Kelson Martins

Creating OpenShift Project Templates


Software engineer. Geek. Traveller. Wannabe athlete. Lifelong student. Works at IBM and hosts the @HardcodeCast.



Over the past few years, I have been diving deep into the world of Kubernetes, wearing both the Application Developer and Administrator hats while handling a series of Kubernetes and Red Hat OpenShift clusters.

Based on this experience, this post marks the first of a series of Kubernetes-related content that aims to provide useful information regarding common tasks everyone dealing with Kubernetes will probably make use of at some point.

To kick things off, today’s topic explains how to create OpenShift default project templates. These templates are useful for OpenShift administrators who want to avoid managing individual projects in isolation. By making use of project templates, every project created on the system will adhere to the resources defined by the template, removing the need for manual project configuration.

The Use Case

Imagine a shared OpenShift cluster that is used by Dev and QA teams, and that as part of their work, each team will create a series of different projects for their workloads. Assuming the OpenShift cluster has limited resources and its administrator wants to configure the environment to be as stable as possible, a Project Template is the feature that fits the purpose, as it can limit the number of resources a project can host directly at creation time.

A Project Template can be used to auto-configure resources such as [Quotas, LimitRanges, NetworkPolicies,…], meaning that newly created projects are automatically restricted according to the resources defined by the template.

For our use case, let’s assume the following requirements:

  • Limit the project to start a maximum of 40 pods
  • Limit the project to consume a maximum of 2 CPUs
  • Limit the project to consume a maximum of 5GB of memory
  • Each container requests a minimum of 10 millicores of CPU
  • Each container is limited to a maximum of 200 millicores of CPU

In summary, whenever a new project creation occurs, the project should automatically inherit the restrictions imposed by the template.

Creating a Project Template

The following are the steps involved in creating a project template:

Step 1

As a cluster administrator user, generate the skeleton of the template resource with the following command:

oc adm create-bootstrap-project-template -o yaml > /tmp/template.yaml

Step 2

The command from step 1 outputs a blank template to a file so it can be customised according to our use case. Once generated, change it so that it includes the ResourceQuota and LimitRange resource definitions.

We can achieve this by appending the following blocks in the template file right above the parameters: line.

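- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: ${PROJECT_NAME}-quota
  spec:
    hard:
      # In a ResourceQuota, cpu and memory count the sum of container requests
      cpu: "2"
      memory: 5Gi
      pods: "40"
- apiVersion: "v1"
  kind: "LimitRange"
  metadata:
    name: ${PROJECT_NAME}-limit-range
  spec:
    limits:
      - type: "Container"
        # CPU limit applied to containers that do not set one
        default:
          cpu: "200m"
        # CPU request applied to containers that do not set one
        defaultRequest:
          cpu: "10m"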

The full code snippet can be found on this Gist.

Step 3

Apply the project template file in the openshift-config namespace.

oc apply -f /tmp/template.yaml -n openshift-config

Step 4

Once the project template is in place, we must update the specification of the resource projects.config.openshift.io/cluster to specify that we want to use the template that has just been created.

To achieve that, first edit the mentioned resource:

$ oc edit projects.config.openshift.io/cluster

Then alter its spec block:

spec:
  projectRequestTemplate:
    name: project-request

Note that the name project-request is the default name given by the skeleton template generated by the oc adm create-bootstrap-project-template command. You could also have changed it to any resource name you would prefer.

Step 5

Once we edit the resource, we must wait for the openshift-apiserver operator to reconcile its pods so that our changes propagate. It may take a few minutes for the operator to reconcile, and you can follow the progress with the following command:

$ oc get pod -n openshift-apiserver -w

Once the openshift-apiserver pods restart, our project template is in place and ready for use.
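Added example, not part of the original post: a check to run on the template from Step 2 before applying it, flagging compute resources that the ResourceQuota constrains but for which the LimitRange supplies no container default, since Kubernetes can reject pods that omit a request or limit for a quota-constrained resource. It assumes the skeleton was generated with `-o json` so the standard library can parse it; `lint_template`, `QUOTA_NEEDS` and the embedded sample are constructed for illustration.

```python
import json

# Constructed sample: the two objects from Step 2 as they would sit in the
# template's "objects" list if the skeleton were generated with `-o json`.
TEMPLATE_JSON = """
{"kind": "Template", "metadata": {"name": "project-request"}, "objects": [
  {"kind": "ResourceQuota", "metadata": {"name": "${PROJECT_NAME}-quota"},
   "spec": {"hard": {"cpu": "2", "memory": "5Gi", "pods": "40"}}},
  {"kind": "LimitRange", "metadata": {"name": "${PROJECT_NAME}-limit-range"},
   "spec": {"limits": [{"type": "Container",
                        "default": {"cpu": "200m"},
                        "defaultRequest": {"cpu": "10m"}}]}}
]}
"""

# Quota key -> (resource, LimitRange fields that give a container a value).
# In a ResourceQuota, "cpu"/"memory" mean requests.cpu/requests.memory, and a
# container that has only a limit gets its request set equal to that limit.
REQ, LIM = ("defaultRequest", "default"), ("default",)
QUOTA_NEEDS = {"cpu": ("cpu", REQ), "requests.cpu": ("cpu", REQ),
               "memory": ("memory", REQ), "requests.memory": ("memory", REQ),
               "limits.cpu": ("cpu", LIM), "limits.memory": ("memory", LIM)}


def lint_template(template):
    """Return findings for a parsed project Template (hypothetical helper)."""
    objects = template.get("objects", [])
    def by_kind(kind):
        return [o for o in objects if o.get("kind") == kind]
    findings = [f"template has no {k}" for k in ("ResourceQuota", "LimitRange")
                if not by_kind(k)]
    # Container-level defaults supplied by any LimitRange in the template.
    defaults = {"default": set(), "defaultRequest": set()}
    for lr in by_kind("LimitRange"):
        for item in lr.get("spec", {}).get("limits", []):
            if item.get("type") == "Container":
                for field in defaults:
                    defaults[field].update(item.get(field) or {})
    for quota in by_kind("ResourceQuota"):
        for key in quota.get("spec", {}).get("hard", {}):
            resource, fields = QUOTA_NEEDS.get(key, (None, ()))
            if resource and not any(resource in defaults[f] for f in fields):
                findings.append(f"quota '{key}' has no LimitRange default for "
                                f"{resource}; pods omitting it can be rejected")
    return findings


if __name__ == "__main__":
    print(lint_template(json.loads(TEMPLATE_JSON)))
```

On the sample, the only finding is for `memory`: the quota caps memory requests, but the LimitRange sets CPU defaults only.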

Testing the Project Template

Testing our template is as simple as creating a project, so let’s do so by creating a project named test-template with the command that follows:

oc new-project test-template

Once created, the new project should also inherit the configuration from the template we just created, which can be confirmed by the following commands:

$ oc get quota

NAME AGE REQUEST LIMIT
test-template-limit-range 16s cpu:0/2, memory: 0/5Gi, pods: 0/40

and

$ oc get limitrange

NAME CREATED AT
test-template-limit-range 2022-01-16T07:47:55Z

As expected, our new project automatically created the resource quota and limit range resources we defined in our project template.

Conclusion

A project template is an important OpenShift feature that can save an administrator some precious time, especially when dealing with large clusters shared by many teams. This post covered the steps that, once taken, automatically apply limiting resources such as resource quotas and limit ranges upon project creation.

If interested, you can learn more about OpenShift project configuration and its extra features in the official OpenShift documentation.

Stay tuned for more Kubernetes and OpenShift related content.
