Projects and Namespaces
Projects are organizational objects introduced in Rancher that ease the administrative burden of your cluster. You can use projects to support multi-tenancy.
Projects provide an extra level of organization in your Kubernetes clusters beyond namespaces. In terms of hierarchy:
- Clusters contain projects.
- Projects contain namespaces.
Within Rancher, projects allow you manage multiple namespaces as a single entity. In the base version of Kubernetes, which does not include projects, features like role-based access rights or cluster resources are assigned to individual namespaces. In clusters where multiple namespaces require the same set of access rights, assigning these rights to each individual namespace can become tedious. Even though all namespaces require the same rights, there’s no way to apply those rights to all of your namespaces in a single action. You’d have to repetitively assign these rights to each namespace!
Rancher projects resolve this issue by allowing you to apply resources and access rights at the project level. Each namespace in the project then inherits these resources and policies, so you only have to assign them to the project once, rather than assigning them to each namespace.
You can use projects to perform actions like:
- Assign users access to a group of namespaces (i.e., project membership).
- Assign users specific roles in a project. A role can be owner, member, read-only, or custom.
- Assign resources to the project.
- Assign Pod Security Policies.
When you create a cluster, two project are automatically created within it:
When you provision a cluster, it automatically creates a
default project for the cluster. This is a project you can use to get started with your cluster, but you can always delete it and replace it with projects that have more descriptive names.
available as of v2.0.7
When troubleshooting, you can view the
system project to check if important namespaces in the Kubernetes system are working properly. This easily accessible project saves you from troubleshooting individual system namespace containers.
To open it, open the Global menu, and then select the
system project for your cluster.
- Is automatically created when you provision a cluster.
- Lists all namespaces that exist in
v3/settings/system-namespaces, if they exist.
- Allows you to add more namespaces or move its namespaces to other projects.
- Cannot be deleted because it’s required for cluster operations.
Note: In clusters where both:
- The Canal network plug-in is in use.
- The Project Network Isolation option is enabled.
systemproject overrides the Project Network Isolation option so that it can communicate with other projects, collect logs, and check health.
Non-administrative users are only authorized for project access after an administrator explicitly adds them to the project’s Members tab.
Exception: Non-administrative users can access projects that they create themselves.
Pod Security Policies
Rancher extends Kubernetes to allow the application of Pod Security Policies at the project level in addition to the cluster level. However, as a best practice, we recommend applying Pod Security Policies at the cluster level.
From the Global view, choose Clusters from the main menu. From the Clusters page, open the cluster from which you want to create a project.
From the main menu, choose Projects/Namespaces. Then click Add Project.
Enter a Project Name.
Optional: Select a Pod Security Policy. Assigning a PSP to a project will:
- Override the cluster’s default PSP.
- Apply the PSP to the project.
- Apply the PSP to any namespaces you add to the project later.
Note: This option is only available if you’ve already created a Pod Security Policy. For instruction, see Creating Pod Security Policies.
Recommended: Add project members.
Use the Members section to provide other users with project access and roles.
By default, your user is added as the project
Click Add Member.
From the Name combo box, search for a user or group that you want to assign project access.
Note: You can only search for groups if external authentication is enabled.
From the Role drop-down, choose a role.
Users assigned the
Memberrole for a project automatically inherit the
namespace creationrole. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the
Memberrole for a project can create namespaces in other projects they’re assigned to, even with only the
Read Onlyrole assigned.
Customto create a custom role on the fly: Custom Project Roles.
To add more members, repeat substeps a—c.
Optional: Add Resource Quotas, which limit the resources that a project (and its namespaces) can consume. For more information, see Resource Quotas.
Note: This option is only available in v2.1.0 and later.
Click Add Quota.
Select a Resource Type.
Enter values for the Project Limit and the Namespace Default Limit.
Field Description Project Limit The overall resource limit for the project. Namespace Default Limit The default resource limit available for each namespace. This limit is propagated to each namespace in the project. The combined limit of all project namespaces shouldn’t exceed the project limit.
Optional: Repeat these substeps to add more quotas.
Result: Your project is created. You can view it from the cluster’s Projects/Namespaces view.
To switch between clusters and projects, use the Global drop-down available in the main menu.
Alternatively, you can switch between projects and clusters using the main menu.
- To switch between clusters, open the Global view and select Clusters from the main menu. Then open a cluster.
- To switch between projects, open a cluster, and then select Projects/Namespaces from the main menu. Select the link for the project that you want to open.
Within Rancher, you can further divide projects into different namespaces, which are virtual clusters within a project backed by a physical cluster. Should you require another level of organization beyond projects and the
default namespace, you can use multiple namespaces to isolate applications and resources.
Although you assign resources at the project level so that each namespace can in the project can use them, you can override this inheritance by assigning resources explicitly to a namespace.
Resources that you can assign directly to namespaces include:
- Load Balancers/Ingress
- Service Discovery Records
- Persistent Volume Claims
Note: Although you can assign role-based access to namespaces in the base version of Kubernetes, you cannot assign roles to namespaces in Rancher. Instead, assign role-based access at the project level.
Create a new namespace to isolate apps and resources in a project.
From the Global view, open the project where you want to create a namespace.
Tip: As a best practice, we recommend creating namespaces from the project level. However, cluster owners and members can can create them from the cluster level as well.
From the main menu, select Namespace. The click Add Namespace.
Optional: If your project has Resource Quotas in effect, you can override the default resource Limits (which places a cap on the resources that the namespace can consume).
Enter a Name and then click Create.
Result: Your namespace is added to the project. You can begin assigning cluster resources to the namespace.
Moving Namespaces to Another Project
Cluster admins and members may occasionally need to move a namespace to another project, such as when you want a different team to start using the application.
From the Global view, open the cluster that contains the namespace you want to move.
From the main menu, select Projects/Namespaces.
Select the namespace(s) that you want to move to a different project. Then click Move. You can move multiple namespaces at one.
- Don’t move the namespaces in the
Systemproject. Moving these namespaces can adversely affect cluster networking.
- You cannot move a namespace into a project that already has a resource quota configured.
- If you move a namespace from a project that has a quota set to a project with no quota set, the quota is removed from the namespace.
- Don’t move the namespaces in the
Choose a new project for the new namespace and then click Move. Alternatively, you can remove the namespace from all projects by selecting None.
Result: Your namespace is moved to a different project (or is unattached from all projects). If any project resources are attached to the namespace, the namespace releases them and then attached resources from the new project.
Editing Namespace Resource Quotas
If there is a resource quota configured for a project, you can override the namespace default limit to provide a specific namespace with access to more (or less) project resources.
From the Global view, open the cluster that contains the namespace for which you want to edit the resource quota.
From the main menu, select Projects/Namespaces.
Find the namespace for which you want to edit the resource quota. Select Ellipsis (…) > Edit.
Edit the Resource Quota Limits. These limits determine the resources available to the namespace. The limits must be set within the configured project limits.
For more information about each Resource Type, see Resource Quota Types.
- If a resource quota is not configured for the project, these options will not be available.
- If you enter limits that exceed the configured project limits, Rancher will not let you save your edits.
Result: The namespace’s default resource quota is overwritten with your override.