Bug 1570936 - New infra projects (sdn, node, etc) should be immortal
Summary: New infra projects (sdn, node, etc) should be immortal
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Master
Version: 3.10.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 3.10.0
Assignee: David Eads
QA Contact: Wang Haoran
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-23 19:07 UTC by Mike Fiedler
Modified: 2018-05-03 19:27 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-30 12:11:25 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Mike Fiedler 2018-04-23 19:07:57 UTC
Description of problem:

openshift-sdn, openshift-node and possibly openshift-web-console should get the same protections that kube-system and default have so that they cannot be deleted.

Version-Release number of selected component (if applicable): 3.10.0-0.27.0

How reproducible: Always

Steps to Reproduce:
1. oc delete openshift-sdn

Actual results:

SDN namespace deleted

Expected results:

As more OpenShift infra moves into pods/namespaces, those critical to cluster health should be protected.

Comment 1 David Eads 2018-04-30 12:11:14 UTC
I don't see why components should be immortal.  I wouldn't make the openshift-apiserver namespace immortal, so why should the SDN that depends on it be immortal?

I may consider making some future operator namespace immortal to ease recovery (or maybe not), but preventing the removal of a component after it has been installed doesn't seem reasonable to me.

Comment 2 Mike Fiedler 2018-05-03 18:45:02 UTC
Seems asymmetrical that we allow deletion of openshift-* namespaces but do not allow creation:

root@ip-172-31-13-231: ~ # oc new-project openshift-logging       
Error from server (Forbidden): project.project.openshift.io "openshift-logging" is forbidden: cannot request a project starting with "openshift-"

@deads is this as you would expect?  Maybe I'm being too picky.

Comment 3 David Eads 2018-05-03 19:27:07 UTC
We don't allow requesting a namespace with that pattern because normal users can request projects.  Normal users cannot delete any openshift- namespaces.  Only exception users can delete them and those same exceptional users can create them with `oc create namespace openshfit-logging`.

The two actions look similar, but aren't.  So I think they are symmetric.

Note You need to log in before you can comment on or make changes to this bug.