-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[k8s] Special case project creation so that it is possible #42132
Conversation
The test
|
rebuild_merge |
@fabianvf does this need to be backported to 2.6? |
@maxamillion yeah, you can't make projects in 2.6 right now without cluster-level admin permissions |
@maxamillion can you rekick the build? |
rebuild_merge |
f7f0cc5
to
0ee0b5a
Compare
Does the |
Projects in OpenShift are different than most resources, since almost no user has permission to create them. There's a fake resource called ProjectRequest that will allow a user to request a project and depending on cluster configuration a project will be provisioned for that user. A ProjectRequest isn't actually created though, so the user won't have permission to get it. The proper way to idempotently handle project creation for unpermissioned users is to check if the project exists and make a ProjectRequest if it doesn't. |
Surely the permission error would then happen on project create, not on project get? Your description of what the process should be sounds reasonable to me, I'm just not convinced that this change is implementing that process - I'd expect the |
Good point, the forbidden error on get will happen if you create a ProjectRequest but maybe not if you create a Project, I'll check it out and amend the PR tomorrow if necessary. |
@willthames it looks like the current behavior is correct, when I try to |
rebuild_merge |
(cherry picked from commit 9eccc96)
(cherry picked from commit 9eccc96)
SUMMARY
Automatically translates Projects to ProjectRequests if the user isn't permissioned enough to make Projects. This basically makes project creation for low-permissioned users the same as running
oc new-project
. This again makes it possible to create projects from Ansible with < admin permissions on the cluster.Fixes #42116
ISSUE TYPE
COMPONENT NAME
k8s
ADDITIONAL INFORMATION
This should be backported to 2.6