@mjudeikis
Created July 19, 2019 21:03
---
title: Managing Resources | Microsoft Docs
description: Managing projects, templates, image-streams.
services: openshift
keywords: red hat openshift projects requests self-provisioner
author: mjudeikis
ms.author: b-majude
ms.date: 07/19/2019
ms.topic: conceptual
ms.service: container-service
manager: jeconnoc
#Customer intent: As a developer, I need to understand how to manage Openshift projects and development resources
---
# Overview
In OpenShift Container Platform, projects are used to group and isolate related objects. As an administrator, you can give developers access to certain projects, allow them to create their own, and give them administrative rights within individual projects.
# Self-provisioning Projects
You can allow developers to create their own projects. There is an endpoint that will provision a project according to a template. The web console and `oc new-project` command use this endpoint when a developer creates a new project.
When a project request is submitted, the API substitutes the following parameters into the template:
| Parameter | Description |
| ----------------------- | ---------------------------------------------- |
| PROJECT_NAME | The name of the project. Required. |
| PROJECT_DISPLAYNAME | The display name of the project. May be empty. |
| PROJECT_DESCRIPTION | The description of the project. May be empty. |
| PROJECT_ADMIN_USER | The username of the administrating user. |
| PROJECT_REQUESTING_USER | The username of the requesting user. |
Access to the API is granted to developers with the self-provisioners cluster role binding. This feature is available to all authenticated developers by default.
## Modifying the Template for New Projects
1. Log in as a user with `customer-admin` privileges.
2. Edit the default `project-request` template:
```
oc edit template project-request -n openshift
```
Remove the default project template from the ARO update process by adding the annotation `openshift.io/reconcile-protect: "true"`:
```
...
metadata:
  annotations:
    openshift.io/reconcile-protect: "true"
...
```
The `project-request` template will then no longer be updated by the ARO update process. This enables customers to customize the template.
## Disabling Self-provisioning
You can prevent an authenticated user group from self-provisioning new projects.
1. Log in as a user with `customer-admin` privileges.
2. Edit the `self-provisioners` cluster role binding:
```
oc edit clusterrolebinding self-provisioners
```
Remove the cluster role binding from the ARO update process by adding the annotation `openshift.io/reconcile-protect: "true"`:
```
...
metadata:
  annotations:
    openshift.io/reconcile-protect: "true"
...
```
3. Change the cluster role binding to prevent `system:authenticated:oauth` from creating projects:
```
apiVersion: authorization.openshift.io/v1
groupNames:
- osa-customer-admins
kind: ClusterRoleBinding
metadata:
  annotations:
    openshift.io/reconcile-protect: "true"
  labels:
    azure.openshift.io/owned-by-sync-pod: "true"
  name: self-provisioners
roleRef:
  name: self-provisioner
subjects:
- kind: SystemGroup
  name: osa-customer-admins
```
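To confirm the edit took effect and will survive the ARO update process, the binding can be exported with `oc get clusterrolebinding self-provisioners -o json` and checked offline. The following is an added example, not part of the original document or of ARO itself; the function name `audit_self_provisioners` and both sample objects are constructed for illustration.

```python
import json

PROTECT = "openshift.io/reconcile-protect"   # annotation named on this page
OPEN_GROUP = "system:authenticated:oauth"    # group the page removes in step 3


def audit_self_provisioners(binding):
    """Return a list of findings for a self-provisioners ClusterRoleBinding dict."""
    findings = []
    meta = binding.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    # Annotation values are strings; anything other than "true" leaves the
    # object under the ARO update process, which can revert the edit.
    if annotations.get(PROTECT) != "true":
        findings.append("missing reconcile-protect annotation")
    # The authorization.openshift.io/v1 object on this page lists groups
    # twice, in groupNames and in subjects. Check both.
    names = set(binding.get("groupNames") or [])
    names.update(s.get("name") for s in binding.get("subjects") or [])
    if OPEN_GROUP in names:
        findings.append(f"{OPEN_GROUP} can still self-provision projects")
    if (binding.get("roleRef") or {}).get("name") != "self-provisioner":
        findings.append("roleRef does not point at self-provisioner")
    return findings


# Constructed samples: an unedited-style binding and the edited one from step 3.
DEFAULT = json.loads("""{
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "self-provisioners"},
  "groupNames": ["system:authenticated:oauth"],
  "roleRef": {"name": "self-provisioner"},
  "subjects": [{"kind": "SystemGroup", "name": "system:authenticated:oauth"}]
}""")
HARDENED = json.loads("""{
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "self-provisioners",
               "annotations": {"openshift.io/reconcile-protect": "true"}},
  "groupNames": ["osa-customer-admins"],
  "roleRef": {"name": "self-provisioner"},
  "subjects": [{"kind": "SystemGroup", "name": "osa-customer-admins"}]
}""")

if __name__ == "__main__":
    for label, obj in (("default", DEFAULT), ("hardened", HARDENED)):
        print(label, audit_self_provisioners(obj) or "OK")
```

An empty result means the binding matches step 3 and carries the annotation; a binding edited in only one of `groupNames` or `subjects` is still reported.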
## Managing Default Templates and ImageStreams
In Azure Red Hat OpenShift, you can disable updates for any default templates and image streams inside the `openshift` namespace.
To disable updates for ALL `Templates` and `ImageStreams` in the `openshift` namespace:
1. Log in as a user with `customer-admin` privileges.
2. Edit the `openshift` namespace:
```
oc edit namespace openshift
```
Remove the `openshift` namespace from the ARO update process by adding the annotation `openshift.io/reconcile-protect: "true"`:
```
...
metadata:
  annotations:
    openshift.io/reconcile-protect: "true"
...
```
Any individual object in the `openshift` namespace can be removed from the update process by adding the annotation `openshift.io/reconcile-protect: "true"`.