Description of problem:
A cluster-admin user only gets a blank result, but a non-cluster-admin user can get the info about a non-existent project. At least, a cluster-admin user should be the same as a normal user (not a cluster-admin user).

Version-Release number of selected component (if applicable):
oc v1.1.3-553-g19dbf2a
kubernetes v1.2.0-alpha.7-703-gbc4550d

How reproducible:
Always

Steps to Reproduce:
1. Log in as a cluster-admin user
2. Try to list a resource from a non-existent project
`oc list dc -n nonexistedblabla`
3. Try to reproduce with a non-cluster-admin user; this is not reproduced

Actual results:
Step 2 - returns blank

Expected results:
Should be the same as for a non-cluster-admin user, i.e.
Error from server: User "xiaocwan1" cannot list deploymentconfigs in project "nonexistedblabla"

Additional info:
A cluster admin has permission to list items in any namespace, so the "permission denied" error will never be returned to them.
Yes, I don't think a "permission denied" error should be returned either. It seems it should return the correct info about the non-existent project no matter what role the user has. What do you think?
This is working as designed. No namespace existence check is done when getting or listing objects of a given type if the user has permission across all namespaces (like a cluster admin does). A similar change was proposed upstream in https://github.com/kubernetes/kubernetes/pull/15543 and rejected.
OK then, it seems the case is too old; I'll update the case. Thanks.