Adding multitenant project template

kevchu3 · Oct 29, 2020 · 326f542 · 326f542
1 parent b4e9fbe
commit 326f542
Show file tree

Hide file tree

Showing 3 changed files with 136 additions and 6 deletions.
diff --git a/day-two.md b/day-two.md
@@ -66,16 +66,26 @@ Refer to these instructions to configure chrony time service
 Refer to these instructions to configure kubelet logging verbosity
 * [Kubelet logging verbosity]
 
-### 6. Configure multitenant network policy
+### 6. Configure project template
+
+Refer to the documentation on how to configure a [project template].
+
+#### a. Multitenant network policy
 
 Using Network Policy, by default, all Pods in a project are accessible from other Pods and network endpoints.  Refer to the documentation for information on [configuring multitenant network policy].  Refer to the documentation for steps to [configure this policy for new projects by default].
 
-An [example project template for multitenant network policy] is provided and can be installed with:
+An example with [multitenant network policy] is provided and can be installed with:
 ```
-oc create -f template/multitenant-project-template.yaml -n openshift-config
+oc create -f template/multitenant-network-policy.yaml -n openshift-config
 oc patch project.config.openshift.io/cluster --type merge -p '{"spec":{"projectRequestTemplate":{"name":"multitenant-project-template"}}}'
 ```
 
+#### b. Resource quotas and limit ranges
+
+Refer to the documentation on how to configure [resource quotas] and [limit ranges].
+
+An example of an [all-in-one project template] with NetworkPolicy, ResourceQuotas, and LimitRanges is provided.
+
 ### 7. [Restricted Network] - Configure support tools
 
 Refer to these instructions to configure support tools for a restricted network
@@ -99,7 +109,11 @@ Kevin Chung
 [automatically pruning images]: https://docs.openshift.com/container-platform/latest/applications/pruning-objects.html#pruning-images_pruning-objects
 [Chrony time service]: ./machineconfig/chrony/
 [Kubelet logging verbosity]: ./machineconfig/kubelet/
+[project template]: https://docs.openshift.com/container-platform/latest/applications/projects/configuring-project-creation.html
 [configuring multitenant network policy]: https://docs.openshift.com/container-platform/latest/networking/network_policy/multitenant-network-policy.html
 [configure this policy for new projects by default]: https://docs.openshift.com/container-platform/latest/networking/network_policy/default-network-policy.html
-[example project template for multitenant network policy]: ./template/multitenant-project-template.yaml
+[multitenant network policy]: ./template/multitenant-network-policy.yaml
+[resource quotas]: https://docs.openshift.com/container-platform/latest/applications/quotas/quotas-setting-per-project.html
+[limit ranges]: https://docs.openshift.com/container-platform/latest/nodes/clusters/nodes-cluster-limit-ranges.html
+[all-in-one project template]: ./template/multitenant-project-template.yaml
 [Support tools]: ./imagecontentsourcepolicy/support-tools/
diff --git a/template/multitenant-network-policy.yaml b/template/multitenant-network-policy.yaml
@@ -0,0 +1,74 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  creationTimestamp: null
+  name: multitenant-project-template
+objects:
+- apiVersion: project.openshift.io/v1
+  kind: Project
+  metadata:
+    annotations:
+      openshift.io/description: ${PROJECT_DESCRIPTION}
+      openshift.io/display-name: ${PROJECT_DISPLAYNAME}
+      openshift.io/requester: ${PROJECT_REQUESTING_USER}
+    creationTimestamp: null
+    name: ${PROJECT_NAME}
+  spec: {}
+  status: {}
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    creationTimestamp: null
+    name: admin
+    namespace: ${PROJECT_NAME}
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: admin
+  subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: ${PROJECT_ADMIN_USER}
+# Set multitenant network policy
+# https://docs.openshift.com/container-platform/4.6/networking/network_policy/default-network-policy.html
+- apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: allow-from-same-namespace
+  spec:
+    ingress:
+    - from:
+      - podSelector: {}
+    podSelector: null
+- apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: allow-from-openshift-ingress
+  spec:
+    ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            network.openshift.io/policy-group: ingress
+    podSelector: {}
+    policyTypes:
+    - Ingress
+- apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: allow-from-openshift-monitoring
+  spec:
+    ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            network.openshift.io/policy-group: monitoring
+    podSelector: {}
+    policyTypes:
+    - Ingress
+parameters:
+- name: PROJECT_NAME
+- name: PROJECT_DISPLAYNAME
+- name: PROJECT_DESCRIPTION
+- name: PROJECT_ADMIN_USER
+- name: PROJECT_REQUESTING_USER
diff --git a/template/multitenant-project-template.yaml b/template/multitenant-project-template.yaml
@@ -3,7 +3,6 @@ kind: Template
 metadata:
   creationTimestamp: null
   name: multitenant-project-template
-  namespace: openshift-config
 objects:
 - apiVersion: project.openshift.io/v1
   kind: Project
@@ -30,6 +29,8 @@ objects:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: ${PROJECT_ADMIN_USER}
+# Set multitenant network policy
+# https://docs.openshift.com/container-platform/4.6/networking/network_policy/default-network-policy.html
 - apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
@@ -38,7 +39,7 @@ objects:
     ingress:
     - from:
       - podSelector: {}
-    podSelector:
+    podSelector: null
 - apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
@@ -65,6 +66,47 @@ objects:
     podSelector: {}
     policyTypes:
     - Ingress
+# Set resource quotas per project
+# https://docs.openshift.com/container-platform/4.6/applications/quotas/quotas-setting-per-project.html
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: compute
+spec:
+  hard:
+    requests.cpu: 4
+    requests.memory: 24Gi
+    limits.memory: 24Gi
+# Set limit range so that pods fit within quota
+# https://docs.openshift.com/container-platform/latest/nodes/clusters/nodes-cluster-limit-ranges.html
+- apiVersion: v1
+  kind: "LimitRange"
+  metadata:
+    name: "compute"
+  spec:
+    limits:
+    - max:
+        cpu: "4"
+        memory: 8Gi
+      min:
+        cpu: 50m
+        memory: 4Mi
+      type: Pod
+    - default:
+        cpu: "1"
+        memory: 1Gi
+      defaultRequest:
+        cpu: 50m
+        memory: 1Gi
+      max:
+        cpu: "4"
+        memory: 8Gi
+      maxLimitRequestRatio:
+        cpu: "50"
+      min:
+        cpu: 50m
+        memory: 4Mi
+      type: Container
 parameters:
 - name: PROJECT_NAME
 - name: PROJECT_DISPLAYNAME