Scaling: Adding more projects

Contributors Download PDF of this page

In a multitenant configuration, adding new projects with storage resources requires additional configuration to make sure that multitenancy is not violated. For adding more projects in a multitenant cluster, complete the following steps:

  1. Log into the NetApp ONTAP cluster as a storage admin.

  2. Navigate to Storage → Storage VMs and click Add. Create a new SVM dedicated to project-3. Also create a vsadmin account to manage the SVM and its resources.

Create SVM for scaling
  1. Log into the Red Hat OpenShift cluster as cluster admin.

  2. Create a new project.

    oc create ns project-3
  3. Make sure that the user group for project-3 is created on IdP and synchronized with the OpenShift cluster.

    oc get groups
  4. Create the developer role for project-3.

    cat << EOF | oc create -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: project-3
      name: developer-project-3
    rules:
      - verbs:
          - '*'
        apiGroups:
          - apps
          - batch
          - autoscaling
          - extensions
          - networking.k8s.io
          - policy
          - apps.openshift.io
          - build.openshift.io
          - image.openshift.io
          - ingress.operator.openshift.io
          - route.openshift.io
          - snapshot.storage.k8s.io
          - template.openshift.io
        resources:
          - '*'
      - verbs:
          - '*'
        apiGroups:
          - ''
        resources:
          - bindings
          - configmaps
          - endpoints
          - events
          - persistentvolumeclaims
          - pods
          - pods/log
          - pods/attach
          - podtemplates
          - replicationcontrollers
          - services
          - limitranges
          - namespaces
          - componentstatuses
          - nodes
      - verbs:
          - '*'
        apiGroups:
          - trident.netapp.io
        resources:
          - tridentsnapshots
    EOF
Note The role definition provided in this section is just an example. The developer role must be defined based on the end-user requirements.
  1. Create RoleBinding for developers in project-3 binding the developer-project-3 role to the corresponding group (ocp-project-3) in project-3.

    cat << EOF | oc create -f -
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: project-3-developer
      namespace: project-3
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: ocp-project-3
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: developer-project-3
    EOF
  2. Login to the Red Hat OpenShift cluster as storage admin

  3. Create a Trident backend and map it to the SVM dedicated to project-3. NetApp recommends using the SVM’s vsadmin account to connect the backend to the SVM instead of using the ONTAP cluster administrator.

    cat << EOF | tridentctl -n trident create backend -f
    {
        "version": 1,
        "storageDriverName": "ontap-nas",
        "backendName": "nfs_project_3",
        "managementLIF": "172.21.224.210",
        "dataLIF": "10.61.181.228",
        "svm": "project-3-svm",
        "username": "vsadmin",
        "password": "NetApp!23"
    }
    EOF
Note We are using the ontap-nas driver for this example. Use the appropriate driver for creating the backend based on the use-case.
Note We assume that Trident is installed in the trident project.
  1. Create the storage class for project-3 and configure it to use the storage pools from backend dedicated to project-3.

    cat << EOF | oc create -f -
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: project-3-sc
    provisioner: csi.trident.netapp.io
    parameters:
      backendType: ontap-nas
      storagePools: "nfs_project_3:.*"
    EOF
  2. Create a ResourceQuota to restrict resources in project-3 requesting storage from storageclasses dedicated to other projects.

    cat << EOF | oc create -f -
    kind: ResourceQuota
    apiVersion: v1
    metadata:
      name: project-3-sc-rq
      namespace: project-3
    spec:
      hard:
        project-1-sc.storageclass.storage.k8s.io/persistentvolumeclaims: 0
        project-2-sc.storageclass.storage.k8s.io/persistentvolumeclaims: 0
    EOF
  3. Patch the ResourceQuotas in other projects to restrict resources in those projects from accessing storage from the storageclass dedicated to project-3.

    oc patch resourcequotas project-1-sc-rq -n project-1 --patch '{"spec":{"hard":{ "project-3-sc.storageclass.storage.k8s.io/persistentvolumeclaims": 0}}}'
    oc patch resourcequotas project-2-sc-rq -n project-2 --patch '{"spec":{"hard":{ "project-3-sc.storageclass.storage.k8s.io/persistentvolumeclaims": 0}}}'