Operators that run on and extend the control plane of OpenShift require an openshift-* prefixed project in order to use OpenShift's Prometheus instance. Since the project is not created by default, the user must create the openshift-* prefixed project, which is blocked by an admission controller. The workaround is to create a namespace instead.
It would be a better user experience to have the openshift-* namespaces be created before hand or have some method of creating them during install so the user doesn't have to.
[root@cnv-qe-03 ~]# oc whoami
[root@cnv-qe-03 ~]# oc new-project openshift-cnv
Error from server (Forbidden): project.project.openshift.io "openshift-cnv" is forbidden: cannot request a project starting with "openshift-"
Workaround in 4.2:
[rhallisey@localhost hco-bundle-registry]$ oc create ns openshift-cnv
[rhallisey@localhost hco-bundle-registry]$ oc whoami
Why is this an installation-time configuration? The admission controller should allow this through some object.
Through what object does the admission controller allow you to create an openshift-* prefixed project?
The `oc admin` may help.
mac:~ jianzhang$ oc whoami
mac:~ jianzhang$ oc adm new-project openshift-cnv
Created project openshift-cnv
All, also please mind that there is a Web UI case, which has a Create Project option only, and no NS. And a CLI case, where a user (or one specific user, as comment#3 suggests) can create either a Project or NS. And depending on what resolution this BZ will have, in docs a user may see a mix of CLI and Web UI steps or just one consistent Web UI couple-of-clicks flow.
There is no admission plugin gating this. The ProjectRequest endpoint for unprivileged users doesn't allow creating namespaces with that prefix because it is reserved for system-level integrations that should have namespace creation powers.
What are you trying to use that requires this namespace? Who gave permission for an extension to claim an openshift-* namespace? Why can't the thing you're using create the namespace in question?
I think this bug is in the wrong spot, the openshift-apiserver correctly protects reserved namespaces for ProjectRequests. Anyone with the power can use a different endpoint. If you want a better experience for how you create a namespace, I suggest speaking to the operator installing your operator.
> If you want a better experience for how you create a namespace, I suggest speaking to the operator installing your operator
That's the target for this bug, but I don't know the component. This bug is for tracking on how to improve the process for operators that will use an openshift-* prefixed namespace. Maybe this isn't the place to track?
I think most new operators are supposed to use OLM and CVO based operators already handle this gracefully, so we'll try OLM.
I didn't see OLM in the list. Should've been targeted there first, thanks David.
Closing. Tracked for 4.3 with medium priority as part of the Operator Configurability story. https://jira.coreos.com/browse/PROD-1682