Setting up projects (namespaces) on Red Hat OpenShift Container Platform

Important: IBM® Cloud Pak for Data Version 4.5 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.5 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.

Before you install IBM Cloud Pak for Data on Red Hat® OpenShift® Container Platform, an administrator must create and configure the OpenShift projects (Kubernetes namespaces) where you plan to deploy the Cloud Pak for Data software.

Installation phase: Setting up a client workstation; Collecting required information; Preparing your cluster; Installing the Cloud Pak for Data platform and services

Who needs to complete this task?: A cluster administrator, or a user with permissions to create projects, must complete this task.
When do you need to complete this task?: You must complete this task before you install Cloud Pak for Data for the first time.
You might need to complete this task if you decide to install additional instances of Cloud Pak for Data on your cluster or decide to deploy a service in a tethered namespace.

Before you begin

Review the guidance in Supported project (namespace) configurations to understand the relationship between the projects (namespaces) and the security considerations that you need to take into account.

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Procedure

To create the necessary projects for your environment:

Create the appropriate projects for your environment.

Express installations

Project to create Command

Project to create	Command
`ibm-common-services`	You can skip this step if IBM Cloud Pak® foundational services is already installed on the cluster. `ibm-common-services` is the default and recommended name. If you sourced the installation environment variables, the value from the `PROJECT_CPFS_OPS` variable is used. If you choose to use a different project for the IBM Cloud Pak foundational services operators, you must create `configmap`. For details, see Installing IBM Cloud Pak foundational services in a custom namespace. `oc new-project ${PROJECT_CPFS_OPS}`
`cpd-instance`	Source the installation environment variables to ensure that the correct value for the `PROJECT_CPD_INSTANCE` variable is used. `oc new-project ${PROJECT_CPD_INSTANCE}` Remember: If you plan to install multiple instances of Cloud Pak for Data on the cluster, you must create a project for each instance.
`cpd-instance-tether`	You can skip this step if you don't plan to deploy any service instances or workloads in a tethered project. Source the installation environment variables to ensure that the correct value for the `PROJECT_TETHERED` variable is used. `oc new-project ${PROJECT_TETHERED}` Important: Many services support only one service instance in a given project. So if you want to create multiple instances of a service, you must deploy each instance of the service in a different project. You can achieve this by creating multiple tethered projects and creating one instance of the service in each tethered project. You can co-locate service instances and workloads for different services in the same tethered project, or you can create different tethered projects if one service requires or workload requires more privileges. You can use different tethered projects to give each service instance or workload the exist privileges it needs to align with the Principle of Least Privileges.

ibm-common-services

You can skip this step if IBM Cloud Pak® foundational services is already installed on the cluster.

ibm-common-services is the default and recommended name. If you sourced the installation environment variables, the value from the PROJECT_CPFS_OPS variable is used.

If you choose to use a different project for the IBM Cloud Pak foundational services operators, you must create configmap. For details, see Installing IBM Cloud Pak foundational services in a custom namespace.

oc new-project ${PROJECT_CPFS_OPS}

cpd-instance

Source the installation environment variables to ensure that the correct value for the PROJECT_CPD_INSTANCE variable is used.

oc new-project ${PROJECT_CPD_INSTANCE}

Remember: If you plan to install multiple instances of Cloud Pak for Data on the cluster, you must create a project for each instance.

cpd-instance-tether

You can skip this step if you don't plan to deploy any service instances or workloads in a tethered project.

Source the installation environment variables to ensure that the correct value for the PROJECT_TETHERED variable is used.

oc new-project ${PROJECT_TETHERED}

Important:

Many services support only one service instance in a given project. So if you want to create multiple instances of a service, you must deploy each instance of the service in a different project. You can achieve this by creating multiple tethered projects and creating one instance of the service in each tethered project.

You can co-locate service instances and workloads for different services in the same tethered project, or you can create different tethered projects if one service requires or workload requires more privileges. You can use different tethered projects to give each service instance or workload the exist privileges it needs to align with the Principle of Least Privileges.

Specialized installations

Project to create	Command
`ibm-common-services`	You can skip this step if IBM Cloud Pak foundational services is already installed on the cluster. `ibm-common-services` is the default and recommended name. If you sourced the installation environment variables, the value from the `PROJECT_CPFS_OPS` variable is used. If you choose to use a different project for the IBM Cloud Pak foundational services operators, you must create `configmap`. For details, see Installing IBM Cloud Pak foundational services in a custom namespace. `oc new-project ${PROJECT_CPFS_OPS}`
`cpd-operators`	`cpd-operators` is the recommended name. If you sourced the installation environment variables, the value from the `PROJECT_CPD_OPS` variable is used. `oc new-project ${PROJECT_CPD_OPS}`
`cpd-instance`	Source the installation environment variables to ensure that the correct value for the `PROJECT_CPD_INSTANCE` variable is used. `oc new-project ${PROJECT_CPD_INSTANCE}` Remember: If you plan to install multiple instances of Cloud Pak for Data on the cluster, you must create a project for each instance.
`cpd-instance-tether`	You can skip this step if you don't plan to deploy any service instances or workloads in a tethered project. Source the installation environment variables to ensure that the correct value for the `PROJECT_TETHERED` variable is used. `oc new-project ${PROJECT_TETHERED}` Important: Many services support only one service instance in a given project. So if you want to create multiple instances of a service, you must deploy each instance of the service in a different project. You can achieve this by creating multiple tethered projects and creating one instance of the service in each tethered project. You can co-locate service instances and workloads for different services in the same tethered project, or you can create different tethered projects if one service requires or workload requires more privileges. You can use different tethered projects to give each service instance or workload the exist privileges it needs to align with the Principle of Least Privileges.

Red Hat OpenShift Container Platform Version 4.6 only. If you plan to install one of the following services, you must label the project where their operators are installed:
- IBM Match 360 with Watson
- Watson Knowledge Catalog
To label the project, run the following command:
```
oc label namespace ${PROJECT_CPD_OPS} kubernetes.io/metadata.name=${PROJECT_CPD_OPS}
```
If you created a tethered project, you must tether ${PROJECT_TETHERED} to the project where the Cloud Pak for Data control plane is installed (${PROJECT_CPD_INSTANCE}):
1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
```
cpd-cli manage login-to-ocp \
--username=${OCP_USERNAME} \
--password=${OCP_PASSWORD} \
--server=${OCP_URL}
```
  Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
2. Tether the ${PROJECT_TETHERED} to the project where the Cloud Pak for Data control plane is installed:
```
cpd-cli manage setup-tethered-ns \
--cpd_instance_ns=${PROJECT_CPD_INSTANCE} \
--tethered_instance_ns=${PROJECT_TETHERED}
```
  If you created multiple tethered projects, export the ${PROJECT_TETHERED} environment variable with the correct project name and repeat this step to tether each project to the ${PROJECT_CPD_INSTANCE} project.
  After you tether a project to the project where the Cloud Pak for Data control plane is installed, you can deploy service instances to the tethered project or run workloads in the tethered project. For information about which services support this, see Multitenancy support.

What to do next

Now that you've set up the required projects, you are ready to complete Creating custom security context constraints for services.