Setting up projects (namespaces) on Red Hat OpenShift Container Platform

Before you install IBM® Cloud Pak for Data on Red Hat® OpenShift® Container Platform, a cluster administrator should create and configure the OpenShift projects (Kubernetes namespaces) where you plan to deploy the Cloud Pak for Data software.

Permissions you need for this task: You must be a cluster administrator.
When you need to complete this task: You must complete this task the first time you install Cloud Pak for Data.
You might need to complete this task if you decide to install additional instances of Cloud Pak for Data on your cluster or decide to deploy a service in a tethered namespace.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Best practice: Setting up install variables.

Ensure that you run the environment variable script before you run the commands in this task.

About this task

For information on supported project configurations, see Operator installation architecture.

Use the following table to determine which projects (namespaces) you need to create.

Project	Description
Recommended project name `ibm-common-services` Related environment variable `PROJECT_CPFS_OPS`	Required for all installations. The project where IBM Cloud Pak® foundational services is installed. If IBM Cloud Pak foundational services is already installed on your cluster, identify the project where it is installed. If IBM Cloud Pak foundational services is not installed on your cluster, `ibm-common-services` is the recommended project name. If you want to install IBM Cloud Pak foundational services in a different project, you must create `configmap`. For details, see Installing IBM Cloud Pak foundational services in a custom namespace. (Using a different project is not recommended for typical installations.) Additional software that might be installed in this project Depending on the software that you plan to install and the installation method that you use, the following software might also be installed in the `ibm-common-services` project: The IBM Cloud Pak for Data scheduling service If you need to install the scheduling service, it is recommended that you install it in the same project as IBM Cloud Pak foundational services. The IBM Cloud Pak for Data platform operator If you decide to use the express installation method, the IBM Cloud Pak for Data platform operator will be installed in this project. IBM Cloud Pak for Data service operators If you decide to use the express installation method, the service operators will be installed in this project.
Recommended project name `cpd-operators` Related environment variable `PROJECT_CPD_OPS`	Required for specialized installations. `cpd-operators` is the recommended name. In a specialized installation, the IBM Cloud Pak foundational services operators are installed in the `ibm-common-services` project and the Cloud Pak for Data operators are installed in a separate project (typically `cpd-operators`). Each project has a dedicated: Operator group, which specifies the `OwnNamespace` installation mode. `NamespaceScope Operator`, which allows the operators in the project to manage operators and service workloads in specific projects. In this way, you can specify different settings for the IBM Cloud Pak foundational services and for the Cloud Pak for Data operators.
Sample project name `cpd-instance` Related environment variable `PROJECT_CPD_INSTANCE`	At least one project is required for all installations. The project where the Cloud Pak for Data control plane is installed. (The Cloud Pak for Data control plane is installed in a separate project from the operators.) If you plan to install multiple install multiple instances of Cloud Pak for Data, you must create one project for each instance. `cpd-instance` is an example. You can use any project name. Most services are installed in the same project as the Cloud Pak for Data control plane. Review the documentation for the services that you plan to deploy to determine whether you must create any additional projects. For details, see Services.
Sample project name `cpd-instance-tether` Related environment variable `PROJECT_TETHERED`	Required or supported for some services. A few services can be installed in tethered projects. A tethered project is managed by the Cloud Pak for Data control plane but is otherwise isolated from Cloud Pak for Data and the other services that are installed in that project. `cpd-instance-tether` is an example. You can use any project name. For information on which services can be installed in tethered projects, see Multitenancy support. If you want to install a service in a tethered project, you must create the tethered project before you install the service.

After you decide which projects you need to create, review the following information to ensure that you understand the security considerations that you need to take into account:

