Bug 2013034

Summary: Cannot install to openshift-nmstate namespace
Product: OpenShift Container Platform
Component: Networking
Networking sub component: kubernetes-nmstate-operator
Reporter: Ben Nemec <bnemec>
Assignee: Ben Nemec <bnemec>
QA Contact: Aleksandra Malykhin <amalykhi>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
CC: aos-bugs, bverschu, cstabler, jan-frode, stirabos, vpickard, vvoronko
Version: 4.10
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Clones: 2018557
Last Closed: 2022-03-10 16:18:42 UTC
Type: Bug
Bug Blocks: 1954309, 1970021, 2018557

Description Ben Nemec 2021-10-11 22:05:46 UTC
Description of problem: Our installation docs[0] say "Under Installed Namespace, ensure the namespace is openshift-nmstate." However, if you try to install to that namespace you get: 'project.project.openshift.io "openshift-nmstate" is forbidden: cannot request a project starting with "openshift-"'. This seems to be a recent change, probably in 4.10.

0: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/networking/kubernetes-nmstate#installing-the-kubernetes-nmstate-operator_k8s-nmstate-operator


Version-Release number of selected component (if applicable): 4.10


How reproducible: Always


Steps to Reproduce:
1. Attempt to install operator through the Marketplace using openshift-nmstate as the namespace.

Actual results: project.project.openshift.io "openshift-nmstate" is forbidden: cannot request a project starting with "openshift-"


Expected results: Successful installation.

Comment 1 Ben Nemec 2021-10-15 20:11:37 UTC
After some investigation, it looks like this is currently broken in 4.9 and up. I was still able to install to openshift-nmstate in 4.8.

It is possible to work around the problem by creating the namespace as admin: "oc adm new-project openshift-nmstate"

However, it seems like this behavior was intentional. I found reference to this at least as far back as the 4.4 docs[0]: "Projects starting with openshift- and kube- are considered critical by OpenShift Container Platform. As such, OpenShift Container Platform does not allow you to create Projects starting with openshift- using the web console." Maybe this didn't previously apply if you were logged in as kubeadmin? Needs more investigation.

0: https://docs.openshift.com/container-platform/4.4/applications/projects/working-with-projects.html

Comment 3 Ben Nemec 2021-10-27 17:24:05 UTC
Okay, I see a few options on how to fix this:
1) See if we can get the console behavior reverted back to 4.8 and earlier. Given the doc I linked earlier I'm not sure how much luck we'll have with that, but it's something we could try.
2) Change the docs to say you need to create the namespace via the cli with oc adm. This is _probably_ acceptable since only admins should be installing this operator anyway.
3) Change the namespace used for the operator to something other than openshift- (although note that kubernetes- is also disallowed, so something like kubernetes-nmstate-operator would not work either).

I'll solicit opinions from the other stakeholders in the operator to see what they prefer.

Comment 4 Simone Tiraboschi 2021-10-28 08:06:30 UTC
I'm trying to reproduce ASAP, but I fear that this is also going to affect OpenShift Virtualization, which is required to be installed in the openshift-cnv namespace.

Comment 5 Simone Tiraboschi 2021-10-28 09:46:35 UTC
I tried reproducing it with OpenShift Virtualization on:
1. OCP 4.9.0-0.nightly-2021-10-27-202207
2. OCP 4.10.0-0.nightly-2021-10-27-230233

and in both cases it worked correctly for me.

Comment 6 Simone Tiraboschi 2021-10-28 10:01:14 UTC
I think you can easily bypass this by adding an
 operatorframework.io/suggested-namespace: openshift-nmstate
annotation on the openshift-nmstate CSV.
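
A release pipeline can confirm that a bundle's CSV actually carries the annotation named in Comment 6 and that it points at the documented namespace. The script below is an added example, not part of the original comment or of the kubernetes-nmstate project; the sample manifest is constructed, the CSV name is a placeholder, and the function names are hypothetical. The prefix list is the one reported in this thread (openshift-, kube-, kubernetes-).

```shell
#!/bin/sh
# Constructed sample CSV manifest (placeholder name, not the project's real file).
sample_csv() {
cat <<'EOF'
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  name: example-operator.v0.0.0
  annotations:
    capabilities: Basic Install
    operatorframework.io/suggested-namespace: openshift-nmstate
spec:
  displayName: Example
EOF
}

# Print the suggested-namespace annotation value read from stdin (empty if absent).
suggested_namespace() {
  sed -n 's|^[[:space:]]*operatorframework\.io/suggested-namespace:[[:space:]]*||p' \
    | tr -d "\"'" | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when the name starts with a prefix this thread reports as rejected
# for ordinary project requests.
is_reserved_prefix() {
  case "$1" in
    openshift-*|kube-*|kubernetes-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: check_csv EXPECTED_NAMESPACE < manifest.yaml
# Prints missing | mismatch:<value> | ok | ok-reserved; non-zero exit on failure.
check_csv() {
  expected=$1
  found=$(suggested_namespace)
  if [ -z "$found" ]; then echo "missing"; return 1; fi
  if [ "$found" != "$expected" ]; then echo "mismatch:$found"; return 1; fi
  # A reserved prefix means the namespace cannot come from a plain project request.
  if is_reserved_prefix "$found"; then echo "ok-reserved"; else echo "ok"; fi
}

sample_csv | check_csv openshift-nmstate
```

An `ok-reserved` result flags a namespace that, without the annotation-driven flow, would need the `oc adm new-project` workaround from Comment 1.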

Comment 7 Ben Nemec 2021-10-28 14:27:35 UTC
Hmm, we've had that for about a month now: https://github.com/openshift/kubernetes-nmstate/commit/070993900d420ace8fc870feffb52d7fb3d2890c

I suppose it's possible that my previous testing happened with an older build though. I'll try again today and make sure the build I get is new enough to have that change.

Comment 8 Ben Nemec 2021-10-29 17:17:37 UTC
This was fixed by https://github.com/openshift/kubernetes-nmstate/pull/215. It isn't showing up in our current builds because we aren't building for 4.10 yet, and the patch wasn't backported to 4.9 yet.

Comment 9 Aleksandra Malykhin 2021-11-04 06:13:09 UTC
As discussed with Ben, there are no 4.10 builds to deploy and the behavior will actually be tested in the 4.9 backport.
Also, CNV is already using this fix successfully.

Comment 12 errata-xmlrpc 2022-03-10 16:18:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056