Project overview

A project is a key multi-tenancy concept in Google Distributed Cloud Hosted (GDCH). It is the tenancy unit that every service needs to integrate with, and it provides a logical grouping of service instances.

Projects enable segmentation of resources within an organization and provide a lifecycle and policy boundary for managing resources. Resources inside a project can never outlive the project itself or move between projects, ensuring that control is guaranteed for the life of the resource.

A project is considered a proper Kubernetes namespace that spans multiple Kubernetes clusters in an organization. Kubernetes treats each cluster as a separate entity, and each cluster has an independent project namespace. However, across all clusters in a GDCH organization, GDCH treats all namespaces of a given name as the same namespace. This is referred to as namespace sameness. The single namespace has a consistent owner across the set of clusters. Service providers create project-scoped services by creating control plane and data plane components in the namespace.

The namespace for the project, called the Project Admin Namespace, hosts the following:

  • Project-scoped service APIs, or Kubernetes custom resource definitions.
  • Project-level policy configurations, such as roles and role bindings.

You can configure a project to span only a subset of the Kubernetes clusters in an organization. Users can deploy containerized workloads on these clusters within the project namespace. The namespace sameness concept applies to the project namespace on these clusters. Namespace-scoped policies, such as role-based access control (RBAC) policies, apply to all those namespaces.
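Because namespace sameness means a namespace-scoped RBAC policy is expected to hold on every cluster the project spans, a binding that exists on only some clusters is worth flagging. The following is an added example, not GDCH code: it compares per-cluster RoleBinding exports (assumed to have the `items` shape of `kubectl get rolebindings -o json`) for one project namespace; the cluster, project, role and subject names are constructed.

```python
import json

def _export(namespace, bindings):
    """Build a constructed RoleBinding export as a JSON string."""
    items = [{"metadata": {"name": f"{role}-{subj}", "namespace": namespace},
              "roleRef": {"kind": "Role", "name": role},
              "subjects": [{"kind": kind, "name": subj}]}
             for role, kind, subj in bindings]
    return json.dumps({"items": items})

# Constructed sample data; every name below is hypothetical.
BASELINE = [("viewer", "User", "alice"), ("editor", "Group", "devs")]
EXPORTS = {
    "cluster-a": _export("payments", BASELINE),
    "cluster-b": _export("payments", BASELINE),
    "cluster-c": _export("payments", BASELINE + [("admin", "User", "temp-admin")]),
}

def binding_set(export_json, namespace):
    """Normalize the RoleBindings of one namespace to comparable tuples."""
    found = set()
    for rb in json.loads(export_json).get("items", []):
        if rb["metadata"]["namespace"] != namespace:
            continue
        ref = rb["roleRef"]
        # A binding may carry no subjects; treat that as an empty list.
        for subject in rb.get("subjects") or []:
            found.add((ref["kind"], ref["name"], subject["kind"], subject["name"]))
    return found

def sameness_drift(exports, namespace):
    """Map each binding missing from at least one cluster to the clusters lacking it."""
    per_cluster = {c: binding_set(j, namespace) for c, j in exports.items()}
    union = set().union(*per_cluster.values())
    drift = {}
    for binding in union:
        missing = sorted(c for c, s in per_cluster.items() if binding not in s)
        if missing:
            drift[binding] = missing
    return drift

if __name__ == "__main__":
    for binding, missing in sameness_drift(EXPORTS, "payments").items():
        print(f"DRIFT {binding} absent on {', '.join(missing)}")
```

An empty result means the project namespace carries the same bindings on every exported cluster; any entry points to a grant that exists on only part of the project's clusters.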

For more information on the resource hierarchy of GDCH and best practices for organizing your resource hierarchy, see the Resource hierarchy and access control guide.