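---
# OpenShift project-request Template (Jinja-templated source).
#
# Rendering happens in two stages:
#   1. Jinja evaluates the `{% if ... %}` blocks below, so the LimitRange and
#      the NetworkPolicy objects are only emitted when `_install_limit_range`
#      / `_install_network_policies` are truthy.
#   2. OpenShift template processing substitutes the `${...}` parameters
#      listed under `parameters:` at the bottom of this file.
#
# Every object under `objects:` is created for each project instantiated from
# this template, so the defaults here are the security baseline of new
# projects.
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: project-request
  namespace: openshift-config
objects:
{% if _install_limit_range|bool %}
  # Default resource limits for the new project.
  # NOTE(review): only memory has a min/max bound; CPU gets a default limit and
  # request but no `max`, so a workload can still set an arbitrarily high CPU
  # limit. Confirm this is intended.
  - apiVersion: v1
    kind: LimitRange
    metadata:
      name: ${PROJECT_NAME}-core-resource-limits
      namespace: ${PROJECT_NAME}
    spec:
      limits:
        - type: Container
          max:
            memory: 6Gi
          min:
            memory: 10Mi
          # Applied as the limit when a container declares none.
          default:
            cpu: 500m
            memory: 1.5Gi
          # Applied as the request when a container declares none.
          defaultRequest:
            cpu: 50m
            memory: 256Mi
        - type: Pod
          max:
            memory: 12Gi
          # NOTE(review): the Pod minimum (6Mi) is below the Container minimum
          # (10Mi), so the Container minimum is the effective floor.
          min:
            memory: 6Mi
{% endif %}
{% if _install_network_policies|bool %}
  # Selects every pod in the project (`podSelector: {}`) and admits ingress
  # from pods in ANY namespace (`namespaceSelector: {}`).
  # NOTE(review): NetworkPolicies are additive, so with this policy installed
  # there is no pod-to-pod isolation between projects and the
  # `allow-from-ingress-namespace` policy below grants nothing extra. If
  # per-project isolation is wanted, the usual baseline is a same-namespace
  # rule (`from: [{podSelector: {}}]`) instead. Confirm the open default is
  # deliberate.
  - kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: allow-from-all-namespaces
    spec:
      podSelector: {}
      ingress:
        - from:
            - namespaceSelector: {}
  # Admits ingress to every pod in the project from namespaces labelled
  # `netpol: ingress`.
  # NOTE(review): access is granted purely by namespace label, so the ability
  # to set `netpol=ingress` on a namespace should stay restricted to cluster
  # administrators.
  - apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-ingress-namespace
    spec:
      # Written as an explicit empty selector (all pods); the source had a bare
      # `podSelector:` (null), which is ambiguous to readers and linters.
      podSelector: {}
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  netpol: ingress
{% endif %}
  # The project itself; description, display name and requester are recorded
  # as annotations from the request parameters.
  - apiVersion: project.openshift.io/v1
    kind: Project
    metadata:
      annotations:
        openshift.io/description: ${PROJECT_DESCRIPTION}
        openshift.io/display-name: ${PROJECT_DISPLAYNAME}
        openshift.io/requester: ${PROJECT_REQUESTING_USER}
      name: ${PROJECT_NAME}
    spec: {}
    status: {}
  # Lets every service account of the project pull images from the project.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      annotations:
        openshift.io/description: >-
          Allows all pods in this namespace to pull images from
          this namespace. It is auto-managed by a controller; remove subjects to disable.
      name: system:image-pullers
      namespace: ${PROJECT_NAME}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:image-puller
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: system:serviceaccounts:${PROJECT_NAME}
  # Lets the project's `builder` service account push images to the project.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      annotations:
        openshift.io/description: >-
          Allows builds in this namespace to push images to
          this namespace. It is auto-managed by a controller; remove subjects to disable.
      name: system:image-builders
      namespace: ${PROJECT_NAME}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:image-builder
    subjects:
      - kind: ServiceAccount
        name: builder
        namespace: ${PROJECT_NAME}
  # Lets the project's `deployer` service account roll out pods in the project.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      annotations:
        openshift.io/description: >-
          Allows deploymentconfigs in this namespace to rollout
          pods in this namespace. It is auto-managed by a controller; remove subjects
          to disable.
      name: system:deployers
      namespace: ${PROJECT_NAME}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:deployer
    subjects:
      - kind: ServiceAccount
        name: deployer
        namespace: ${PROJECT_NAME}
  # Grants the `admin` ClusterRole, scoped to the new project, to the user
  # passed as PROJECT_ADMIN_USER.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: admin
      namespace: ${PROJECT_NAME}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: admin
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: ${PROJECT_ADMIN_USER}
# Parameters substituted into the `${...}` placeholders above. None declares a
# default value or `required`; presumably all are supplied by the project
# request (verify against the caller).
parameters:
  - name: PROJECT_NAME
  - name: PROJECT_DISPLAYNAME
  - name: PROJECT_DESCRIPTION
  - name: PROJECT_ADMIN_USER
  - name: PROJECT_REQUESTING_USER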