Red Hat Bugzilla – Bug 1465569
[RFE] Provide a global ‘lock down your overcloud’ feature/setting
Last modified: 2017-08-10 16:07:19 EDT
Split out from https://bugzilla.redhat.com/show_bug.cgi?id=1396227
Provide a global ‘lock down your overcloud’ feature/setting
As an integrated feature or as a externally documented procedure, provide a way to prohib major overcloud changes. Externally documented methods could do something with IPMI passwords or PXE network traffic to prevent redeployments.
Note that we already document a method to prevent deletion of the overcloud: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html/director_installation_and_usage/chap-performing_tasks_after_overcloud_creation#sect-Protecting_the_Overcloud_from_Removal
This wouldn't stop an admin from deleting a nova instance or a neutron port, although a similar technique could probably be used for those services' policy.json.
Pushing out of OSP13, the locks will need to be revisited in other services. This bug can serve as tracker for future work.