Bug 1461208 - [RFE] Allow project administrators to manage networkpolicies in their own projects
[RFE] Allow project administrators to manage networkpolicies in their own pro...
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ---
: 3.7.0
Assigned To: Dan Winship
Depends On:
  Show dependency treegraph
Reported: 2017-06-13 17:47 EDT by Alexis Solanas
Modified: 2017-11-28 16:56 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
(covered by other doc updates)
Story Points: ---
Clone Of:
Last Closed: 2017-11-28 16:56:55 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 14830 None None None 2017-06-28 15:33 EDT
Red Hat Product Errata RHSA-2017:3188 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-28 21:34:54 EST

  None (edit)
Description Alexis Solanas 2017-06-13 17:47:54 EDT
0. What is the nature and description of the request?

  Project administrators should be able to manage network policies for their own projects. 

1. Why does the customer need this? (List the business requirements here)
  In a shared environment, the cluster administrator would need to create/delete/list each and every network policy. 

2. How would the customer like to achieve this? (List the functional requirements here)

  Allow every user (or selected users) that is a project administrator to be able to manage network policies.
Comment 1 Simon Gunzenreiner 2017-06-14 04:07:42 EDT
1. Why does the customer need this?
To enable a Feature team to work independently, network policies that would only affect routing *inside* of a project should be configurable on a project level.

2.How would the customer like to achieve this? (List the functional requirements here)
That being said, a policy aspect like
must not be modifyable by a project admin.
Comment 4 Ben Bennett 2017-06-22 11:22:49 EDT
This will be fixed in 3.6 when https://github.com/openshift/origin/pull/14830 merges.

Project admins will be able to create/edit/delete NetworkPolicies and NetworkPolicy will no longer need an annotation on the project to enable it.
Comment 6 hongli 2017-07-06 04:53:47 EDT
verified in atomic-openshift-3.6.135-1.git.0.56fd7dc.el7.x86_64, the normal user (project admin) can create/delete/list the networkpolices in their own projects.

# oc create -f npolicy.yaml

# oc get networkpolicy 
NAME                     POD-SELECTOR   AGE
allow-from-red-to-blue   type=blue      1m
allow-to-label           type=blue      19m
default-deny             <none>         1h

# oc delete networkpolicy allow-from-red-to-blue 
networkpolicy "allow-from-red-to-blue" deleted
Comment 10 errata-xmlrpc 2017-11-28 16:56:55 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.