Illumina Innovates with Rancher and Kubernetes
After projects are created, there are certain aspects that can be changed later.
Following project creation, you can add users as project members so that they can access its resources.
From the Global view, open the project that you want to add members to.
From the main menu, select Members. Then click Add Member.
Search for the user or group that you want to add to the project.
If external authentication is configured:
Rancher returns users from your external authentication source as you type.
A drop-down allows you to add groups instead of individual users. The dropdown only lists groups that you, the logged in user, are included in.
Note: If you are logged in as a local user, external users do not display in your search results.
Assign the user or group Project roles.
What are Project Roles?
Notes: Users assigned the Owner or Member role for a project automatically inherit the namespace creation role. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the Owner or Member role for a project can create namespaces in other projects they’re assigned to, even with only the Read Only role assigned. For Custom roles, you can modify the list of individual roles available for assignment. To add roles to the list, Add a Custom Role. To remove roles from the list, Lock/Unlock Roles.
Notes:
Users assigned the Owner or Member role for a project automatically inherit the namespace creation role. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the Owner or Member role for a project can create namespaces in other projects they’re assigned to, even with only the Read Only role assigned.
Owner
Member
namespace creation
Read Only
For Custom roles, you can modify the list of individual roles available for assignment.
Custom
Result: The chosen users are added to the project.
Note: These cluster options are only available for clusters that Rancher has launched Kubernetes.
You can always assign a PSP to an existing project if you didn’t assign one during creation.
Prerequisites: Create a Pod Security Policy within Rancher. Before you can assign a default PSP to an existing project, you must have a PSP available for assignment. For instruction, see Creating Pod Security Policies. Assign a default Pod Security Policy to the project’s cluster. You can’t assign a PSP to a project until one is already applied to the cluster. For more information, see Existing Cluster: Adding a Pod Security Policy.
Prerequisites:
From the Global view, find the cluster containing the project you want to apply a PSP to.
From the main menu, select Projects/Namespaces.
Find the project that you want to add a PSP to. From that project, select Vertical Ellipsis (…) > Edit.
From the Pod Security Policy drop-down, select the PSP you want to apply to the project. Assigning a PSP to a project will:
Click Save.
Result: The PSP is applied to the project and any namespaces added to the project.
Note: Any workloads that are already running in a cluster or project before a PSP is assigned will not be checked if it complies with the PSP. Workloads would need to be cloned or upgraded to see if they pass the PSP.
Available as of v2.0.1
Edit resource quotas when:
From the Global view, open the cluster containing the project to which you want to apply a resource quota.
Find the project that you want to add a resource quota to. From that project, select Ellipsis (…) > Edit.
Expand Resource Quotas and click Add Quota. Alternatively, you can edit existing quotas.
Select a Resource Type.
Enter values for the Project Limit and the Namespace Default Limit.
Optional: Add more quotas.
Click Create.
Result: The resource quota is applied to your project and namespaces. When you add more namespaces in the future, Rancher validates that the project can accommodate the namespace. If the project can’t allocate the resources, Rancher won’t let you save your changes.
Available as of v2.2.0
Edit container default resource limit when:
From the Global view, open the cluster containing the project to which you want to edit the container default resource limit.
Find the project that you want to edit the container default resource limit. From that project, select Ellipsis (…) > Edit.
Expand Container Default Resource Limit and edit the values.