Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 9. Configure workspaces globally

Configure workspace limits, self-signed Git certificates, node scheduling, allowed URLs, and container run capabilities for all users.

By default, users can keep an unlimited number of workspaces in the dashboard. Limit this number to reduce demand on the cluster.

Prerequisites

Procedure

  1. Get the name of the OpenShift Dev Spaces namespace. The default is openshift-devspaces. 

    $ oc get checluster --all-namespaces \
  -o=jsonpath="{.items[*].metadata.namespace}"

  2. Configure the maxNumberOfWorkspacesPerUser in the CheCluster Custom Resource: 

    spec:
  devEnvironments:
    maxNumberOfWorkspacesPerUser: <kept_workspaces_limit>

    where:

    <kept_workspaces_limit>
    The maximum number of workspaces per user. The default value, -1, allows users to keep an unlimited number of workspaces. Use a positive integer to set the maximum number of workspaces per user.

  3. Apply the change: 

    $ oc patch checluster/devspaces -n openshift-devspaces \
--type='merge' -p \
'{"spec":{"devEnvironments":{"maxNumberOfWorkspacesPerUser": <kept_workspaces_limit>}}}'

    where:

    -n
    The OpenShift Dev Spaces namespace that you got in step 1.

Verification

  • Verify the maxNumberOfWorkspacesPerUser value in the CheCluster Custom Resource: 

    $ oc get checluster devspaces -n openshift-devspaces -o jsonpath='{.spec.devEnvironments.maxNumberOfWorkspacesPerUser}'

By default, all users can run an unlimited number of workspaces. Limit the number of concurrently running workspaces across the cluster to manage resource consumption.

Prerequisites

Procedure

  1. Configure the maxNumberOfRunningWorkspacesPerCluster in the CheCluster Custom Resource: 

    spec:
  devEnvironments:
    maxNumberOfRunningWorkspacesPerCluster: <running_workspaces_limit>

    where:

    <running_workspaces_limit>
    The maximum number of concurrently running workspaces across the entire Kubernetes cluster. This applies to all users in the system. The -1 value means there is no limit on the number of running workspaces.

  2. Apply the change: 

    $ oc patch checluster/devspaces -n openshift-devspaces \
--type='merge' -p \
'{"spec":{"devEnvironments":{"maxNumberOfRunningWorkspacesPerCluster": <running_workspaces_limit>}}}'

Verification

  • Verify the maxNumberOfRunningWorkspacesPerCluster value in the CheCluster Custom Resource: 

    $ oc get checluster devspaces -n openshift-devspaces -o jsonpath='{.spec.devEnvironments.maxNumberOfRunningWorkspacesPerCluster}'

By default, a user can run only one workspace at a time. Enable users to run multiple workspaces simultaneously so that they can work on several projects without stopping active sessions.

Note

If using the default storage method, users might experience problems when concurrently running workspaces if pods are distributed across nodes in a multi-node cluster. Switching from the per-user common storage strategy to the per-workspace storage strategy or using the ephemeral storage type can avoid or solve those problems.

Prerequisites

Procedure

  1. Get the name of the OpenShift Dev Spaces namespace. The default is openshift-devspaces. 

    $ oc get checluster --all-namespaces \
  -o=jsonpath="{.items[*].metadata.namespace}"

  2. Configure the maxNumberOfRunningWorkspacesPerUser in the CheCluster Custom Resource: 

    spec:
  devEnvironments:
    maxNumberOfRunningWorkspacesPerUser: <running_workspaces_limit>

    where:

    <running_workspaces_limit>
    The maximum number of simultaneously running workspaces per user. The -1 value enables users to run an unlimited number of workspaces. The default value is 1.

  3. Apply the change: 

    $ oc patch checluster/devspaces -n openshift-devspaces \
--type='merge' -p \
'{"spec":{"devEnvironments":{"maxNumberOfRunningWorkspacesPerUser": <running_workspaces_limit>}}}'

    where:

    -n
    The OpenShift Dev Spaces namespace that you got in step 1.

Verification

  • Verify the maxNumberOfRunningWorkspacesPerUser value in the CheCluster Custom Resource: 

    oc get checluster devspaces -n openshift-devspaces -o jsonpath='{.spec.devEnvironments.maxNumberOfRunningWorkspacesPerUser}'

9.4. Configure Git with self-signed certificates
Copy link

Configure OpenShift Dev Spaces to support operations on Git providers that use self-signed certificates so that workspaces can clone and push to repositories secured by internal certificate authorities.

Prerequisites

Procedure

  1. Create a new ConfigMap with details about the Git server: 

    $ oc create configmap che-git-self-signed-cert \
  --from-file=ca.crt=<path_to_certificate> \
  --from-literal=githost=<git_server_url> -n openshift-devspaces

    where:

    --from-file
    Path to the self-signed certificate.
    --from-literal

    Optional parameter to specify the Git server URL for example https://git.example.com:8443. When omitted, the self-signed certificate is used for all repositories over HTTPS.

