Created attachment 1153901 [details]
output of oc-process of the project-request template in default project

Description of problem:
on a 3.2 cluster, system:admin can't create new projects

Version-Release number of selected component (if applicable):
3.2.0.40-1.git.0.d721e8f

How reproducible:
always, on dev-preview-int cluster

Steps to Reproduce:
1. as system:admin, use "oc new-project" to create a new project
2.
3.

Actual results:
Error from server: metadata.name: Invalid value: "system:admin": may not contain ":"

Expected results:
Project created

Additional info:
Created attachment 1153902 [details] expurgated (no cert data) admin.kubeconfig
This only happens when you create a project as a user with the prefix "system:" using the command `oc new-project <project name>` in an environment with the ProjectRequestLimit plugin enabled. And for the system:admin user we'd better create the project via `oadm new-project <project name>`.
> command `oc new-project <project name>` on a ProjectRequestLimit plugin enabled env.

Thanks for that. I think I see it and I'll think about it. Without an actual user or SA, perhaps we should simply allow it.
opened https://github.com/openshift/origin/pull/8766
Checked with devenv-rhel7_4273, and the issue has been fixed.

    # oc whoami
    system:admin
    # oc new-project project1
    Now using project "project1" on server "https://172.18.130.27:8443".

    You can add applications to this project with the 'new-app' command. For example, try:

        oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

    to build a new example application in Ruby.
    #oc new-project project2   #(with maxProjectsForSystemUsers: 1)
    Error from server: projectrequests "project2" is forbidden: user system:admin cannot create more than 1 project(s).

And the same result on puddle atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7.x86_64.

Since a serviceaccount cannot send the projectrequest API, there is no need to check with serviceaccounts.
And the same result on puddle atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7.x86_64. So the issue has been fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1221