Bug 1664608 - Should forbid the creation of a subscription under a namespace without an operatorgroup object
Summary: Should forbid the creation of a subscription under a namespace without an ope...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.1.0
Assignee: Evan Cordell
QA Contact: Qin Ping
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-09 09:51 UTC by Qin Ping
Modified: 2019-06-04 10:41 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:41:38 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:41:43 UTC

Description Qin Ping 2019-01-09 09:51:47 UTC 
Description of problem:
Should forbid the creation of a subscription under a namespace without an operatorgroup object

Version-Release number of selected component (if applicable):
$ oc exec olm-operator-5f7dcdcd8f-ttn7t -- olm -version
OLM version: 0.8.0
git commit: 75e95a0


How reproducible:
Always

Steps to Reproduce:
1. Create a new ns
$ oc create  ns federation-system
2. Create subscription.
$ cat subscription.yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  generateName: federationv2-
  namespace: federation-system
spec:
  source: rh-operators
  sourceNamespace: openshift-operator-lifecycle-manager
  name: federationv2
  startingCSV: federationv2.v0.0.2
  channel: alpha
$ oc create -f subscription.yaml

Actual results:
Subscription is created successfully, but no workload Pod is created.

Expected results:
Subscription can not be created.

Additional info:
Comment 1 Evan Cordell 2019-01-31 14:16:52 UTC 
Because OLM is not an apiserver (it uses CRDs), we can't actually prevent the creation of the object itself. The important part is that the Subscription is not noticed and no operators are installed.
Comment 2 Evan Cordell 2019-01-31 14:17:51 UTC 
We could fix this through an additional component (validating admission webhook) - but that would be a large thing to add at this point. Could we track this as a feature request for a future version?
Comment 3 Qin Ping 2019-02-01 02:03:14 UTC 
Will we make the Subscription is noticed in openshift 4.0?
Comment 4 Jian Zhang 2019-02-01 03:35:04 UTC 
Evan,

> We could fix this through an additional component (validating admission webhook) - but that would be a large thing to add at this point. 

We should address this issue. So could you help transfer it to the appropriate component?

>  Could we track this as a feature request for a future version?
Sure, we can change this bug as a feature request, and we should highlight this issue in our release document. 
@Qin What do you suggest?
Comment 5 Nick Hale 2019-02-19 14:06:46 UTC 
This has been sitting here for a while. It's not a bug, it's intended behavior. We can add Subscription ignoring logic, but as Evan stated, this would be a new feature. Can we get this report removed?
Comment 11 errata-xmlrpc 2019-06-04 10:41:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758
Note You need to log in before you can comment on or make changes to this bug.