    Note
    • Certificate files are typically stored as Base64 ASCII files, such as. .pem, .crt, .ca-bundle. All ConfigMaps that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.
    • A certificate chain of trust is required. If the ca.crt is signed by a certificate authority (CA), the CA certificate must be included in the ca.crt file.

  2. Add the required labels to the ConfigMap: 

    $ oc label configmap che-git-self-signed-cert \
  app.kubernetes.io/part-of=che.eclipse.org -n openshift-devspaces

  3. Configure OpenShift Dev Spaces operand to use self-signed certificates for Git repositories. See Section 5.3, “Use the CLI to configure the CheCluster Custom Resource”. 

    spec:
  devEnvironments:
    trustedCerts:
      gitTrustedCertsConfigMapName: che-git-self-signed-cert

Verification

  • Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The container’s /etc/gitconfig file contains information about the Git server host (its URL) and the path to the certificate in the http section (see Git documentation about git-config).

    For example: 

    [http "https://10.33.177.118:3000"]
sslCAInfo = /etc/config/che-git-tls-creds/certificate

9.5. Configure workspaces nodeSelector
Copy link

Configure nodeSelector and tolerations for OpenShift Dev Spaces workspace Pods to control which nodes run workspaces for compliance, hardware affinity, or zone isolation.

Prerequisites

Procedure

  1. Set nodeSelector in the CheCluster Custom Resource to schedule workspace Pods on specific nodes: 

    spec:
  devEnvironments:
    nodeSelector:
      <key>: <value>

    This section must contain a set of key=value pairs for each node label to form the nodeSelector rule.

  2. Set tolerations in the CheCluster Custom Resource to allow workspace Pods to be scheduled on tainted nodes. Tolerations work in the opposite way to nodeSelector. Instead of specifying which nodes the Pod is scheduled on, you specify which nodes the Pod cannot be scheduled on. 

    spec:
  devEnvironments:
    tolerations:
      - effect: NoSchedule
        key: <key>
        value: <value>
        operator: Equal
    Important

    nodeSelector must be configured during OpenShift Dev Spaces installation. This prevents existing workspaces from failing to run due to volumes affinity conflict caused by existing workspace PVC and Pod being scheduled in different zones.

    On large, multizone clusters, Pods and PVCs can be scheduled in different zones. To avoid this, create an additional StorageClass object (pay attention to the allowedTopologies field) to coordinate the PVC creation process.

    Pass the name of this newly created StorageClass to OpenShift Dev Spaces through the CheCluster Custom Resource. For more information, see: Section 13.2, “Configure storage classes”.

Verification

  • Verify the nodeSelector or tolerations configuration in the CheCluster Custom Resource: 

    oc get checluster devspaces -n openshift-devspaces -o jsonpath='{.spec.devEnvironments.nodeSelector}'

Configure allowed URLs to restrict Cloud Development Environment (CDE) initiation to authorized sources, protecting your infrastructure from untrusted deployments.

Prerequisites

Procedure

  1. Patch the CheCluster Custom Resource to configure the allowed source URLs: 

    oc patch checluster/devspaces \
    --namespace openshift-devspaces \
    --type='merge' \
    -p \
'{
   "spec": {
     "devEnvironments": {
       "allowedSources": {
         "urls": ["<url_1>", "<url_2>"]
       }
     }
   }
 }'

    where:

    urls
    The array of approved URLs for starting CDEs. Wildcards * are supported. For example, https://example.com/\* allows CDEs from any path within example.com.

Verification

  • In the OpenShift Dev Spaces Dashboard, start a workspace from an allowed URL and verify that it starts successfully.
  • Attempt to start a workspace from a URL that is not in the allowed list and verify that it is rejected.

9.7. Enable container run capabilities
Copy link

Enable container run capabilities in OpenShift Dev Spaces workspaces to allow running nested containers using tools like Podman. This feature uses Linux kernel user namespaces for isolation, so that users can build and run container images within their workspaces.

Important

Previously created workspaces cannot be started after enabling this feature. Users must create new workspaces.

Important
  • This feature is available on OpenShift 4.20 and later versions.

Prerequisites

  • You have an active oc session with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
  • You have an instance of OpenShift Dev Spaces running in OpenShift.

Procedure

  1. Configure the CheCluster custom resource to enable container run capabilities: 

    oc patch checluster/devspaces -n openshift-devspaces \
  --type='merge' -p \
  '{"spec":{"devEnvironments":{"disableContainerRunCapabilities":false}}}'

Verification

  • Create a new workspace and verify that Podman is available: 

    podman run --rm hello-world
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top