Split out from https://bugzilla.redhat.com/show_bug.cgi?id=1396227 Provide a global ‘lock down your overcloud’ feature/setting As an integrated feature or as a externally documented procedure, provide a way to prohib major overcloud changes. Externally documented methods could do something with IPMI passwords or PXE network traffic to prevent redeployments.
Note that we already document a method to prevent deletion of the overcloud: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html/director_installation_and_usage/chap-performing_tasks_after_overcloud_creation#sect-Protecting_the_Overcloud_from_Removal This wouldn't stop an admin from deleting a nova instance or a neutron port, although a similar technique could probably be used for those services' policy.json.
Pushing out of OSP13, the locks will need to be revisited in other services. This bug can serve as tracker for future work.
After review between PM and engineering we have decided to close this RFE due to a lack of capacity. Please reopen this issue if you feel it still needs to be addressed and request re evaluation.