Skip to content

Project resource on garden cluster

Projects

The Project resource is used for data isolation between individual Gardener consumers. Each team (or customer) has its own Project to manage its own Shoot clusters. Each Project is backed by a Kubernetes Namespace that contains the actual related Kubernetes resources, like Secrets or Shoots. The Project resource supports RBAC within the namespace with predefined roles.

Project and Shoot name length limitation with an Ingress controller

If you plan to use an Ingress controller — the OSC provided one or your own — you need to take into account the length limit for the Project and Shoot names.

Secrets

To be able to deploy Shoot clusters, a Secret with the credentials to the underlying Cloud infrastructure needs to be created. It can be created using the Gardener Dashboard in the form Infrastructure secrets under the SECRETS menu item. The credentials will be provided by OSC.

During the creation of a Shoot cluster, the Secret needs to be selected. This can be done using the Shoot creation form, using the drop-down "Secret" in the section "Infrastructure details". In the YAML manifest the field spec.secretBindingName will contain this information.

How to create Secret

  1. On left side panel click on SECRETS and then click on "+" sign Create_secret
  2. Fill Secret Data with values provided by OSC Secret

User management

User management within Projects is done via .spec.members[] field in Project resource. Users can be assigned either during Project creation or added additionally.

Project members

The list of members (.spec.members[]) contains all the people that are associated with the project in any way. Each project member must have at least one role, additional roles can be added to .spec.members[].roles[].

The following roles are defined:

admin

This allows to fully manage resources inside the project (e.g., Secrets, Shoots, ConfigMaps). Mind that the admin role has read only access to service accounts.

serviceaccountmanager

This allows to fully manage service accounts and their request tokens in the Project namespace. The permissions of the created service accounts are instead managed by the admin role.

uam

This allows to add/modify/remove human users or groups to/from the project member list.

viewer

This allows to read all resources inside the project except secrets.

owner

This combines the admin, uam, and serviceaccountmanager roles.

Adding users during Project creation

Apply the following manifest against the Garden cluster with kubectl apply -f <filename>.yaml

apiVersion: core.gardener.cloud/v1beta1
kind: Project
metadata:
  name: dev
spec:
  namespace: garden-dev
  description: "This is my first project" # optional
  purpose: "Experimenting with Gardener" # optional
  owner:
    apiGroup: rbac.authorization.k8s.io
    kind: User
    name: oidc:john.doe
  members:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: oidc:adam.doe
      role: admin
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: oidc:gardener:gardener-developers
      role: admin

Adding users after Project creation

Using kubectl

Use kubectl edit project <projectName> -n garden-<projectName> and add the new users and groups to .spec.members[]

spec:
  ...
  members:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: oidc:john.doe
    role: admin
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: oidc:gardener:gardener-developers
    role: admin

Using the Gardener dashboard

Login to gardener dashboard and then select the members option from the left sidebar.

Dashboard_members

You will be redirected to the members administration section. All users and service accounts are displayed with their Project assignment and respective roles. Within this section, you can manage both users and service accounts within the Project.

Dashboard_members_section

Click on the plus (+) icon in the respective section to add a new user or service account to the project.

Dashboard_add_users_sa

Click on the pencil icon to edit a user or service account within the project.

Dashboard_manage_users_sa

Once you click on the pencil icon, you will be redirected to the management section, where you can assign or remove roles from users or service accounts. You can assign multiple roles to users or service accounts, based on the specific permissions they should have within the project.

Dashboard_roles

RBAC within Projects

The project controller inside the Gardener Controller Manager is managing RBAC resources that grant the described privileges to the respective members.

There are three central ClusterRoles that grant the permissions for namespaced resources (e.g., Secrets, Shoots, ServiceAccounts):

  • gardener.cloud:system:project-member
  • gardener.cloud:system:project-viewer
  • gardener.cloud:system:project-serviceaccountmanager

Project members get bound to these ClusterRoles (and thus receive the permissions defined by the ClusterRole) if a RoleBinding object is created for them in the namespace the project.

There are also project-specific ClusterRoles granting permissions for cluster-scoped resources, e.g., to Namespaces or to the Project itself.

For each role, the following ClusterRoles, ClusterRoleBindings, and RoleBindings are created:

Role (within Project) ClusterRole ClusterRoleBinding RoleBinding
admin gardener.cloud:system:project-member:<projectName> gardener.cloud:system:project-member:<projectName> gardener.cloud:system:project-member
serviceaccountmanager gardener.cloud:system:project-serviceaccountmanager
uam gardener.cloud:system:project-uam:<projectName> gardener.cloud:system:project-uam:<projectName>
viewer gardener.cloud:system:project-viewer:<projectName> gardener.cloud:system:project-viewer:<projectName> gardener.cloud:system:project-viewer
owner gardener.cloud:system:project:<projectName> gardener.cloud:system:project:<projectName>