Description of problem: According to doc: "When a developer or a service account that is unable to self-provision projects makes a project creation request using the web console or CLI, the following error message is returned by default: "You may not request a new project via this API." https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/html/applications/projects#customizing-project-request-message_configuring-project-creation Using project.spec.projectRequestMessage we can set some message But it is not applied properly to all components and this is inconsistent with "oc" (the behavior is quite the opposite) HOW IT WORKS: 1. for "oc" command you login and no message -> I would expect we have info, but nothing. However, when you create new-project you get a message defined in projectRequestMessage. examples: [ admin.csb /home/obockows/WORK/02578143-project ] $ oc login https://api:6443 You don't have any projects. Contact your system administrator to request a project. [ admin.csb /home/obockows/WORK/02578143-project ] $ /tmp/oc new-project something Error from server (Forbidden): ask astutus for a new project the result: we have message defined in projectRequestMessage only when we fail to create a project 2. console: when we are logged and we are in Home/Projects for Admin or Advanced/Projects for Developer view, we have: Welcome to OpenShift ask astutus for a new project however, when we make an attempt to create a new project we have what you've seen, e.g. "An error occurred projectrequests.project.openshift.io is forbidden: User "olimpb.bockowski" cannot create resource "projectrequests" in API group "project.openshift.io" at the cluster scope" ^^ here should be the message as well Moreover, the web console shows the defined message only if you don't have a project yet. If you already have one, you don't get the message at all. Remarkable is the fact that in Openshift 3.x the project creation link is removed in favor of the defined message when project self-provisioning is disabled. The odd is inconsistency between console and CLI, if it behaves in sone way, it should be the same. I am quite convinced it should be unified and both for console and oc the same. Version-Release number of selected component (if applicable): 4.x Additional info: I was thinking should it be RE/RFE or bug, however, it looks like a bug because project.spec.projectRequestMessage wasn't put it all web components it should be. Moreover, we have still "An error occurred projectrequests.project.openshift.io is forbidden" when we try to use a button.
btw we could also consider a different approach, e.g. should a project creation button is visible in console after self-provisioning disabled -> up to UX folks
Per Serena Nichols in UXD, the "Create Project" button should not be visible if self-provisioning is disabled. Currently, "Create Project" is always visible in the project selection dropdown, which I will fix.
1. Disabling project self-provisioning # oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}' clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched # oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }' # oc describe clusterrolebinding.rbac self-provisioners Name: self-provisioners Labels: <none> Annotations: rbac.authorization.kubernetes.io/autoupdate: false Role: Kind: ClusterRole Name: self-provisioner Subjects: Kind Name Namespace ---- ---- --------- 2. Customize project request message # oc edit project.config.openshift.io/cluster project.config.openshift.io/cluster edited # oc get project.config.openshift.io/cluster -o yaml apiVersion: config.openshift.io/v1 kind: Project metadata: annotations: release.openshift.io/create-only: "true" creationTimestamp: "2020-02-24T00:50:30Z" generation: 2 name: cluster resourceVersion: "220199" selfLink: /apis/config.openshift.io/v1/projects/cluster uid: 689ef5c6-97bb-4bc3-b1dd-688ad10c3638 spec: projectRequestMessage: This is customized by yapei, please contact her 3. Login via CLI oc login https://api.qe-ui-02240831.qe.devcluster.openshift.com:6443 -u yapei1 -p redhat Login successful. You don't have any projects. Contact your system administrator to request a project. 4. Login via console, check Workloads -> Deployments , open project dropdown, 'Create Project' button is still listed == Check if fix PR is merged in 4.4.0-0.nightly-2020-02-23-191320 # export version=4.4.0-0.nightly-2020-02-23-191320 # oc adm release info registry.svc.ci.openshift.org/ocp/release:$version --pullspecs | grep console console quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5c5c3fba650560e27f29d1ea7f0a31cb6ff527070020bebf98df352f436d495f console-operator quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4c8cb2261424a458f4874fdffed95a378f88343b4c1e67e57133942c209328de # oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5c5c3fba650560e27f29d1ea7f0a31cb6ff527070020bebf98df352f436d495f | grep commit io.openshift.build.commit.id=d2821006d2b12f1f365025feeacdbfa6a159902f io.openshift.build.commit.url=https://github.com/openshift/console/commit/d2821006d2b12f1f365025feeacdbfa6a159902f [yapei@New_Mac console]$ git pull [yapei@New_Mac console]$ git log d2821006d2b12f1f365025feeacdbfa6a159902f | grep '#4358' // nothing returns Robb, the fix PR is merged 5 days ago, but we didn't see the fix in any payload until now. Can you help check what's going wrong?
The fix is in 4.5 currently. We'll need a separate bug/PR to backport to 4.4.
Created attachment 1667999 [details] No Create Project Button 1. Disabling project self-provisioning # oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}' clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched # oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }' # oc describe clusterrolebinding.rbac self-provisioners Name: self-provisioners Labels: <none> Annotations: rbac.authorization.kubernetes.io/autoupdate: false Role: Kind: ClusterRole Name: self-provisioner Subjects: Kind Name Namespace ---- ---- --------- 2. Customize project request message # oc edit project.config.openshift.io/cluster project.config.openshift.io/cluster edited # oc get project.config.openshift.io/cluster -o yaml apiVersion: config.openshift.io/v1 kind: Project metadata: annotations: release.openshift.io/create-only: "true" creationTimestamp: "2020-02-24T00:50:30Z" generation: 2 name: cluster resourceVersion: "220199" selfLink: /apis/config.openshift.io/v1/projects/cluster uid: 689ef5c6-97bb-4bc3-b1dd-688ad10c3638 spec: projectRequestMessage: This is customized by yapei, please contact her 3. Login via CLI oc login https://api.qe-ui-02240831.qe.devcluster.openshift.com:6443 -u yapei1 -p redhat Login successful. You don't have any projects. Contact your system administrator to request a project. # oc new-project yapei1-1 Error from server (Forbidden): This is customized by yapei, please contact her 4. Login via console as user 'yapei1', check Workloads -> Deployments , open project dropdown, no 'Create Project' button in dropdown list Verified on 4.5.0-0.ci-2020-03-04-223611
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581