On a newly created OpenShift / OKD Kubernetes cluster, users can by default create projects / namespaces without consulting the Cluster Administrator. In most setups, you'll want to disable this feature so that cluster compute resources are not misused and developers follow the correct process for deploying applications onto the OpenShift cluster environment.
In this guide, we'll discuss how to prevent logged-in users from creating projects on their own. Instead, they'll see a message telling them to send an email to the relevant team, which creates the project and grants them permissions to use it.
You should have a working OpenShift Container environment to follow along with this guide. Check the guides we have on how to create an OpenShift cluster:
Setup Local OpenShift 4 Cluster with CodeReady Containers
How To Setup Local OpenShift Origin (OKD) Cluster on CentOS 7
How To run Local Openshift Cluster with Minishift
Disabling project self-provisioning on OpenShift
First view the self-provisioners cluster role binding usage with the command below.
$ oc describe clusterrolebinding.rbac self-provisioners
----
Name:         self-provisioners
Labels:
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind   Name                        Namespace
  ----   ----                        ---------
  Group  system:authenticated:oauth
We need to remove the self-provisioner cluster role from the group system:authenticated:oauth:
oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
You should get an output like below:
clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched
If the self-provisioners cluster role binding binds the self-provisioner role to more users, groups, or service accounts than the system:authenticated:oauth group, run the following command:
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
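Next, set the rbac.authorization.kubernetes.io/autoupdate annotation on the cluster role binding to false, so that automatic updates do not reset the binding to its default state. You can apply the patch directly with the following command: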
oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
Confirm the contents of the self-provisioners cluster role binding:
oc edit clusterrolebinding.rbac self-provisioners
The value should now be set to false.
.....
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
.....
Log in as an authenticated user and verify that they can no longer self-provision a project:
$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.
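To check the result across the whole cluster rather than with one test login, the following added example (not part of the original guide) audits the JSON from `oc get clusterrolebinding.rbac -o json`. It goes a step beyond the single binding above and reports every cluster role binding that still grants self-provisioner, plus whether autoupdate is off on the default binding; the team-a-provisioners binding and team-a-leads group in the sample are constructed.

```python
import json
import sys

ROLE = "self-provisioner"               # cluster role named on this page
DEFAULT_BINDING = "self-provisioners"   # default binding named on this page
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed sample: the default binding after only the first patch, plus a
# hypothetical extra binding (team-a-provisioners) granting the same role.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "self-provisioners",
                "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
   "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"}},
  {"metadata": {"name": "team-a-provisioners"},
   "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
   "subjects": [{"kind": "Group", "name": "team-a-leads"}]},
  {"metadata": {"name": "cluster-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:cluster-admins"}]}
]}
""")

def audit(doc):
    """List what still grants ROLE, or could restore it, in a binding or a List of them."""
    findings = []
    for crb in doc.get("items", [doc]):
        ref = crb.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") != ROLE:
            continue
        name = crb["metadata"]["name"]
        # After `oc patch ... '{"subjects": null}'` the key is absent or null.
        for s in crb.get("subjects") or []:
            findings.append(f"{name}: {s['kind']} {s['name']} can still self-provision")
        notes = crb["metadata"].get("annotations") or {}
        if name == DEFAULT_BINDING and notes.get(AUTOUPDATE) != "false":
            findings.append(f"{name}: autoupdate is not 'false', defaults can be restored")
    return findings

if __name__ == "__main__":
    # Pipe in `oc get clusterrolebinding.rbac -o json`; with no pipe, use SAMPLE.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    problems = audit(doc)
    print("\n".join(problems) or "no binding grants self-provisioner")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when anything is reported, so it can run as a periodic compliance check.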
Customize the project request message on OpenShift
We need to customize the message that OpenShift users will get when they try to create projects from CLI or Web console.
From CLI
Log in as a user with cluster-admin privileges and edit the project.config.openshift.io/cluster resource:
$ oc edit project.config.openshift.io/cluster
Set the projectRequestMessage parameter to your custom message:
projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]"
From Web Dashboard
Open the OpenShift Web console and navigate to the Administration → Cluster Settings page.
Click Global Configuration to view all configuration resources.
Find the entry for Projects.
Click on the YAML to edit it, and set the projectRequestMessage parameter:
projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]"
After you save the changes, any attempt to create a new project as a developer or service account will be rejected, and the user will see the custom message we just set.