On a newly created OpenShift / OKD Kubernetes cluster, users can by default create projects / namespaces without consulting the cluster administrator. In most setups, you'll want to disable this feature so that cluster compute resources are not misused and developers follow the correct process for deploying applications onto the OpenShift cluster environment.

In this guide, we'll discuss how to prevent logged-in users from creating projects on their own. Instead, they'll see a message telling them to send an email to the relevant team to request project creation and the permissions they need to use the project.

You need a working OpenShift Container environment to follow along with this guide. Check the guides we have on how to create an OpenShift cluster:

Setup Local OpenShift 4 Cluster with CodeReady Containers

How To Setup Local OpenShift Origin (OKD) Cluster on CentOS 7

How To run Local Openshift Cluster with Minishift

Disabling project self-provisioning on OpenShift

First view the self-provisioners cluster role binding usage with the command below.

$ oc describe clusterrolebinding.rbac self-provisioners

----
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind   Name                        Namespace
  ----   ----                        ---------
  Group  system:authenticated:oauth

We need to remove the self-provisioner cluster role from the group system:authenticated:oauth:

 oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'

You should get an output like below:

clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched

If the self-provisioners cluster role binding binds the self-provisioner role to more users, groups, or service accounts than the system:authenticated:oauth group, run the following command:

 oc adm policy \
    remove-cluster-role-from-group self-provisioner \
    system:authenticated:oauth

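Next, set the rbac.authorization.kubernetes.io/autoupdate annotation on the binding to false so that automatic updates do not reset it to its default state. You can apply the patch directly with the following command: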

oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'

Confirm the contents of the self-provisioners cluster role binding:

oc edit clusterrolebinding.rbac self-provisioners

The value should now be set to false.

.....
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
.....

Log in as an authenticated user and verify that they can no longer self-provision a project:

$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.
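
An added audit example (not part of the original guide): it reads the JSON produced by oc get clusterrolebinding.rbac -o json and reports every subject still bound to the self-provisioner role, on any binding and not only the default one, and whether autoupdate is disabled on the default binding. The sample bindings, including the name ci-provisioners, are constructed for illustration.

```python
import json
import sys

ROLE = "self-provisioner"
DEFAULT_BINDING = "self-provisioners"
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"


def audit(bindings_json):
    """Return one finding per remaining grant of the self-provisioner role."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        if item.get("roleRef", {}).get("name") != ROLE:
            continue
        meta = item.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        # After the '{"subjects": null}' patch the key is null or absent.
        for subj in item.get("subjects") or []:
            findings.append(f"{name}: {subj['kind']} {subj['name']} can still create projects")
        # The guide disables autoupdate on the default binding so the patch sticks.
        if name == DEFAULT_BINDING and (meta.get("annotations") or {}).get(AUTOUPDATE) != "false":
            findings.append(f"{name}: autoupdate is not 'false'; subjects may be restored")
    return findings


def make_binding(name, role, subjects, autoupdate=None):
    meta = {"name": name}
    if autoupdate is not None:
        meta["annotations"] = {AUTOUPDATE: autoupdate}
    return {"metadata": meta, "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}


# Constructed samples shaped like `oc get clusterrolebinding.rbac -o json` output.
BEFORE = json.dumps({"items": [
    make_binding(DEFAULT_BINDING, ROLE, [{"kind": "Group", "name": "system:authenticated:oauth"}], "true"),
    make_binding("cluster-admins", "cluster-admin", [{"kind": "Group", "name": "system:cluster-admins"}]),
]})
# "ci-provisioners" is a hypothetical extra binding that the patch did not touch.
AFTER = json.dumps({"items": [
    make_binding(DEFAULT_BINDING, ROLE, None, "false"),
    make_binding("ci-provisioners", ROLE, [{"kind": "ServiceAccount", "name": "builder"}]),
]})

if __name__ == "__main__":
    # Real use: oc get clusterrolebinding.rbac -o json | python3 audit.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else AFTER
    problems = audit(data)
    print("\n".join(problems) or "self-provisioning is disabled for all bindings")
    sys.exit(1 if problems else 0)
```
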

Customize the project request message on OpenShift

We need to customize the message that OpenShift users will get when they try to create projects from the CLI or the web console.

From CLI

Log in as a user with cluster-admin privileges and edit the project.config.openshift.io/cluster resource:

$ oc edit project.config.openshift.io/cluster

Set the projectRequestMessage parameter to your custom message:

projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]"

From Web Dashboard

Open the OpenShift Web console and navigate to the Administration → Cluster Settings page.


Click Global Configuration to view all configuration resources.


Find the entry for Projects


Click on the YAML to edit it, and set the projectRequestMessage parameter to your custom message:

projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]"

After you save the changes, users who try to create new projects as a developer or service account will find that the request doesn't go through. They will get the custom message we just set.
