Description of problem:
OpenShift by default deploys 'kubernetes' svc in 'default' namespace so that anyone can access the service. Allowing project isolation on 'default' namespace will break this behavior.

Version-Release number of selected component (if applicable):
oc v3.9.0-alpha.4+2a97048-409-dirty (also valid for older releases)
kubernetes v1.9.1+a0ce1bc657

How reproducible:
Always

Steps to Reproduce:
1. Launch openshift cluster with multitenant openshift sdn plugin
2. oc adm pod-network isolate-projects default

Actual results:
'default' project is isolated (VNID != 0)

Expected results:
'default' project is not allowed to be isolated (VNID = 0)

Additional info:
Fixed by https://github.com/openshift/origin/pull/18687
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/0ad3c112b6cce72fb4192b48b132491e60eb45b0
Merge pull request #18687 from pravisankar/fix-isolate-projects

Automatic merge from submit-queue.

Bug 1547284 - Do not allow 'default' project to be isolated using 'oc adm pod-network'
Verified in atomic-openshift-3.9.0-0.53.0.git.0.3b81e2d.el7.x86_64 and issue has been fixed. "default" project is not allowed to be isolated now.

# oc adm pod-network isolate-projects default
error: network isolation for project "default" is forbidden
# oc get netnamespace
NAME      NETID     EGRESS IPS
default   0         []
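A check built on the `oc get netnamespace` output from the verification above, for auditing clusters that may still run an unfixed release. This is an added example, not part of the original bug report or the OpenShift code base; the function name `check_default_netid` and both sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a 'default' project whose NETID (VNID) is not 0.
# Reads the `oc get netnamespace` table on stdin, prints one finding line,
# and returns:
#   0  default has NETID 0 (global, the expected state)
#   1  default has a non-zero NETID (isolated; the 'kubernetes' svc is no
#      longer reachable from other projects)
#   2  no 'default' row, or the NETID column is not a number
#
# Live use (assumes a logged-in `oc` allowed to read netnamespaces):
#   oc get netnamespace | check_default_netid
# If the result is ISOLATED, `oc adm pod-network make-projects-global default`
# returns the project to NETID 0.
check_default_netid() {
    awk '
        $1 == "NAME"    { next }                      # skip the header row
        $1 == "default" { found = 1; netid = $2 }     # column 2 is NETID
        END {
            if (!found) {
                print "UNKNOWN: no netnamespace row for default"; exit 2
            }
            if (netid !~ /^[0-9]+$/) {
                print "UNKNOWN: unparsable NETID " netid; exit 2
            }
            if (netid + 0 == 0) {
                print "OK: default NETID=0"; exit 0
            }
            print "ISOLATED: default NETID=" netid; exit 1
        }'
}

# Constructed sample: the table shape shown in the verification comment.
SAMPLE_FIXED='NAME      NETID     EGRESS IPS
default   0         []'

# Constructed sample: an affected cluster after isolate-projects was run
# on default (NETID values are made up).
SAMPLE_ISOLATED='NAME        NETID     EGRESS IPS
default     8961234   []
myproject   1234567   []'

# Constructed sample: table with no row for default.
SAMPLE_MISSING='NAME        NETID     EGRESS IPS
myproject   1234567   []'
```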
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489