Manually Create Projects
Introduction
The Administrator creates Run:ai Projects via the Run:ai user interface. When enabling Researcher Authentication you also assign users to Projects.
Run:ai Projects are implemented as Kubernetes namespaces. When creating a new Run:ai Project, Run:ai does the following automatically:
- Creates the namespace.
- Labels the namespace as managed by Run:ai.
- Provides access to the namespace for Run:ai services.
- Associates users with the namespace.
This process may need to be altered if:
- The organization has an internal naming convention for namespaces.
- The organization does not grant Run:ai certain privileges that the above automation requires.
The purpose of this document is to explain how to handle these scenarios.
Using Existing Namespaces
By default, when you create a Project named <PROJECT-NAME>, Run:ai creates a Kubernetes namespace named runai-<PROJECT-NAME>. However, organizations with an existing Kubernetes practice may already have Kubernetes namespaces where they wish to run machine-learning workloads, or their Kubernetes namespace naming convention may not allow the runai- prefix. As such, Run:ai allows the association of a Run:ai Project with any existing Kubernetes namespace:
- When setting up a Run:ai cluster, disable namespace creation by setting the flag createNamespaces to false.
- Using the Run:ai User Interface, create a new Project <PROJECT-NAME>.
- Assuming an existing namespace <NAMESPACE>, associate it with the Run:ai project by running:
Limiting Run:ai Access Roles
When installing Run:ai, you are providing Run:ai with various privileges within the Kubernetes cluster. For a detailed explanation of the Kubernetes roles provided to Run:ai, see the article Understand the Kubernetes Cluster Access provided to Run:ai.
Some organizations prefer to limit the assigning of these roles to Run:ai, per an organizational policy. The two roles related to Project creation and maintenance are:
- The ability of Run:ai to automatically create Kubernetes namespaces.
- The ability of Run:ai to assign access to Run:ai Services and set the allowed users.
1. Do not allow Run:ai to create namespaces
- When setting up a Run:ai cluster, disable namespace creation by setting the flag createNamespaces to false.
- Using the Run:ai User Interface, create a new Project <PROJECT-NAME>.
- Create a namespace <NAMESPACE> and associate it with Run:ai by running:
2. Do not allow Run:ai to assign roles
Important
This option is less recommended due to the resulting high maintenance overhead, as described below.
- When setting up a Run:ai cluster, disable assigning of access to Run:ai services by setting the flag createRoleBindings to false.
When these settings are applied, the administrator must perform additional manual steps as follows:
Create Roles
Obtain the Project creation template file:
Edit <NAMESPACE>.yaml. Replace <NAMESPACE> with the name of the namespace you selected above. Then run:
Associate Users with the Project
Users may have 2 roles:
- Viewer - Able to see the Jobs when running runai list jobs.
- Executor - Able to submit Jobs, view logs, etc.
User IDs
The following process requires a <user-id>. To map the User to its ID, you need to know which user-directory attribute OAuth maps to the user ID (e.g. sAMAccountName), then find the specific User in the directory and look up the value of that attribute.
Viewer Role
To add a User to all Projects as a Viewer, run:
Under subjects, add the new User as follows:
Executor Role
To add a User to a Project as an Executor, run:
Under subjects, add the new User as follows:
Additionally, run:
Under subjects, add the new User as follows:
Project Update
You can update all Project properties via the Run:ai administration user interface, except for Project Users.
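Because Project Users are maintained in this mode by hand-editing RoleBinding subjects, it is worth checking periodically that the bound users still match the intended membership. The following is an added example, not part of the Run:ai documentation or product: it compares the User subjects in JSON of the shape produced by kubectl get rolebindings -A -o json against an intended list. The namespace, binding, role and user names in the constructed sample are hypothetical placeholders.

```python
import json

# Constructed sample in the shape of `kubectl get rolebindings -A -o json`.
# Namespace, binding, role and user names are hypothetical placeholders.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "example-executor", "namespace": "team-a"},
   "roleRef": {"kind": "Role", "name": "example-executor-role"},
   "subjects": [
     {"kind": "User", "name": "alice"},
     {"kind": "User", "name": "dave"},
     {"kind": "ServiceAccount", "name": "svc", "namespace": "team-a"}]},
  {"metadata": {"name": "example-viewer", "namespace": "team-a"},
   "roleRef": {"kind": "Role", "name": "example-viewer-role"}},
  {"metadata": {"name": "example-executor", "namespace": "team-b"},
   "roleRef": {"kind": "Role", "name": "example-executor-role"},
   "subjects": [{"kind": "User", "name": "bob"}]}
]}
""")

# Intended membership: (namespace, binding name) -> user IDs that should be bound.
INTENDED = {
    ("team-a", "example-executor"): {"alice"},
    ("team-a", "example-viewer"): {"carol"},
    ("team-b", "example-executor"): {"bob"},
}

def audit_user_subjects(rolebindings, intended):
    """Return {(namespace, binding): {"unexpected": [...], "missing": [...]}} for drifted bindings."""
    actual = {}
    for item in rolebindings.get("items", []):
        key = (item["metadata"]["namespace"], item["metadata"]["name"])
        # `subjects` is optional in the API; a binding with no subjects omits the key.
        subjects = item.get("subjects") or []
        actual[key] = {s["name"] for s in subjects if s.get("kind") == "User"}
    findings = {}
    for key in sorted(set(actual) | set(intended)):
        have, want = actual.get(key, set()), intended.get(key)
        if want is None:
            continue  # binding is not tracked in the intended list; skipped here
        drift = {"unexpected": sorted(have - want), "missing": sorted(want - have)}
        if drift["unexpected"] or drift["missing"]:
            findings[key] = drift
    return findings

if __name__ == "__main__":
    for (ns, name), drift in audit_user_subjects(SAMPLE, INTENDED).items():
        print(f"{ns}/{name}: unexpected={drift['unexpected']} missing={drift['missing']}")
```

Only subjects of kind User are compared; ServiceAccount and Group subjects are ignored, and bindings absent from the intended list are not reported.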