Bug 1461208 - [RFE] Allow project administrators to manage networkpolicies in their own projects
[RFE] Allow project administrators to manage networkpolicies in their own pro...
Status: VERIFIED
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking (Show other bugs)
3.5.0
Unspecified Unspecified
medium Severity medium
: ---
: 3.7.0
Assigned To: Dan Winship
hongli
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-13 17:47 EDT by Alexis Solanas
Modified: 2017-10-05 13:47 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
(covered by other doc updates)
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 14830 None None None 2017-06-28 15:33 EDT

  None (edit)
Description Alexis Solanas 2017-06-13 17:47:54 EDT
0. What is the nature and description of the request?

  Project administrators should be able to manage network policies for their own projects. 

1. Why does the customer need this? (List the business requirements here)
 
  In a shared environment, the cluster administrator would need to create/delete/list each and every network policy. 

2. How would the customer like to achieve this? (List the functional requirements here)

  Allow every user (or selected users) that is a project administrator to be able to manage network policies.
Comment 1 Simon Gunzenreiner 2017-06-14 04:07:42 EDT
1. Why does the customer need this?
To enable a Feature team to work independently, network policies that would only affect routing *inside* of a project should be configurable on a project level.

2.How would the customer like to achieve this? (List the functional requirements here)
That being said, a policy aspect like
'net.beta.kubernetes.io/network-policy={"ingress":{"isolation":"DefaultDeny"}}'
must not be modifyable by a project admin.
Comment 4 Ben Bennett 2017-06-22 11:22:49 EDT
This will be fixed in 3.6 when https://github.com/openshift/origin/pull/14830 merges.

Project admins will be able to create/edit/delete NetworkPolicies and NetworkPolicy will no longer need an annotation on the project to enable it.
Comment 6 hongli 2017-07-06 04:53:47 EDT
verified in atomic-openshift-3.6.135-1.git.0.56fd7dc.el7.x86_64, the normal user (project admin) can create/delete/list the networkpolices in their own projects.

# oc create -f npolicy.yaml

# oc get networkpolicy 
NAME                     POD-SELECTOR   AGE
allow-from-red-to-blue   type=blue      1m
allow-to-label           type=blue      19m
default-deny             <none>         1h

# oc delete networkpolicy allow-from-red-to-blue 
networkpolicy "allow-from-red-to-blue" deleted

Note You need to log in before you can comment on or make changes to this bug.