What is the difference between objects project and namespace in OpenShift 4.x?

Baptiste Mille-Mathias asked:

In OpenShift 4.x, you have an API for project which seems to be totally similar to namespace, in the sense that when you create a project there is a namespace created, and the other way around.
I know namespace is a standard object in Kubernetes and project is specific to OpenShift.
So what does project bring?

# list projects
oc get projects                                                      
NAME                                                    DISPLAY NAME   STATUS
default                                                                Active
kube-node-lease                                                        Active
kube-public                                                            Active
kube-system                                                            Active
local-storage                                                          Active
openshift                                                              Active
openshift-apiserver                                                    Active

# list namespaces
$ oc get ns
NAME                                                    STATUS   AGE
default                                                 Active   17d
kube-node-lease                                         Active   17d
kube-public                                             Active   17d
kube-system                                             Active   17d
local-storage                                           Active   16d
openshift                                               Active   17d
openshift-apiserver                                     Active   17d
openshift-apiserver-operator                            Active   17d

The list is the same, except for different columns.

oc get project foo
Error from server (NotFound): namespaces "foo" not found
oc get ns foo
Error from server (NotFound): namespaces "foo" not found

15:30 $ oc new-project foo                          
Now using project "foo" on server "https://api.goo.tadadidou.bo:6443".
$ oc get project foo
foo                   Active
$ oc get ns foo
foo    Active   70s

Even the YAML output is similar, except the value of the field Kind: which is either Project or Namespace.

My answer:

A project is essentially the same as a namespace, but OpenShift provides additional administrative controls for projects.

If you’re deploying software on OpenShift you’ll basically use the project exactly the same way as a Kubernetes namespace, except a normal user can be prevented from creating their own projects, requiring a cluster administrator to do that. (It appears that your cluster allows you to create your own projects, or you’re using a personal cluster such as CodeReady Containers or its predecessor Minishift.)

From the docs:

Projects are the unit of isolation and collaboration in OpenShift. A project has one or more members, a quota on the resources that the
project may consume, and the security controls on the resources in the
project. Within a project, members may have different roles – project
administrators can set membership, editors can create and manage the
resources, and viewers can see but not access running containers. In a
normal cluster project administrators are not able to alter their
quotas – that is restricted to cluster administrators.

Listing or watching projects will return only projects the user has
the reader role on.

An OpenShift project is an alternative representation of a Kubernetes
namespace. Projects are exposed as editable to end users while
namespaces are not. Direct creation of a project is typically
restricted to administrators, while end users should use the
requestproject resource.

View the full question and any other answers on Server Fault.
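
Added example (not part of the original question or answer, and not OpenShift's own code): a small audit of the RBAC binding that decides whether normal users can create their own projects, as the answer describes. It assumes the OpenShift 4 default names `self-provisioners` (ClusterRoleBinding), `self-provisioner` (ClusterRole), the group `system:authenticated:oauth` and the `rbac.authorization.kubernetes.io/autoupdate` annotation, none of which appear on this page; the JSON is a constructed sample.

```python
import json

# Constructed sample of `oc get clusterrolebinding self-provisioners -o json`
# (trimmed; not output from the cluster shown on this page).
SAMPLE_BINDING = json.loads("""
{
  "kind": "ClusterRoleBinding",
  "metadata": {
    "name": "self-provisioners",
    "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}
  },
  "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
  "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]
}
""")

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"


def audit_self_provisioning(binding):
    """Report who may create projects through this binding, plus caveats."""
    # A restricted binding carries "subjects": null or omits the key entirely.
    subjects = binding.get("subjects") or []
    names = [f'{s.get("kind")}/{s.get("name")}' for s in subjects]
    findings = []
    if binding.get("roleRef", {}).get("name") != "self-provisioner":
        findings.append("binding does not reference the self-provisioner role")
    if "Group/system:authenticated:oauth" in names:
        findings.append("every OAuth-authenticated user can create projects")
    annotations = binding.get("metadata", {}).get("annotations") or {}
    if not names and annotations.get(AUTOUPDATE) != "false":
        findings.append("subjects removed but autoupdate may restore them")
    return {"subjects": names, "self_service": bool(names), "findings": findings}


def restricted(binding):
    """Return a copy with subjects cleared and autoupdate disabled."""
    fixed = json.loads(json.dumps(binding))  # deep copy of plain JSON data
    fixed["subjects"] = None
    meta = fixed.setdefault("metadata", {})
    meta["annotations"] = {**(meta.get("annotations") or {}), AUTOUPDATE: "false"}
    return fixed


if __name__ == "__main__":
    print(audit_self_provisioning(SAMPLE_BINDING))
    print(audit_self_provisioning(restricted(SAMPLE_BINDING)))
```

With self-provisioning removed, users still work inside projects exactly as they would inside namespaces; only project creation moves to a cluster administrator.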

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.