Skip to content

Manually Create Projects

Introduction

The Administrator creates Run:ai Projects using via the Run:ai user interface. When enabling Researcher Authentication you also assign users to Projects.

Run:ai Projects are implemented as Kubernetes namespaces. When creating a new Run:ai Project, Run:ai does the following automatically:

  • Creates the namespace.
  • Labels the namespace as managed by Run:ai.
  • Provides access to the namespace for Run:ai services.
  • Associates users with the namespace.

This process may need to be altered if:

  • The organization has an internal naming convention for namespaces.
  • The organization does not allow Run:ai certain privileges which allow the above automation.

The purpose of this document is to explain how to handle these scenarios.

Using Existing Namespaces

By default, creating a Project named <PROJECT-NAME> Run:ai will create a Kubernetes namespace named runai-<PROJECT-NAME>. However, organizations with an existing Kubernetes practice may already have existing Kubernetes namespaces where they wish to run machine-learning workloads or their Kubernetes namespace naming convention does not allow the runai- prefix. As such, Run:ai allows the association of a Run:ai Project with any existing Kubernetes namespace:

  • When setting up a Run:ai cluster, Disable namespace creation by setting the flag createNamespaces to false.
  • Using the Run:ai User Interface, create a new Project <PROJECT-NAME>
  • Assuming an existing namespace <NAMESPACE>, associate it with the Run:ai project by running:
kubectl label ns <NAMESPACE>  runai/queue=<PROJECT_NAME>

Limiting Run:ai Access Roles

When installing Run:ai, you are providing Run:ai with various privileges within the Kubernetes cluster. For a detailed explanation of the Kubernetes roles provided to Run:ai, see the article Understand the Kubernetes Cluster Access provided to Run:ai.

Some organizations prefer to limit the assigning of these roles to Run:ai, per an organizational policy. The two roles related to Project creation and maintenance are:

  1. The ability of Run:ai to automatically create Kubernetes namespaces.

  2. The ability of Run:ai to assign access to Run:ai Services and set the allowed users.

1. Do not allow Run:ai to create namespaces

  • When setting up Run:ai cluster, Disable namespace creation by setting the flag createNamespaces to false.
  • Using the Run:ai User Interface, create a new Project <PROJECT-NAME>
  • Create a namespace <NAMESPACE> and associate with Run:ai by running:
kubectl create ns <NAMESPACE> 
kubectl label ns <NAMESPACE>  runai/queue=<PROJECT_NAME>

2. Do not allow Run:ai to assign roles

Important

This option is less recommended due to the resulting high maintenance overhead, as described below.

  • When setting up Run:ai cluster, Disable assigning of access to Run:ai services by setting the flag createRoleBindings to false.

When these settings are applied, the administrator must perform additional manual steps as follows:

Create Roles

Obtain the Project creation template file:

wget https://raw.githubusercontent.com/run-ai/docs/master/install/cluster/k8s-project-create.yaml.template
cp k8s-project-create.yaml.template <NAMESPACE>.yaml

cp installation-files/cluster/k8s-project-create.yaml.template <NAMESPACE>.yaml

Edit <NAMESPACE>.yaml. Replace <NAMESPACE> with the name of the namespace you selected above. Then run:

kubectl apply -f <NAMESPACE>.yaml

Associate Users with the Project

Users may have 2 roles:

  • Viewer - Able to see the Jobs when running runai list jobs.
  • Executor - Able to submit Jobs, view logs, etc.

User IDs

The following process requires a <user-id>. To map the User to its ID, you need to understand what verb oAuth maps to the user directory (e.g. sAMAccountName), then find the Specific User in the directory and look under that verb

Viewer Role

To add a User to a all projects as a Viewer run: 

kubectl edit clusterrolebinding runai-job-viewer-manual

Under subjects add the new User as follows:

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user-id>

Executor Role

To add a User to a Project as an Executor run: 

kubectl edit rolebinding runai-job-executor-manual -n runai-<PROJECT_NAME>

Under subjects add the new User as follows:

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user-id>

Additionally, run:

kubectl edit rolebinding runai-cli-index-map-editor -n runai

Under subjects add the new User as follows:

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user-id>

Project Update

You can update all Project properties via the Run:ai administration user interface, except for Project Users.

Last update: March 23, 2022