Bug 1333049
| Summary: | system:admin can't create projects with oc | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Sten Turpin <sten> | ||||||
| Component: | apiserver-auth | Assignee: | David Eads <deads> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | weiwei jiang <wjiang> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | unspecified | CC: | adellape, agrimm, aos-bugs, deads, wsun | ||||||
| Target Milestone: | --- | Keywords: | NeedsTestCase | ||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7 | Doc Type: | Bug Fix | ||||||
| Doc Text: |
For users with a "system:" prefix on an environment with the ProjectRequestLimit plug-in enabled, the `oc new-project <project_name>` command failed with an "Invalid value" error. This bug fix updates OpenShift Enterprise to allow project request limits on system users and service accounts, and as a result users with a "system:" prefix can now create new projects as expected.
|
Story Points: | --- | ||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2016-06-09 21:10:51 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1303130 | ||||||||
| Attachments: |
|
||||||||
Created attachment 1153902 [details]
expurgated (no cert data) admin.kubeconfig
This is only happen when you create a project via user with prefix "system:" with command `oc new-project <project name>` on a ProjectRequestLimit plugin enabled env. And for system:admin user we'd better create project via `oadm new-project <project name>`. > command `oc new-project <project name>` on a ProjectRequestLimit plugin enabled env.
Thanks for that. I think I see it and I'll think about it. Without an actual user or SA, perhaps we should simply allow it.
checked with devenv-rhel7_4273, and the issue has been fixed. # oc whoami system:admin # oc new-project project1 Now using project "project1" on server "https://172.18.130.27:8443". You can add applications to this project with the 'new-app' command. For example, try: oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git to build a new example application in Ruby. #oc new-project project2 #(with maxProjectsForSystemUsers: 1) Error from server: projectrequests "project2" is forbidden: user system:admin cannot create more than 1 project(s). And same result on puddle atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7.x86_64 Since serviceaccount can not send projectrequest api, so no need check with serviceaccounts. And same result on puddle atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7.x86_64. So the issue has been fixed. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1221 |
Created attachment 1153901 [details] output of oc-process of the project-request template in default project Description of problem: on a 3.2 cluster, system:admin can't create new projects Version-Release number of selected component (if applicable): 3.2.0.40-1.git.0.d721e8f How reproducible: always, on dev-preview-int cluster Steps to Reproduce: 1. as system:admin, use "oc new-project" to create a new project 2. 3. Actual results: Error from server: metadata.name: Invalid value: "system:admin": may not contain ":" Expected results: Project created Additional info: