项目

创建项目

项目资源只能在管理集群上创建,请参考下文了解如何在管理集群中的项目下创建命名空间

创建一个基本项目

kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
  generateName: p-
  namespace: c-m-abcde
spec:
  clusterName: c-m-abcde
  displayName: myproject
EOF

使用 metadata.generateName 来确保一个唯一的项目 ID,但是需要注意 kubectl apply 不能与 metadata.generateName 一起使用,因此必须使用 kubectl create 来替代。

metadata.namespacespec.clusterName 设置为项目所属的集群 ID。

如果你通过集群成员账户创建项目,则必须包含注释 field.cattle.io/creatorId,并将注释值设置为集群成员账号的用户 ID。

kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
  annotations:
  field.cattle.io/creatorId:
    user-id
  generateName: p-
  namespace: c-m-abcde
spec:
  clusterName: c-m-abcde
  displayName: myproject
EOF

设置 field.cattle.io/creatorId 字段允许集群成员账户通过 get 命令查看项目资源,并可以在 Rancher UI 中查看项目。集群所有者和管理员账号不需要设置此注释。

Setting the field.cattle.io/creator-principal-name annotation to the user’s principal preserves it in a projectroletemplatebinding automatically created for the project owner.

If you don’t want the creator to be added as the owner member (e.g., if the creator is a cluster administrator) to the project you may set the field.cattle.io/no-creator-rbac annotation to true, which will prevent the corresponding projectroletemplatebinding from being created.

创建一个具有 Resource Quota 的项目

kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
  generateName: p-
  namespace: c-m-abcde
spec:
  clusterName: c-m-abcde
  displayName: myproject
  resourceQuota:
    limit:
      limitsCpu: 1000m
  namespaceDefaultResourceQuota:
    limit:
      limitsCpu: 50m
EOF

创建一个具有 Container Limit Ranges 的项目

kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: Project
metadata:
  generateName: p-
  namespace: c-m-abcde
spec:
  clusterName: c-m-abcde
  displayName: myproject
  containerDefaultResourceLimit:
    limitsCpu:    100m
    limitsMemory: 100Mi
    requestsCpu:  50m
    requestsMemory: 50Mi
EOF

Adding a Member to a Project

Look up the project ID to specify the metadata.namespace field and projectName field values.

kubectl --namespace c-m-abcde get projects

Look up the role template ID to specify the roleTemplateName field value (e.g. project-member or project-owner).

kubectl get roletemplates

When adding a user member specify the userPrincipalName field:

kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: ProjectRoleTemplateBinding
metadata:
  generateName: prtb-
  namespace: p-vwxyz
projectName: c-m-abcde:p-vwxyz
roleTemplateName: project-member
userPrincipalName: keycloak_user://user
EOF

When adding a group member specify the groupPrincipalName field instead:

kubectl create -f - <<EOF
apiVersion: management.cattle.io/v3
kind: ProjectRoleTemplateBinding
metadata:
  generateName: prtb-
  namespace: p-vwxyz
projectName: c-m-abcde:p-vwxyz
roleTemplateName: project-member
groupPrincipalName: keycloak_group://group
EOF

Create a projectroletemplatebinding for each role you want to assign to the project member.

Listing Project Members

Look up the project ID:

kubectl --namespace c-m-abcde get projects

to list projectroletemplatebindings in the project’s namespace:

kubectl --namespace p-vwxyz get projectroletemplatebindings

Deleting a Member From a Project

Lookup the projectroletemplatebinding IDs containing the member in the project’s namespace as decribed in the [Listing Project Members](#listing-project-members) section.

Delete the projectroletemplatebinding from the project’s namespace:

kubectl --namespace p-vwxyz delete projectroletemplatebindings prtb-qx874 prtb-7zw7s

在项目中创建命名空间

项目资源保存在管理集群中,即使该项目使用于托管集群也是如此。项目下的命名空间保存在托管集群中。

在管理集群上查找你正在管理的集群的项目 ID,因为它是使用 metadata.generateName 生成的:

kubectl --namespace c-m-abcde get projects

在托管集群上,使用项目注释创建命名空间:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: mynamespace
  annotations:
    field.cattle.io/projectId: c-m-abcde:p-vwxyz
EOF

注意格式:<cluster ID>:<project ID>

删除项目

在集群命名空间中查找要删除的项目:

kubectl --namespace c-m-abcde get projects

删除集群命名空间下的项目:

kubectl --namespace c-m-abcde delete project p-vwxyz

请注意此命令不会删除以前属于该项目的命名空间和资源。