Bug 1461208 - [RFE] Allow project administrators to manage networkpolicies in their own projects
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assignee: Dan Winship
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-13 21:47 UTC by Alexis Solanas
Modified: 2017-11-28 21:56 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
(covered by other doc updates)
Clone Of:
Environment:
Last Closed: 2017-11-28 21:56:55 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Origin (Github) | 14830 | 0 | None | None | None | 2017-06-28 19:33:47 UTC
Red Hat Product Errata | RHSA-2017:3188 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update | 2017-11-29 02:34:54 UTC

Description Alexis Solanas 2017-06-13 21:47:54 UTC
0. What is the nature and description of the request?

  Project administrators should be able to manage network policies for their own projects. 

1. Why does the customer need this? (List the business requirements here)
 
  In a shared environment, the cluster administrator would need to create/delete/list each and every network policy. 

2. How would the customer like to achieve this? (List the functional requirements here)

  Allow every user (or selected users) that is a project administrator to be able to manage network policies.

Comment 1 Simon Gunzenreiner 2017-06-14 08:07:42 UTC
1. Why does the customer need this?
To enable a Feature team to work independently, network policies that would only affect routing *inside* of a project should be configurable on a project level.

2. How would the customer like to achieve this? (List the functional requirements here)
That being said, a policy aspect like
'net.beta.kubernetes.io/network-policy={"ingress":{"isolation":"DefaultDeny"}}'
must not be modifiable by a project admin.

Comment 4 Ben Bennett 2017-06-22 15:22:49 UTC
This will be fixed in 3.6 when https://github.com/openshift/origin/pull/14830 merges.

Project admins will be able to create/edit/delete NetworkPolicies and NetworkPolicy will no longer need an annotation on the project to enable it.

Comment 6 Hongan Li 2017-07-06 08:53:47 UTC
Verified in atomic-openshift-3.6.135-1.git.0.56fd7dc.el7.x86_64: the normal user (project admin) can create/delete/list the networkpolicies in their own projects.

# oc create -f npolicy.yaml

# oc get networkpolicy 
NAME                     POD-SELECTOR   AGE
allow-from-red-to-blue   type=blue      1m
allow-to-label           type=blue      19m
default-deny             <none>         1h

# oc delete networkpolicy allow-from-red-to-blue 
networkpolicy "allow-from-red-to-blue" deleted

Comment 10 errata-xmlrpc 2017-11-28 21:56:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