Project	Security considerations
Recommended project name `ibm-common-services` Related environment variable `PROJECT_CPFS_OPS`	Operator group The `ibm-common-services` project uses the `OwnNamespace` installation mode. See the Procedure after this table for information on creating the operator group. Namespace scope The `ibm-common-services` project needs to be able to watch the project or projects where Cloud Pak for Data is deployed. IBM Cloud Pak foundational services includes the `IBM NamespaceScope Operator`, which allows the operators in the `ibm-common-services` project to manage operators and service workloads in specific projects. When you install Cloud Pak for Data or create a tethered namespace, you submit an operand request to grant permission to the operators in the `ibm-common-services` project to watch over the project (for example `cpd-instance` or `cpd-instance-tether`). By default, the `IBM NamespaceScope Operator` has cluster permissions so that role binding projections can be completed automatically. However, you can optionally remove the cluster permissions from the `IBM NamespaceScope Operator` and manually authorize the projections. For details, see Authorizing foundational services to perform operations on workloads in a namespace. SCCs Follow the guidance in Security context constraints (SCCs) in the IBM Cloud Pak foundational services documentation. Express installations only The Cloud Pak for Data control plane and most Cloud Pak for Data services use the `restricted` SCC. However, a few services require custom SCCs. For details, see Custom security context constraints for services.
Recommended project name `cpd-operators` Related environment variable `PROJECT_CPD_OPS`	Operator group The `cpd-operators` project uses the `OwnNamespace` installation mode. See the Procedure after this table for information on creating the operator group. Namespace scope The `cpd-operators` project needs to be able to watch the project or projects where Cloud Pak for Data is deployed. When you prepare your cluster, you create an operator subscription for the `IBM NamespaceScope Operator` in the `cpd-operators` project. The `IBM NamespaceScope Operator` allows the operators in the `cpd-operators` project to manage operators and service workloads in specific projects. When you install Cloud Pak for Data or create a tethered namespace, you submit an operand request to grant permission to the operators in the `cpd-operators` project to watch over the project (for example `cpd-instance` or `cpd-instance-tether`). By default, the `IBM NamespaceScope Operator` has cluster permissions so that role binding projections can be completed automatically. However, you can optionally remove the cluster permissions from the `IBM NamespaceScope Operator` and manually authorize the projections. For details, see Authorizing foundational services to perform operations on workloads in a namespace. SCCs The Cloud Pak for Data control plane and most Cloud Pak for Data services use the `restricted` SCC. However, a few services require custom SCCs. For details, see Custom security context constraints for services.
Sample project name `cpd-instance` Related environment variable `PROJECT_CPD_INSTANCE`	Operator group Not applicable. Namespace scope Not applicable. SCCs The Cloud Pak for Data control plane and most Cloud Pak for Data services use the `restricted` SCC. However, a few services require custom SCCs. For details, see Custom security context constraints for services.
Sample project name `cpd-instance-tether` Related environment variable `PROJECT_TETHERED`	Operator group Not applicable. Namespace scope Not applicable. SCCs The Cloud Pak for Data control plane and most Cloud Pak for Data services use the `restricted` SCC. However, a few services require custom SCCs. For details, see Custom security context constraints for services.

Procedure

To create the necessary projects for your environment:

Create the appropriate projects for your environment.

Important: Review the guidance in About this task to ensure that you create the appropriate projects for your environment.

Project name	Command to create
`ibm-common-services`	`oc new-project ${PROJECT_CPFS_OPS}`
`cpd-operators`	`oc new-project ${PROJECT_CPD_OPS}`
`cpd-instance`	`oc new-project ${PROJECT_CPD_INSTANCE}` `cpd-instance` is a sample name. If you don't want to use this name, replace `cpd-instance` with the appropriate name for your environment. You must also replace this name in subsequent commands.
`cpd-instance-tether`	`oc new-project ${PROJECT_TETHERED}` `cpd-instance-tether` is a sample name. If you don't want to use this name, replace `cpd-instance-tether` with the appropriate name for your environment. You must also replace this name in subsequent commands.

Create the appropriate operator groups based on the type of installation method you are using:
Express installation
1. If IBM Cloud Pak foundational services is not installed, create the operator group for the IBM Cloud Pak foundational services project.
```
cat <<EOF |oc apply -f -
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: ${PROJECT_CPFS_OPS}
spec:
  targetNamespaces:
  - ${PROJECT_CPFS_OPS}
EOF
```
What's next Now that you've set up the projects on your cluster, ensure that you have your API key. For details, see Obtaining your IBM entitlement API key.
Specialized installation
1. If IBM Cloud Pak foundational services is not installed, create the operator group for the IBM Cloud Pak foundational services project.
```
cat <<EOF |oc apply -f -
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: ${PROJECT_CPFS_OPS}
spec:
  targetNamespaces:
  - ${PROJECT_CPFS_OPS}
EOF
```
2. Create the operator group for the IBM Cloud Pak for Data platform operator project. The following example uses the recommended project name (cpd-operators):
```
cat <<EOF |oc apply -f -
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: ${PROJECT_CPD_OPS}
spec:
  targetNamespaces:
  - ${PROJECT_CPD_OPS}
EOF
```
What's next Now that you've set up the projects on your cluster, ensure that you have your API key. For details, see Obtaining your IBM entitlement API key.