8. Enable Developer Self-Service Flashcards

1
Q
  1. Configure cluster resource quotas
A

You can choose one of the following options to create a ResourceQuota:

Navigate to Administration → ResourceQuotas to create a resource quota from the web console
Use the oc create resourcequota command
Use a manifest
Quota
oc get resourcequota
oc get quota

oc create resourcequota example --hard=count/deployments.apps=1
oc create quota example2 --hard=requests.cpu=2
Quota Template
apiVersion: v1
kind: ResourceQuota
metadata:
  name: memory
  namespace: example
spec:
  hard:
    limits.memory: 4Gi
    requests.memory: 2Gi
  scopes: []
  scopeSelector: {}
Configure cluster resource quotas
For example, a group of developers manages many namespaces. Namespace quotas can limit RAM usage per namespace.
However, with namespace quotas alone, a cluster administrator cannot limit the total RAM usage of all workloads that the group of developers manages.

OpenShift introduces cluster resource quotas for those scenarios.

Cluster resource quotas follow a similar structure to namespace resource quotas. However, cluster resource quotas use selectors to choose which namespaces the quota applies to.

Quota
apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  name: example
spec:
  quota: # contains the quota definition. This key follows the structure of the ResourceQuota specification.
    hard:
      limits.cpu:
  selector: # defines which namespaces the cluster resource quota applies to.
    annotations: {}
    labels:
      matchLabels:
        kubernetes.io/metadata.name: example
You can also use the oc create clusterresourcequota command to create a ClusterResourceQuota.

clusterresourcequota
# create a resourcequota that will be applied to all projects/namespaces with the label group=dev

oc create clusterresourcequota example --project-label-selector=group=dev --hard=requests.cpu=10
clusterresourcequota/example created

2
Q
  1. Configure project quotas
A

You can choose one of the following options to create a ResourceQuota:

Navigate to Administration → ResourceQuotas to create a resource quota from the web console
Use the oc create resourcequota command
Use a manifest
Quota
oc get resourcequota
oc get quota

oc create resourcequota example --hard=count/deployments.apps=1
oc create quota example2 --hard=requests.cpu=2
Quota Template
apiVersion: v1
kind: ResourceQuota
metadata:
  name: memory
  namespace: example
spec:
  hard:
    limits.memory: 4Gi
    requests.memory: 2Gi
  scopes: []
  scopeSelector: {}

3
Q
  1. Configure project resource requirements
A

See the ResourceQuota and ClusterResourceQuota sections.

4
Q
  1. Configure project limit ranges
A

Cluster administrators can set resource quotas on namespaces. Namespace quotas limit the resources that workloads in a namespace use. Quotas address resource management at the cluster level.

Kubernetes users might have further resource management needs within a namespace.

Users might accidentally create workloads that consume too much of the namespace quota. These unwanted workloads might prevent other workloads from running.

Users might forget to set workload limits and requests, or might find it time-consuming to configure limits and requests. When a namespace has a quota, creating workloads fails if the workload does not define values for the limits or requests in the quota.

Kubernetes introduces limit ranges to help with these issues. Limit ranges are namespaced objects that define limits for workloads within the namespace.

LimitRange
apiVersion: v1
kind: LimitRange
metadata:
  name: example
  namespace: example
spec:
  limits:
  - default:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 250m
      memory: 256Mi
    max:
      cpu: "1"
      memory: 1Gi
    min:
      cpu: 125m
      memory: 128Mi
    type: Container
More information on LimitRange in the documentation.

5
Q
  1. Configure project templates
A

OpenShift introduces projects to improve security and users’ experience of working with namespaces. The OpenShift API server adds the Project resource type.

By using a template, cluster administrators can customize namespace creation. For example, cluster administrators can ensure that new namespaces have specific permissions, resource quotas, or limit ranges.

Planning a Project Template

You can add any namespaced resource to the project template. For example, you can add resources of the following types:

Roles and role bindings: to grant specific permissions in new projects.
Resource quotas and limit ranges: to ensure that all new projects have resource limits.
If you add resource quotas, then creating workloads requires explicit resource limit declarations. Consider adding limit ranges to reduce the effort for workload creation.
Network policies: to enforce organizational network isolation requirements.
Creating a Project Template

The oc adm create-bootstrap-project-template command prints a template that you can use to create your own project template.

This template has the same behavior as the default project creation in OpenShift. The template adds a role binding that grants the admin cluster role over the new namespace to the user who requests the project.

Project templates use the same template feature as the oc new-app command.

Bootstrap Template
oc adm create-bootstrap-project-template -o yaml > output.yml

apiVersion: template.openshift.io/v1
kind: Template
metadata:
  creationTimestamp: null
  name: project-request
objects:
- apiVersion: project.openshift.io/v1
  kind: Project
  metadata:
    annotations:
      openshift.io/description: ${PROJECT_DESCRIPTION}
      openshift.io/display-name: ${PROJECT_DISPLAYNAME}
      openshift.io/requester: ${PROJECT_REQUESTING_USER}
    creationTimestamp: null
    name: ${PROJECT_NAME}
  spec: {}
  status: {}
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: null
    name: admin
    namespace: ${PROJECT_NAME}
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: admin
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ${PROJECT_ADMIN_USER}
parameters:
- name: PROJECT_NAME
- name: PROJECT_DISPLAYNAME
- name: PROJECT_DESCRIPTION
- name: PROJECT_ADMIN_USER
- name: PROJECT_REQUESTING_USER

You can modify the object list in output.yml to add the required resources for new namespaces.

Then, use the oc create command to create the template resource in the openshift-config namespace:

Create template
oc create -f output.yml -n openshift-config
template.template.openshift.io/project-request created
Apply the newly created template as the default one

Edit the resource projects.config.openshift.io/cluster

Project
# edit cluster config
oc edit projects.config.openshift.io cluster
# add this content to the spec block:
# projectRequestTemplate:
#   name: project-request

apiVersion: config.openshift.io/v1
kind: Project
metadata:
…output omitted…
  name: cluster
…output omitted…
spec:
  projectRequestTemplate: ## here
    name: project-request ## and there

# to look up the projectRequestTemplate key
oc get projects. # then press Tab to pick projects.config.openshift.io from the completion list
oc explain projects.config.openshift.io.spec

# watch the API server pods restart
oc get pod -n openshift-apiserver -w
