Projects and Namespaces
Projects are organizational objects introduced in Rancher that ease the administrative burden of your cluster. You can use projects to support multi-tenancy.
Projects provide an extra level of organization in your Kubernetes clusters beyond namespaces. In terms of hierarchy:
- Clusters contain projects.
- Projects contain namespaces.
Within Rancher, projects allow you manage multiple namespaces as a single entity. In the base version of Kubernetes, which does not include projects, features like role-based access rights or cluster resources are assigned to individual namespaces. In clusters where multiple namespaces require the same set of access rights, assigning these rights to each individual namespace can become tedious. Even though all namespaces require the same rights, there’s no way to apply those rights to all of your namespaces in a single action. You’d have to repetitively assign these rights to each namespace!
Rancher projects resolve this issue by allowing you to apply resources and access rights at the project level. Each namespace in the project then inherits these resources and policies, so you only have to assign them to the project once, rather than assigning them to each namespace.
You can use projects to perform actions like:
- Assign users access to a group of namespaces (i.e., project membership).
- Assign users specific roles in a project. A role can be owner, member, read-only, or custom.
- Assign resources to the project.
- Assign Pod Security Policies.
When you create a cluster, two project are automatically created within it:
When you provision a cluster, it automatically creates a
default project for the cluster. This is a project you can use to get started with your cluster, but you can always delete it and replace it with projects that have more descriptive names.
available as of v2.0.7
When troubleshooting, you can view the
system project to check if important namespaces in the Kubernetes system are working properly. This easily accessible project saves you from troubleshooting individual system namespace containers.
To open it, open the Global menu, and then select the
system project for your cluster.
- Is automatically created when you provision a cluster.
- Lists all namespaces that exist in
v3/settings/system-namespaces, if they exist.
- Allows you to add more namespaces or move its namespaces to other projects.
- Cannot be deleted because it’s required for cluster operations.
Note: In clusters where both:
- The Canal network plug-in is in use.
- The Project Network Isolation option is enabled.
systemproject overrides the Project Network Isolation option so that it can communicate with other projects, collect logs, and check health.
Non-administrative users are only authorized for project access after an administrator explicitly adds them to the project’s Members tab.
Exception: Non-administrative users can access projects that they create themselves.
Pod Security Policies
Rancher extends Kubernetes to allow the application of Pod Security Policies at the project level in addition to the cluster level. However, as a best practice, we recommend applying Pod Security Policies at the cluster level.
From the Global view, choose Clusters from the main menu. From the Clusters page, open the cluster from which you want to create a project.
From the main menu, choose Projects/Namespaces. Then click Add Project.
Enter a Project Name.
Optional: Select a Pod Security Policy. Assigning a PSP to a project will:
- Override the cluster’s default PSP.
- Apply the PSP to the project.
- Apply the PSP to any namespaces you add to the project later.
Note: This option is only available if you’ve already created a Pod Security Policy. For instruction, see Creating Pod Security Policies.
Recommended: Add project members.
Use the Members accordion to provide other users with project access and roles.
By default, your user is added as the project
Click Add Member.
From the Name combo box, search for a user or group that you want to assign project access.
Note: You can only search for groups if external authentication is enabled.
From the Role drop-down, choose a role.
Tip: Choose Custom to create a custom role on the fly: Custom Project Roles.
To add more members, repeat substeps a—c.
Result: Your project is created. You can view it from the cluster’s Projects/Namespaces view.
To switch between clusters and projects, use the Global drop-down available in the main menu.
Alternatively, you can switch between projects and clusters using the main menu.
- To switch between clusters, open the Global view and select Clusters from the main menu. Then open a cluster.
- To switch between projects, open a cluster, and then select Projects/Namespaces from the main menu. Select the link for the project that you want to open.
Within Rancher, you can further divide projects into different namespaces, which are virtual clusters within a project backed by a physical cluster. Should you require another level of organization beyond projects and the
default namespace, you can use multiple namespaces to isolate applications and resources.
Although you assign resources at the project level so that each namespace can in the project can use them, you can override this inheritance by assigning resources explicitly to a namespace.
Resources that you can assign directly to namespaces include:
- Load Balancers/Ingress
- Service Discovery Records
- Persistent Volume Claims
Note: Although you can assign role-based access to namespaces in the base version of Kubernetes, you cannot assign roles to namespaces in Rancher. Instead, assign role-based access at the project level.
Create a new namespace to isolate apps and resources in a project.
From the Global view, open the project where you want to create a namespace.
Tip: As a best practice, we recommend creating namespaces from the project level. However, cluster owners and members can can create them from the cluster level as well.
From the main menu, select Namespace. The click Add Namespace.
Enter a Name and then click Create.
Result: Your namespace is added to the project. You can begin assigning cluster resources to the namespace.
Moving Namespaces to Another Project
Cluster admins and members may occasionally need to move a namespace to another project, such as when you want a different team to start using the application.
From the Global view, open the cluster that contains the namespace you want to move.
From the main menu, select Projects/Namespaces.
Select the namespace(s) that you want to move to a different project. Then click Move. You can move multiple namespaces at one.
Note: Don’t move the namespaces in the
Systemproject. Moving these namespaces can adversely affect cluster networking.
Choose a new project for the new namespace and then click Move. Alternatively, you can remove the namespace from all projects by selecting None.
Result: Your namespace is moved to a different project (or is unattached from all projects). If any project resources are attached to the namespace, the namespace releases them and then attached resources from the new project.