
developer is not allowed to create new projects via oc apply #476

Closed
jstrachan opened this issue Feb 23, 2017 · 10 comments

Comments

@jstrachan
Contributor

e.g. save this as foo.yml:

---
apiVersion: v1
kind: ProjectRequest
metadata:
  name: foo

then try:

oc apply -f foo.yml

you get:
Error from server: error when retrieving current configuration of:
&{0xc420b2c180 0xc42038a690 foo.yml &ProjectRequest{ObjectMeta:k8s_io_kubernetes_pkg_api_v1.ObjectMeta{Name:foo,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{kubectl.kubernetes.io/last-applied-configuration: ,},OwnerReferences:[],Finalizers:[],ClusterName:,},DisplayName:,Description:,} &TypeMeta{Kind:,APIVersion:,} false}
from server for: "target/cheese.yml": User "developer" cannot get projectrequests at the cluster scope


It sounds like the `oc new-project` does some ninja stuff to create the resource without checking if it already exists or something.

We should enable developers to create new projects via `oc apply` OOTB.
@jstrachan
Contributor Author

looks like we should run something like this (as user system) on startup:

oc adm policy add-cluster-role-to-user cluster-reader developer

Then the developer role can create projects via oc apply -f

@jorgemoralespou
Contributor

@jstrachan AFAIK ProjectRequest is what "oc adm new-project" does. On the contrary "oc new-project" goes through an authorizer for the user, as it can limit the "self provisioning" capability.

I would recommend that you raise the question of what "ninja stuff" is there, and whether a developer should be allowed to create projects via API.

I guess you're using that for the fabric8 template yml file. Maybe for minishift, a fabric8 "bundle" should combine template and oc and oc adm commands, like the plugins in oc-cluster wrapper.

@jstrachan
Contributor Author

I don't see any reason on minishift for ProjectRequest creation to be disabled for developers when using OpenShift Templates or oc apply - can you think of a reason why a developer isn't allowed to create projects on their laptop?

@jorgemoralespou
Contributor

@jstrachan I agree with you that there are many things that developers should be able to do on their laptops that are not allowed in other environments, but if this requires modifying the process that minishift uses to bootstrap clusters, it maybe needs to fall into one of these 2 options:

  • Modify minishift and provide some sane defaults for developers
  • Provide a bundle mechanism that modifies these defaults for different use cases.

But to be honest, for this specific case, I would go with the second option, as then a developer would probably craft a template that he would only be able to run in minishift. I think developers should know the limitations they will have in the real openshift environments, and should be given the tools to circumvent them easily, via commands like "config" or via "bundles", so maybe, like discussed in #257, we need to look into bootstrapping fabric8 via a bundle and not via a single template that will only work "in any case" in minishift.

@praveenkumar
Contributor

@jstrachan Now you can use developer as system:admin, which solves your issue. It is now part of our latest rc1 release. Please try it and let us know if that solves your issue.

$ ./oc apply -f foo.yml --as system:admin
projectrequest "foo" created

@jstrachan
Contributor Author

The problem is there's no way to log in to the console as system:admin, so there's no way to use Templates with different namespaces in the web console.

I understand how a real openshift cluster will have limits which will make developers less productive. But I still don't think we should go out of our way to make minishift hard to use for developers; we're just increasing the likelihood developers will ditch openshift completely and go with pure kubernetes or docker swarm.

@praveenkumar
Contributor

@jstrachan I do agree, we are going to address this soon using addon features which can provide an admin to use the web console.

@jorgemoralespou
Contributor

Using minishift 1.0.0.rc.1 you can set cluster-admin privilege for the developer by doing:

minishift addon install --defaults && minishift addon enable cluster-admin

(Not the best experience, but there are already some issues around this).

Although I would consider having a default admin/admin user created by default as cluster:admin, as an addon.

@hferentschik
Member

minishift addon install --defaults && minishift addon enable cluster-admin

+1

Although I would consider having a default admin/admin user created by default as cluster:admin, as an addon.

+1 Spot on

@hferentschik hferentschik modified the milestones: v1.0.0-rc.2, v1.0.0 Apr 5, 2017
@hferentschik
Member

I am going to close this issue. There are several ways of doing this now. Either using impersonation via oc --as system:admin or via add-on(s).

@jstrachan, I am going to close this issue. If you still feel you don't have a way to solve your use-case let us know.
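An added example, not from this issue or the minishift project: the failure at the top of the thread happens while `oc apply` reads the object back before writing it ("error when retrieving current configuration"), so a manifest can be split so that ProjectRequest documents go through `oc create` (a single POST) and only the remaining objects through `oc apply`. It assumes the developer user keeps the default self-provisioner role, which permits `create` on projectrequests but not the cluster-scoped `get` that apply issues first; the script splits a constructed sample manifest and prints the two `oc` commands without running them.

```shell
# Added example (not from the minishift issue or project): route ProjectRequest
# documents to `oc create` (POST only, allowed by the default self-provisioner
# role) and everything else to `oc apply` (GET first, which the developer user
# is denied at the cluster scope).
set -eu

# Constructed sample manifest: one ProjectRequest plus one namespaced object.
SAMPLE_MANIFEST='---
apiVersion: v1
kind: ProjectRequest
metadata:
  name: foo
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: settings
  namespace: foo
'

# split_manifest IN PROJECTS_OUT REST_OUT
# Copies ProjectRequest documents to PROJECTS_OUT and all others to REST_OUT;
# prints "<projectrequest count> <other count>" on stdout.
split_manifest() {
  awk -v pfile="$2" -v rfile="$3" '
    function flush() {
      if (doc ~ /^[[:space:]]*$/) { doc = ""; is_pr = 0; return }
      if (is_pr) { printf "---\n%s", doc > pfile; npr++ }
      else       { printf "---\n%s", doc > rfile; nother++ }
      doc = ""; is_pr = 0
    }
    /^---[[:space:]]*$/ { flush(); next }
    /^kind:[[:space:]]*ProjectRequest[[:space:]]*$/ { is_pr = 1 }  # top-level kind only
    { doc = doc $0 "\n" }
    END { flush(); print npr + 0, nother + 0 }
  ' "$1"
}

# plan_commands PROJECTS_FILE REST_FILE: prints the two commands in the order
# they must run (projects first, so namespaced objects have somewhere to land).
plan_commands() {
  printf 'oc create -f %s\noc apply -f %s\n' "$1" "$2"
}

# Demonstration on the constructed manifest, written to a temporary directory.
WORKDIR=$(mktemp -d)
printf '%s' "$SAMPLE_MANIFEST" > "$WORKDIR/all.yml"
split_manifest "$WORKDIR/all.yml" "$WORKDIR/projects.yml" "$WORKDIR/rest.yml"
plan_commands "$WORKDIR/projects.yml" "$WORKDIR/rest.yml"
```

This keeps the developer user on its default role rather than the cluster-reader or cluster-admin grants discussed above.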
