项目
创建项目
项目资源只能在管理集群上创建,请参考下文了解如何在管理集群中的项目下创建命名空间
创建一个基本项目
kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
generateName: p-
namespace: c-m-abcde
spec:
clusterName: c-m-abcde
displayName: myproject
EOF
使用 metadata.generateName
来确保一个唯一的项目 ID,但是需要注意 kubectl apply
不能与 metadata.generateName
一起使用,因此必须使用 kubectl create
来替代。
将 metadata.namespace
和 spec.clusterName
设置为项目所属的集群 ID。
如果你通过集群成员账户创建项目,则必须包含注释 field.cattle.io/creatorId
,并将注释值设置为集群成员账号的用户 ID。
kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
annotations:
field.cattle.io/creatorId:
user-id
generateName: p-
namespace: c-m-abcde
spec:
clusterName: c-m-abcde
displayName: myproject
EOF
设置 field.cattle.io/creatorId
字段允许集群成员账户通过 get
命令查看项目资源,并可以在 Rancher UI 中查看项目。集群所有者和管理员账号不需要设置此注释。
Setting the field.cattle.io/creator-principal-name
annotation to the user’s principal preserves it in a projectroletemplatebinding automatically created for the project owner.
If you don’t want the creator to be added as the owner member (e.g., if the creator is a cluster administrator) to the project you may set the field.cattle.io/no-creator-rbac
annotation to true
, which will prevent the corresponding projectroletemplatebinding from being created.
创建一个具有 Resource Quota 的项目
kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
generateName: p-
namespace: c-m-abcde
spec:
clusterName: c-m-abcde
displayName: myproject
resourceQuota:
limit:
limitsCpu: 1000m
namespaceDefaultResourceQuota:
limit:
limitsCpu: 50m
EOF
创建一个具有 Container Limit Ranges 的项目
kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
generateName: p-
namespace: c-m-abcde
spec:
clusterName: c-m-abcde
displayName: myproject
containerDefaultResourceLimit:
limitsCpu: 100m
limitsMemory: 100Mi
requestsCpu: 50m
requestsMemory: 50Mi
EOF
Adding a Member to a Project
Look up the project ID to specify the metadata.namespace
field and projectName
field values.
kubectl --namespace c-m-abcde get projects
Look up the role template ID to specify the roleTemplateName
field value (e.g. project-member
or project-owner
).
kubectl get roletemplates
When adding a user member specify the userPrincipalName
field:
kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: ProjectRoleTemplateBinding
metadata:
generateName: prtb-
namespace: p-vwxyz
projectName: c-m-abcde:p-vwxyz
roleTemplateName: project-member
userPrincipalName: keycloak_user://user
EOF
When adding a group member specify the groupPrincipalName
field instead:
kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: ProjectRoleTemplateBinding
metadata:
generateName: prtb-
namespace: p-vwxyz
projectName: c-m-abcde:p-vwxyz
roleTemplateName: project-member
groupPrincipalName: keycloak_group://group
EOF
Create a projectroletemplatebinding for each role you want to assign to the project member.
Listing Project Members
Look up the project ID:
kubectl --namespace c-m-abcde get projects
to list projectroletemplatebindings in the project’s namespace:
kubectl --namespace p-vwxyz get projectroletemplatebindings
Deleting a Member From a Project
Lookup the projectroletemplatebinding IDs containing the member in the project’s namespace as decribed in the [Listing Project Members](#listing-project-members) section.
Delete the projectroletemplatebinding from the project’s namespace:
kubectl --namespace p-vwxyz delete projectroletemplatebindings prtb-qx874 prtb-7zw7s
在项目中创建命名空间
项目资源保存在管理集群中,即使该项目使用于托管集群也是如此。项目下的命名空间保存在托管集群中。
在管理集群上查找你正在管理的集群的项目 ID,因为它是使用 metadata.generateName
生成的:
kubectl --namespace c-m-abcde get projects
在托管集群上,使用项目注释创建命名空间:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
name: mynamespace
annotations:
field.cattle.io/projectId: c-m-abcde:p-vwxyz
EOF
注意格式:<cluster ID>:<project ID>