0. What is the nature and description of the request? Project administrators should be able to manage network policies for their own projects. 1. Why does the customer need this? (List the business requirements here) In a shared environment, the cluster administrator would need to create/delete/list each and every network policy. 2. How would the customer like to achieve this? (List the functional requirements here) Allow every user (or selected users) that is a project administrator to be able to manage network policies.
1. Why does the customer need this? To enable a Feature team to work independently, network policies that would only affect routing *inside* of a project should be configurable on a project level. 2.How would the customer like to achieve this? (List the functional requirements here) That being said, a policy aspect like 'net.beta.kubernetes.io/network-policy={"ingress":{"isolation":"DefaultDeny"}}' must not be modifyable by a project admin.
This will be fixed in 3.6 when https://github.com/openshift/origin/pull/14830 merges. Project admins will be able to create/edit/delete NetworkPolicies and NetworkPolicy will no longer need an annotation on the project to enable it.
verified in atomic-openshift-3.6.135-1.git.0.56fd7dc.el7.x86_64, the normal user (project admin) can create/delete/list the networkpolices in their own projects. # oc create -f npolicy.yaml # oc get networkpolicy NAME POD-SELECTOR AGE allow-from-red-to-blue type=blue 1m allow-to-label type=blue 19m default-deny <none> 1h # oc delete networkpolicy allow-from-red-to-blue networkpolicy "allow-from-red-to-blue" deleted
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188