Bug 1484958

Summary: namespaces that use reserved names and were not created by infrastructure components should be blocked
Product: OpenShift Container Platform Reporter: Max Whittingham <mwhittin>
Component: MasterAssignee: Jordan Liggitt <jliggitt>
Status: CLOSED ERRATA QA Contact: Chuan Yu <chuyu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.4.1CC: aos-bugs, jliggitt, jokerman, mmccomas, vjaypurk
Target Milestone: ---Keywords: OpsBlocker
Target Release: 3.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-08 03:15:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Max Whittingham 2017-08-24 16:19:31 UTC 
Description of problem:

namespaces that use reserved names and were not created by infrastructure components should be blocked as they will cause the upgrade to fail

How reproducible:
Attempt an upgrade with a project created by a regular user such as 'openshift-shared-services' and the upgrade process will fail during the check for invalid namespaces and SDN errors.

Actual results:


Expected results:


Additional info:
Comment 1 Jordan Liggitt 2017-08-24 17:49:16 UTC 
These are checked for and blocked in 3.6.0
Comment 2 Chuan Yu 2017-08-25 06:56:09 UTC 
Verified with 3.6.173.0.13, here is the verified steps:

1.login to openshift as normal user
2.try to create new project with reserved name, openshift-, kube-, etc. all failed:
$ oc new-project openshift-shared-services
Error from server (Forbidden): project.project.openshift.io "openshift-shared-services" is forbidden: cannot request a project starting with "openshift-"
$ oc new-project kube-shared-services
Error from server (Forbidden): project.project.openshift.io "kube-shared-services" is forbidden: cannot request a project starting with "kube-"

# openshift version
openshift v3.6.173.0.13
kubernetes v1.6.1+5115d708d7
etcd 3.2.1
Comment 4 errata-xmlrpc 2017-09-08 03:15:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2642