Bug 1461208

Summary: [RFE] Allow project administrators to manage networkpolicies in their own projects
Product: OpenShift Container Platform Reporter: Alexis Solanas <asolanas>
Component: NetworkingAssignee: Dan Winship <danw>
Status: CLOSED ERRATA QA Contact: Hongan Li <hongli>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.5.0CC: aos-bugs, bbennett, simon.gunzenreiner, xtian
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
(covered by other doc updates)
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 21:56:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Alexis Solanas 2017-06-13 21:47:54 UTC
0. What is the nature and description of the request?

  Project administrators should be able to manage network policies for their own projects. 

1. Why does the customer need this? (List the business requirements here)
 
  In a shared environment, the cluster administrator would need to create/delete/list each and every network policy. 

2. How would the customer like to achieve this? (List the functional requirements here)

  Allow every user (or selected users) that is a project administrator to be able to manage network policies.

Comment 1 Simon Gunzenreiner 2017-06-14 08:07:42 UTC
1. Why does the customer need this?
To enable a Feature team to work independently, network policies that would only affect routing *inside* of a project should be configurable on a project level.

2.How would the customer like to achieve this? (List the functional requirements here)
That being said, a policy aspect like
'net.beta.kubernetes.io/network-policy={"ingress":{"isolation":"DefaultDeny"}}'
must not be modifyable by a project admin.

Comment 4 Ben Bennett 2017-06-22 15:22:49 UTC
This will be fixed in 3.6 when https://github.com/openshift/origin/pull/14830 merges.

Project admins will be able to create/edit/delete NetworkPolicies and NetworkPolicy will no longer need an annotation on the project to enable it.

Comment 6 Hongan Li 2017-07-06 08:53:47 UTC
verified in atomic-openshift-3.6.135-1.git.0.56fd7dc.el7.x86_64, the normal user (project admin) can create/delete/list the networkpolices in their own projects.

# oc create -f npolicy.yaml

# oc get networkpolicy 
NAME                     POD-SELECTOR   AGE
allow-from-red-to-blue   type=blue      1m
allow-to-label           type=blue      19m
default-deny             <none>         1h

# oc delete networkpolicy allow-from-red-to-blue 
networkpolicy "allow-from-red-to-blue" deleted

Comment 10 errata-xmlrpc 2017-11-28 21:56:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188