In {product-title}, projects are used to group and isolate related objects. As an administrator, you can give developers access to certain projects, allow them to create their own, and give them administrative rights within individual projects.
As a cluster administrator, you can set the cluster-wide default node selector to restrict pod placement to specific nodes.
Edit the master configuration file at /etc/origin/master/master-config.yaml
and add a value for a default node selector. This is applied to the pods created
in all projects without a specified nodeSelector value:
... projectConfig: defaultNodeSelector: "type=user-node,region=east" ...
Restart the OpenShift service for the changes to take effect:
# systemctl restart atomic-openshift-master
To create an individual project with a node selector, use the --node-selector
option when creating a project. For example, if you have an {product-title}
topology with multiple regions, you can use a node selector to restrict specific
{product-title} projects to only deploy pods onto nodes in a specific region.
The following creates a new project named myproject and dictates that pods be
deployed onto nodes labeled user-node and east:
$ oadm new-project myproject \
--node-selector='type=user-node,region=east'
Once this command is run, this becomes the adminstrator-set node selector for all pods contained in the specified project.
|
Note
|
While the |
Using the oadm new-project command adds an annotation section to the
project. You can edit a project, and change the openshift.io/node-selector
value to override the default:
...
metadata:
annotations:
openshift.io/node-selector: type=user-node,region=east
...
If openshift.io/node-selector is set to an empty string (oadm new-project
--node-selector=""), the project will not have an adminstrator-set node
selector, even if the cluster-wide default has been set. This means that, as a
cluster administrator, you can set a default to restrict developer projects to a
subset of nodes and still enable infrastructure or other projects to schedule
the entire cluster.
{product-title} developers can set a node selector on their pod configuration if they wish to restrict nodes even further. This will be in addition to the project node selector, meaning that you can still dictate node selector values for all projects that have a node selector value.
For example, if a project has been created with the above annotation
(openshift.io/node-selector: type=user-node,region=east) and a developer sets
another node selector on a pod in that project, for example
clearance=classified, the pod will only ever be scheduled on nodes that have
all three labels (type=user-node, region=east, and clearance=classified).
If they set region=west on a pod, their pods would be demanding nodes with
labels region=east and region=west, which cannot work. The pods will never
be scheduled, because labels can only be set to one value.
The number of self-provisioned projects requested by a given user can be limited
with the ProjectRequestLimit
admission
control plug-in.
|
Important
|
If your project request template was created in {product-title} 3.1 or earlier
using the process described in
Modifying the Template for New
Projects, then the generated template does not include the annotation
|
In order to specify limits for users, a configuration must be specified for the plug-in within the master configuration file (/etc/origin/master/master-config.yaml). The plug-in configuration takes a list of user label selectors and the associated maximum project requests.
Selectors are evaluated in order. The first one matching the current user will be used to determine the maximum number of projects. If a selector is not specified, a limit applies to all users. If a maximum number of projects is not specified, then an unlimited number of projects are allowed for a specific selector.
The following configuration sets a global limit of 2 projects per user while allowing 10
projects for users with a label of level=advanced and unlimited projects for
users with a label of level=admin.
admissionConfig:
pluginConfig:
ProjectRequestLimit:
configuration:
apiVersion: v1
kind: ProjectRequestLimitConfig
limits:
- selector:
level: admin (1)
- selector:
level: advanced (2)
maxProjects: 10
- maxProjects: 2 (3)-
For selector
level=admin, nomaxProjectsis specified. This means that users with this label will not have a maximum of project requests. -
For selector
level=advanced, a maximum number of 10 projects will be allowed. -
For the third entry, no selector is specified. This means that it will be applied to any user that doesn’t satisfy the previous two rules. Because rules are evaluated in order, this rule should be specified last.
|
Note
|
Managing User and Group Labels provides further guidance on how to add, remove, or show labels for users and groups. |
Once your changes are made, restart {product-title} for the changes to take effect.