Setting up projects (namespaces) on Red Hat OpenShift Container Platform

Before you install IBM Cloud Pak® for Data on Red Hat® OpenShift® Container Platform, an administrator must create and configure the OpenShift projects (Kubernetes namespaces) where you plan to deploy the Cloud Pak for Data software.

Installation phase
You are not here. Setting up a client workstation
You are not here. Collecting required information
You are here icon. Preparing your cluster
You are not here. Installing the Cloud Pak for Data platform and services
Who needs to complete this task?
A cluster administrator, or a user with permissions to create projects, must complete this task.
When do you need to complete this task?
You must complete this task before you install Cloud Pak for Data for the first time.

You might need to complete this task if you decide to install additional instances of Cloud Pak for Data on your cluster or decide to deploy a service in a tethered namespace.

Before you begin

Review the guidance in Supported project (namespace) configurations to understand the relationship between the projects (namespaces) and the security considerations that you need to take into account.

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Procedure

To create the necessary projects for your environment:

  1. Log in to your Red Hat OpenShift Container Platform as a cluster administrator:
    oc login ${OCP_URL}
  2. Create the appropriate projects for your environment.

    Express installations
    Project to create Command
    ibm-common-services

    You can skip this step if IBM Cloud Pak foundational services is already installed on the cluster.

    ibm-common-services is the default and recommended name. If you sourced the installation environment variables, the value from the PROJECT_CPFS_OPS variable is used.

    If you choose to use a different project for the IBM Cloud Pak foundational services operators, you must create configmap. For details, see Installing IBM Cloud Pak foundational services in a custom namespace.

    oc new-project ${PROJECT_CPFS_OPS}
    cpd-instance

    Source the installation environment variables to ensure that the correct value for the PROJECT_CPD_INSTANCE variable is used.

    oc new-project ${PROJECT_CPD_INSTANCE}
    Remember: If you plan to install multiple instances of Cloud Pak for Data on the cluster, you must create a project for each instance.
    cpd-instance-tether

    You can skip this step if you don't plan to deploy any service instances or workloads in a tethered project.

    Source the installation environment variables to ensure that the correct value for the PROJECT_TETHERED variable is used.

    oc new-project ${PROJECT_TETHERED}
    Important:

    Many services support only one service instance in a given project. So if you want to create multiple instances of a service, you must deploy each instance of the service in a different project. You can achieve this by creating multiple tethered projects and creating one instance of the service in each tethered project.

    You can co-locate service instances and workloads for different services in the same tethered project, or you can create different tethered projects if one service or workload requires more privileges. You can use different tethered projects to give each service instance or workload the privileges it needs to align with the Principle of Least Privileges.


    Specialized installations
    Project to create Command
    ibm-common-services

    You can skip this step if IBM Cloud Pak foundational services is already installed on the cluster.

    ibm-common-services is the default and recommended name. If you sourced the installation environment variables, the value from the PROJECT_CPFS_OPS variable is used.

    If you choose to use a different project for the IBM Cloud Pak foundational services operators, you must create configmap. For details, see Installing IBM Cloud Pak foundational services in a custom namespace.

    oc new-project ${PROJECT_CPFS_OPS}
    cpd-operators

    cpd-operators is the recommended name. If you sourced the installation environment variables, the value from the PROJECT_CPD_OPS variable is used.

    oc new-project ${PROJECT_CPD_OPS}
    cpd-instance

    Source the installation environment variables to ensure that the correct value for the PROJECT_CPD_INSTANCE variable is used.

    oc new-project ${PROJECT_CPD_INSTANCE}
    Remember: If you plan to install multiple instances of Cloud Pak for Data on the cluster, you must create a project for each instance.
    cpd-instance-tether

    You can skip this step if you don't plan to deploy any service instances or workloads in a tethered project.

    Source the installation environment variables to ensure that the correct value for the PROJECT_TETHERED variable is used.

    oc new-project ${PROJECT_TETHERED}
    Important:

    Many services support only one service instance in a given project. So if you want to create multiple instances of a service, you must deploy each instance of the service in a different project. You can achieve this by creating multiple tethered projects and creating one instance of the service in each tethered project.

    You can co-locate service instances and workloads for different services in the same tethered project, or you can create different tethered projects if one service or workload requires more privileges. You can use different tethered projects to give each service instance or workload the privileges it needs to align with the Principle of Least Privileges.


  3. If you created a tethered project, you must tether ${PROJECT_TETHERED} to the project where the Cloud Pak for Data control plane is installed (${PROJECT_CPD_INSTANCE}):
    1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
      cpd-cli manage login-to-ocp \
      --username=${OCP_USERNAME} \
      --password=${OCP_PASSWORD} \
      --server=${OCP_URL}
      Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
    2. Tether the ${PROJECT_TETHERED} to the project where the Cloud Pak for Data control plane is installed:
      cpd-cli manage setup-tethered-ns \
      --cpd_instance_ns=${PROJECT_CPD_INSTANCE} \
      --tethered_instance_ns=${PROJECT_TETHERED}

      If you created multiple tethered projects, export the ${PROJECT_TETHERED} environment variable with the correct project name and repeat this step to tether each project to the ${PROJECT_CPD_INSTANCE} project.

      After you tether a project to the project where the Cloud Pak for Data control plane is installed, you can deploy service instances to the tethered project or run workloads in the tethered project. For information about which services support this, see Multitenancy support.

What to do next

Now that you've set up the required projects, you are ready to complete Creating custom security context constraints for services.