directly to namespaces include: - [Registries]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/registries/) - [Secrets]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/secrets/) ->**Note:** Although you can assign role-based access to namespaces in the base version of Kubernetes, you cannot assign roles to namespaces in Rancher. Instead, assign role-based access at the project level. +Although you can assign role-based access to namespaces in the base version of Kubernetes, you cannot assign roles to namespaces in Rancher. Instead, assign role-based access at the project level. + +> **Note:** If you create a namespace with `kubectl`, it may be unusable because `kubectl` doesn't require your new namespace to be scoped within a project that you have access to. If your permissions are restricted to the project level, it is better to [create a namespace through Rancher](#creating-namespaces) to ensure that you will have permission to access the namespace. ### Creating Namespaces Create a new namespace to isolate apps and resources in a project. ->**Tip:** When working with project resources that you can assign to a namespace (i.e., [workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/), [certificates]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/certificates/), [ConfigMaps]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/configmaps), etc.) you can create a namespace on the fly. +When working with project resources that you can assign to a namespace (i.e., [workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/), [certificates]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/certificates/), [ConfigMaps]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/configmaps), etc.) you can create a namespace on the fly. 1. From the **Global** view, open the project where you want to create a namespace. From 06142f5982702633444d796b34190da97d64bc93 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Fri, 21 Feb 2020 10:43:58 -0700 Subject: [PATCH 2/2] Edit projects page --- .../projects-and-namespaces/_index.md | 24 +++---------------- .../en/project-admin/namespaces/_index.md | 5 ++-- 2 files changed, 6 insertions(+), 23 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md index fe28fb09f45..bf9c640651b 100644 --- a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md @@ -48,7 +48,7 @@ You can assign the following resources directly to namespaces: - [Registries]({{}}/rancher/v2.x/en/k8s-in-rancher/registries/) - [Secrets]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/) -To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher user permissions are assigned on the project level instead and automatically inherited by any namespace owned by the particular project. +To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher, user permissions are assigned on the project level instead, and permissions are automatically inherited by any namespace owned by the particular project. > **Note:** If you create a namespace with `kubectl`, it may be unusable because `kubectl` doesn't require your new namespace to be scoped within a project that you have access to. If your permissions are restricted to the project level, it is better to [create a namespace through Rancher]({{}}/rancher/v2.x/en/project-admin/namespaces/#creating-namespaces) to ensure that you will have permission to access the namespace. 
@@ -56,24 +56,6 @@ For more information on creating and moving namespaces, see [Namespaces]({{}}/rancher/v2.x/en/project-admin/) and for [managing applications within projects.]({{}}/rancher/v2.x/en/k8s-in-rancher/) - -This section covers the following topics: - -- [Projects](#projects) - - [Default project](#default-project) - - [System project](#system-project) - - [Authorization](#authorization) - - [Pod security policies](#pod-security-policies) - - [Creating projects](#creating-projects) -- [Switching between clusters and projects](#switching-between-clusters-and-projects) -- [Namespaces](#namespaces) - - -# Projects - In terms of hierarchy: - Clusters contain projects @@ -83,9 +65,9 @@ You can use projects to support multi-tenancy, so that a team can access a proje In the base version of Kubernetes, features like role-based access rights or cluster resources are assigned to individual namespaces. A project allows you to save time by giving an individual or a team access to multiple namespaces simultaneously. -You can use projects to perform actions like: +You can use projects to perform actions such as: -- Assign users access to a group of namespaces (i.e., [project membership]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/project-members)). +- Assign users to a group of namespaces (i.e., [project membership]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/project-members)). - Assign users specific roles in a project. A role can be owner, member, read-only, or [custom]({{}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/). - Assign resources to the project. - Assign Pod Security Policies. diff --git a/content/rancher/v2.x/en/project-admin/namespaces/_index.md b/content/rancher/v2.x/en/project-admin/namespaces/_index.md index 4accfd0920e..b8a400c9a79 100644 --- a/content/rancher/v2.x/en/project-admin/namespaces/_index.md +++ b/content/rancher/v2.x/en/project-admin/namespaces/_index.md 
@@ -18,9 +18,10 @@ Resources that you can assign directly to namespaces include: - [Registries]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/registries/) - [Secrets]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/secrets/) -Although you can assign role-based access to namespaces in the base version of Kubernetes, you cannot assign roles to namespaces in Rancher. Instead, assign role-based access at the project level. +To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher, user permissions are assigned on the project level instead, and permissions are automatically inherited by any namespace owned by the particular project. + +> **Note:** If you create a namespace with `kubectl`, it may be unusable because `kubectl` doesn't require your new namespace to be scoped within a project that you have access to. If your permissions are restricted to the project level, it is better to [create a namespace through Rancher]({{}}/rancher/v2.x/en/project-admin/namespaces/#creating-namespaces) to ensure that you will have permission to access the namespace. -> **Note:** If you create a namespace with `kubectl`, it may be unusable because `kubectl` doesn't require your new namespace to be scoped within a project that you have access to. If your permissions are restricted to the project level, it is better to [create a namespace through Rancher](#creating-namespaces) to ensure that you will have permission to access the namespace. ### Creating Namespaces
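
Review bot: In PATCH 1/2, hunk `@@ -48,7 +48,9 @@` of `cluster-admin/projects-and-namespaces/_index.md`, the new Note says a namespace created with `kubectl` "may be unusable" but leaves a reader who has already created one without a next step. The context line that follows already mentions "creating and moving namespaces", so the Note could add that such a namespace needs to be moved into a project and link the Namespaces page for that. Minor: "With Rancher user permissions are assigned" needs a comma after "Rancher"; PATCH 2/2 adds it, so the fix could be folded into this patch.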
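
Review bot: In PATCH 1/2, hunk `@@ -58,6 +60,20 @@` of `cluster-admin/projects-and-namespaces/_index.md`, the new `# Projects` heading is placed after the paragraph "A project is a concept introduced by Rancher..." and before "In terms of hierarchy:", so the definition of a project sits above its own heading and the hierarchy list below it. Move the heading and the topic list above the defining paragraph. The topic list is also unrelated to the subject line ("Say how to avoid creating unusable namespaces with kubectl") and would be easier to review as its own patch; there is a doubled blank line before `# Projects` as well.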
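
Review bot: In PATCH 1/2, hunk `@@ -18,13 +18,15 @@` of `project-admin/namespaces/_index.md`, removing the `>**Tip:**` marker leaves "When working with project resources..." as a plain sentence between "Create a new namespace to isolate apps and resources in a project." and step 1, where it reads as part of the procedure rather than an aside. Either keep it as a callout or move it after the numbered steps. The same line uses "i.e." in front of a list that ends in "etc."; since the items are examples, "e.g." or "such as" is the right lead-in.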
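
Review bot: In PATCH 2/2, hunk `@@ -48,7 +48,7 @@` of `cluster-admin/projects-and-namespaces/_index.md`, the rewritten sentence says permissions are "automatically inherited by any namespace owned by the particular project" but does not say what happens to a namespace that belongs to no project, which is exactly the case the Note directly below warns about. One clause stating that a namespace outside your projects does not receive your project-level permissions would connect the two; please confirm that wording against Rancher's actual behaviour. Also consider "at the project level" to match the Note's "restricted to the project level", and dropping the repeated "permissions".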
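
Review bot: In PATCH 2/2, hunk `@@ -83,9 +65,9 @@` of `cluster-admin/projects-and-namespaces/_index.md`, changing "Assign users access to a group of namespaces" to "Assign users to a group of namespaces" removes the word that carried the meaning: project membership grants access, which is also how the context line above puts it ("giving an individual or a team access to multiple namespaces"). Suggest "Give users access to a group of namespaces" instead. The "like" to "such as" change is fine.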
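
Review bot: In PATCH 2/2, hunk `@@ -18,9 +18,10 @@` of `project-admin/namespaces/_index.md`, the replacement Note swaps the in-page link `(#creating-namespaces)` for a full link to `/rancher/v2.x/en/project-admin/namespaces/#creating-namespaces`, which is this same page. The in-page anchor was shorter and did not depend on the base URL, so keep it here. If the full link stays, the shortcode as shown reads `{{}}` while the context lines in this file use `{{< baseurl >}}`; match the surrounding form.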