On a newly created OpenShift / OKD Kubernetes cluster, users can by default create projects (namespaces) without consulting the cluster administrator. In most setups, you'll want to disable this feature so that cluster compute resources are not misused and developers follow the correct process for deploying applications onto the OpenShift cluster.

In this guide, we'll discuss how to prevent logged-in users from creating projects on their own. Instead, they'll see a message telling them to email the relevant team to have a project created and permissions granted for them to use it.

You should have a working OpenShift Container environment to follow along with this guide. Check the guides we have on how to create an OpenShift cluster:

Setup Local OpenShift 4 Cluster with CodeReady Containers

How To Setup Local OpenShift Origin (OKD) Cluster on CentOS 7

How To run Local Openshift Cluster with Minishift

Disabling project self-provisioning on OpenShift

First view the self-provisioners cluster role binding usage with the command below.

$ oc describe clusterrolebinding.rbac self-provisioners

----
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind   Name                        Namespace
  ----   ----                        ---------
  Group  system:authenticated:oauth

We need to remove the self-provisioner cluster role from the group system:authenticated:oauth:

$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'

You should get an output like below:

clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched

If the self-provisioners cluster role binding binds the self-provisioner role to more users, groups, or service accounts than the system:authenticated:oauth group, run the following command:

$ oc adm policy \
    remove-cluster-role-from-group self-provisioner \
    system:authenticated:oauth

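Next, set the rbac.authorization.kubernetes.io/autoupdate annotation on the self-provisioners cluster role binding to false so that automatic updates do not reset the binding to its default state. You can apply the patch directly with the following command:

$ oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'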

Confirm the contents of the self-provisioners cluster role binding:

$ oc edit clusterrolebinding.rbac self-provisioners

The value should now be set to false.

.....
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
.....

Log in as an authenticated user and verify that the user can no longer self-provision a project:

$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.
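
An audit of the result of the steps above, added here as an example and not part of the original guide: it reads the JSON printed by `oc get clusterrolebinding.rbac -o json` and lists every binding that still grants self-provisioner, plus the default binding if its autoupdate annotation is not "false". It goes beyond the single binding the guide edits by checking all cluster role bindings; the sample data and the names team-leads-provisioners and team-leads are constructed.

```python
import json
import sys

ROLE = "self-provisioner"              # ClusterRole named on the page
DEFAULT_BINDING = "self-provisioners"  # default binding named on the page
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed sample shaped like `oc get clusterrolebinding.rbac -o json`.
# "team-leads-provisioners" and "team-leads" are hypothetical names.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "self-provisioners", "annotations": {AUTOUPDATE: "true"}},
     "roleRef": {"kind": "ClusterRole", "name": ROLE}, "subjects": None},
    {"metadata": {"name": "team-leads-provisioners"},
     "roleRef": {"kind": "ClusterRole", "name": ROLE},
     "subjects": [{"kind": "Group", "name": "team-leads"}]},
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:cluster-admins"}]},
]})


def audit(bindings_json):
    """Return (binding, finding) pairs for every binding that still grants
    the self-provisioner role or could have the grant restored."""
    doc = json.loads(bindings_json)
    items = doc["items"] if "items" in doc else [doc]  # List or single object
    findings = []
    for b in items:
        ref = b.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") != ROLE:
            continue
        meta = b.get("metadata") or {}
        name = meta.get("name", "<unnamed>")
        # `subjects` is null or absent once the page's patch has been applied.
        for s in b.get("subjects") or []:
            findings.append((name, f"grants {ROLE} to {s.get('kind')}/{s.get('name')}"))
        # The page sets this annotation on the default binding only.
        annotations = meta.get("annotations") or {}
        if name == DEFAULT_BINDING and annotations.get(AUTOUPDATE) != "false":
            findings.append((name, f'{AUTOUPDATE} is not "false"'))
    return findings


if __name__ == "__main__":
    # Pass a file holding the `oc` output, or no argument to use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for binding, finding in audit(data):
        print(f"{binding}: {finding}")
```

An empty result means no cluster role binding grants self-provisioner and the default binding is protected against automatic updates.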

Customize the project request message on OpenShift

We need to customize the message that OpenShift users will get when they try to create projects from CLI or Web console.

From CLI

Log in as a user with cluster-admin privileges and edit the project.config.openshift.io/cluster resource:

$ oc edit project.config.openshift.io/cluster

Set the projectRequestMessage parameter to your custom message:

projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]"

From Web Dashboard

Open the OpenShift Web console and navigate to the Administration → Cluster Settings page.

Click Global Configuration to view all configuration resources.

Find the entry for Projects.

Click on the YAML to edit it.

projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]"

After you save the changes, users can try creating new projects as a developer or service account and the request won't go through. They will get the custom message we just set.
