Provides a `Project` CRD and controller for k8s to help with organising resources
projects-operator extends kubernetes with a Project CRD and corresponding
controller. Projects are intended to provide isolation of kubernetes
resources on a single kubernetes cluster. A Project is essentially a
kubernetes namespace along with a corresponding set of RBAC rules.
To begin contributing, please read the contributing doc.
projects-operator is currently deployed using k14s.
You must first create a ClusterRole that contains the RBAC
rules you wish to be applied to each created Project. For example:
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: my-clusterrole-with-rbac-for-each-projectrules:- apiGroups:- example.k8s.ioresources:- mycustomresourceverbs:- "*"
Then you will need to build and push the projects-operator image to a registry.
$ docker build -t <REGISTRY_HOSTNAME>/<REGISTRY_PROJECT>/projects-operator .$ docker push <REGISTRY_HOSTNAME>/<REGISTRY_PROJECT>/projects-operator# For example, docker build -t gcr.io/team-a/projects-operator .
Then finally you can run the /scripts/kapp-deploy script
to deploy projects-operator.
export INSTANCE=<UNIQUE STRING TO IDENTIFY THIS DEPLOYMENT>export REGISTRY_HOSTNAME=<REGISTRY_HOSTNAME> # e.g. "gcr.io", "my.private.harbor.com", etc.export REGISTRY_PROJECT=<REGISTRY_PROJECT> # e.g. "team-a", "dev", etc.export REGISTRY_USERNAME=<REGISTRY_PASSWORD>export REGISTRY_PASSWORD=<REGISTRY_PASSWORD>export CLUSTER_ROLE_REF=my-clusterrole-with-rbac-for-each-project$ ./scripts/kapp-deploy
Apply projects yaml with a project name and a list of users/groups/serviceaccounts who have access, for example:
apiVersion: projects.vmware.com/v1alpha1kind: Projectmetadata:name: project-samplespec:access:- kind: Username: alice- kind: ServiceAccountname: some-robotnamespace: some-namespace- kind: Groupname: ldap-experts
kapp -n <NAMESPACE> delete -a projects-operator
projects-operator makes use of three webhooks to provide further functionality, as follows: