In OpenShift, a project is a Kubernetes namespace with additional annotations. It is the central logical container through which access to resources is managed for regular users. A project allows a community of users to organize and manage their content in isolation from other communities. Users must be given access to projects by administrators or, if they are allowed to create projects, automatically have access to their own projects.
Cluster administrators can create projects and delegate administrative rights for the project to any member of the user community. Cluster administrators can also allow developers to create their own projects. Developers and administrators can interact with projects using the CLI or the web console.
To create a new project, execute:
oc new-project a-new-project \
    --description="This is a new project to demonstrate OpenShift v3" \
    --display-name="A new Project"
To grant a user access to a project, execute:
oc adm policy add-role-to-user <role> <username> -n <project>
Example: to add the user email@example.com with the role admin to the project a-new-project, execute:
oc adm policy add-role-to-user admin email@example.com -n a-new-project
Refer also to the OpenShift documentation for a more detailed view of “Managing Authorization Policies”.
By default, every authenticated user has the privilege to create new projects, because every authenticated user is bound to the cluster role self-provisioner. This privilege can be removed.
To remove the role self-provisioner, execute:
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
The above command removes the create project privilege from all users but the cluster admin.
oc adm policy add-cluster-role-to-user self-provisioner <any-user>
The above command adds the create project privilege to a specified user.
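A check to run after the change above, as an added example that is not part of the original page: it reads the output of `oc get clusterrolebindings -o json` and reports whether self-provisioner is still bound to the system:authenticated groups and which subjects hold it explicitly. It assumes the Kubernetes RBAC ClusterRoleBinding layout (roleRef, subjects); the sample data, the user alice and the binding names are constructed.

```python
import json
import sys

# Groups the page's remove-cluster-role-from-group command targets.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}

def _bindings(*items):
    """Build constructed sample data shaped like `oc get clusterrolebindings -o json`."""
    return json.dumps({"kind": "List", "items": [
        {"metadata": {"name": n}, "roleRef": {"kind": "ClusterRole", "name": r}, "subjects": s}
        for n, r, s in items]})

# Constructed samples (not from a real cluster): before and after the change.
BEFORE = _bindings(
    ("self-provisioners", "self-provisioner",
     [{"kind": "Group", "name": "system:authenticated:oauth"}]),
    ("cluster-admins", "cluster-admin", [{"kind": "Group", "name": "system:masters"}]))
AFTER = _bindings(
    ("self-provisioners", "self-provisioner", None),  # all subjects removed
    ("self-provisioner-alice", "self-provisioner", [{"kind": "User", "name": "alice"}]))

def role_subjects(bindings_json, role="self-provisioner"):
    """Return sorted (kind, name, binding) for every subject bound to the cluster role."""
    found = set()
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        binding = (item.get("metadata") or {}).get("name", "")
        for subj in item.get("subjects") or []:  # subjects may be null or missing
            found.add((subj.get("kind", ""), subj.get("name", ""), binding))
    return sorted(found)

def audit(bindings_json):
    """Split holders of self-provisioner into broad groups and explicit grants."""
    subjects = role_subjects(bindings_json)
    broad = [s for s in subjects if s[0] == "Group" and s[1] in BROAD_GROUPS]
    explicit = [s for s in subjects if s not in broad]
    return {"still_open": bool(broad), "broad": broad, "explicit": explicit}

if __name__ == "__main__":
    # With a file argument, audit saved `oc get clusterrolebindings -o json` output.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(json.dumps(audit(fh.read()), indent=2))
    else:
        for label, sample in (("before", BEFORE), ("after", AFTER)):
            print(label, json.dumps(audit(sample)))
```

A result with still_open set to true means a broad group still carries the create-project privilege; the explicit list is the set of grants to review one by one.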