Projects and Kubernetes Namespaces with Rancher
A namespace is a Kubernetes concept that allows a virtual cluster within a cluster, which is useful for dividing the cluster into separate "virtual clusters" that each have their own access control and resource quotas.
A project is a group of namespaces, and it is a concept introduced by Rancher. Projects allow you to manage multiple namespaces as a group and perform Kubernetes operations in them. You can use projects to support multi-tenancy, so that a team can access a project within a cluster without having access to other projects in the same cluster.
As of Rancher v2.6, projects are de-emphasized on the UI because it is no longer required to create any Kubernetes resources within a project scope. However, resources such as Secrets can still be created in a project scope if the legacy feature flag is enabled.
This section describes how projects and namespaces work with Rancher.
A namespace is a concept introduced by Kubernetes. According to the official Kubernetes documentation on namespaces,
Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. [...] Namespaces are intended for use in environments with many users spread across multiple teams, or projects. For clusters with a few to tens of users, you should not need to create or think about namespaces at all.
Namespaces provide the following functionality:
- Providing a scope for names: Names of resources need to be unique within a namespace, but not across namespaces. Namespaces can not be nested inside one another and each Kubernetes resource can only be in one namespace.
- Resource quotas: Namespaces provide a way to divide cluster resources between multiple users.
You can assign resources at the project level so that each namespace in the project can use them. You can also bypass this inheritance by assigning resources explicitly to a namespace.
You can assign the following resources directly to namespaces:
- Load Balancers/Ingress
- Service Discovery Records
- Persistent Volume Claims
To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher, user permissions are assigned on the project level instead, and permissions are automatically inherited by any namespace owned by the particular project.
For more information on creating and moving namespaces, see Namespaces.
Role-based access control issues with namespaces and kubectl
Because projects are a concept introduced by Rancher, kubectl does not have the capability to restrict the creation of namespaces to a project the creator has access to.
This means that when standard users with project-scoped permissions create a namespaces with
kubectl, it may be unusable because
kubectl doesn't require the new namespace to be scoped within a certain project.
If your permissions are restricted to the project level, it is better to create a namespace through Rancher to ensure that you will have permission to access the namespace.
If a standard user is a project owner, the user will be able to create namespaces within that project. The Rancher UI will prevent that user from creating namespaces outside the scope of the projects they have access to.
In terms of hierarchy:
- Clusters contain projects
- Projects contain namespaces
You can use projects to support multi-tenancy, so that a team can access a project within a cluster without having access to other projects in the same cluster.
In the base version of Kubernetes, features like role-based access rights or cluster resources are assigned to individual namespaces. A project allows you to save time by giving an individual or a team access to multiple namespaces simultaneously.
You can use projects to perform actions such as:
- Assign users to a group of namespaces (i.e., project membership).
- Assign users specific roles in a project. A role can be owner, member, read-only, or custom.
- Assign resources to the project.
- Assign Pod Security Policies.
When you create a cluster, two projects are automatically created within it:
The Cluster's Default Project
When you provision a cluster with Rancher, it automatically creates a
default project for the cluster. This is a project you can use to get started with your cluster, but you can always delete it and replace it with projects that have more descriptive names.
If you don't have a need for more than the default namespace, you also do not need more than the Default project in Rancher.
If you require another level of organization beyond the Default project, you can create more projects in Rancher to isolate namespaces, applications and resources.
The System Project
When troubleshooting, you can view the
system project to check if important namespaces in the Kubernetes system are working properly. This easily accessible project saves you from troubleshooting individual system namespace containers.
To open it, open the cluster view and click Cluster > Projects/Namespaces. This view shows all of the namespaces in the
- Is automatically created when you provision a cluster.
- Lists all namespaces that exist in
v3/settings/system-namespaces, if they exist.
- Allows you to add more namespaces or move its namespaces to other projects.
- Cannot be deleted because it's required for cluster operations.
In RKE clusters where the project network isolation option is enabled, the
system project overrides the project network isolation option so that it can communicate with other projects, collect logs, and check health.
Standard users are only authorized for project access in two situations:
- An administrator, cluster owner or cluster member explicitly adds the standard user to the project's Members tab.
- Standard users can access projects that they create themselves.
Pod Security Policies
Rancher extends Kubernetes to allow the application of Pod Security Policies at the project level in addition to the cluster level. However, as a best practice, we recommend applying Pod Security Policies at the cluster level.
This section describes how to create a new project with a name and with optional pod security policy, members, and resource quotas.
- Name a new project.
- Optional: Select a pod security policy.
- Recommended: Add project members.
- Optional: Add resource quotas.
1. Name a New Project
- In the upper left corner, click ☰ > Cluster Management.
- On the Clusters page, go to the cluster you want to project in and click Explore.
- Click Cluster > Projects/Namespaces.
- Click Create Project.
- Enter a Project Name.
2. Optional: Select a Pod Security Policy
This option is only available if you've already created a Pod Security Policy. For instruction, see Creating Pod Security Policies.
Assigning a PSP to a project will:
- Override the cluster's default PSP.
- Apply the PSP to the project.
- Apply the PSP to any namespaces you add to the project later.
3. Recommended: Add Project Members
Use the Members section to provide other users with project access and roles.
By default, your user is added as the project
Users assigned the
Memberrole for a project automatically inherit the
namespace creationrole. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the
Memberrole for a project can create namespaces in other projects they're assigned to, even with only the
Read Onlyrole assigned.
By default, the Rancher role of
project-memberinherits from the
Kubernetes-editrole, and the
project-ownerrole inherits from the
Kubernetes-adminrole. As such, both
project-ownerroles will allow for namespace management, including the ability to create and delete namespaces.
Customto create a custom role on the fly: Custom Project Roles.
To add members:
- In the Members tab, click Add.
- From the Select Member field, search for a user or group that you want to assign project access. Note: You can only search for groups if external authentication is enabled.
- In the Project Permissions section, choose a role. For more information, refer to the documentation on project roles.
4. Optional: Add Resource Quotas
Resource quotas limit the resources that a project (and its namespaces) can consume. For more information, see Resource Quotas.
To add a resource quota,
- In the Resource Quotas tab, click Add Resource.
- Select a Resource Type. For more information, see Resource Quotas..
- Enter values for the Project Limit and the Namespace Default Limit.
- Optional: Specify Container Default Resource Limit, which will be applied to every container started in the project. The parameter is recommended if you have CPU or Memory limits set by the Resource Quota. It can be overridden on per an individual namespace or a container level. For more information, see Container Default Resource Limit
- Click Create.
Result: Your project is created. You can view it from the cluster's Projects/Namespaces view.
|Project Limit||The overall resource limit for the project.|
|Namespace Default Limit||The default resource limit available for each namespace. This limit is propagated to each namespace in the project when created. The combined limit of all project namespaces shouldn't exceed the project limit.|