Description of problem:
When disabling project self-provisioning and creating a ClusterRole to allow the user to create a project with a specific name, the user cannot create the project, and an "Error from server (Forbidden): You may not request a new project via this API." error occurs.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Disable project self-provisioning
https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation

2. Create a ClusterRole configuring a specific Resource Name
```
$ oc describe clusterrole test-cluster-role
Name:         test-cluster-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                             Non-Resource URLs  Resource Names   Verbs
  ---------                             -----------------  --------------   -----
  projectrequests                       []                 [reserved-name]  [create]
  projectrequests.project.openshift.io  []                 [reserved-name]  [create]
```

3. Bind the ClusterRole to the user
```
$ oc adm policy add-cluster-role-to-user test-cluster-role user1
clusterrole.rbac.authorization.k8s.io/test-cluster-role added: "user1"
```

4. Log in as the user and try to create a project with the configured name.
```
$ oc login -u user1
Logged into "https://api.yhe-blue.jp.apacshift.support:6443" as "user1" using existing credentials.

$ oc new-project reserved-name
Error from server (Forbidden): You may not request a new project via this API.
```

```
$ oc new-project reserved-name --loglevel=10
I0210 01:58:48.845218    4118 loader.go:375] Config loaded from file:  /home/ec2-user/.kube/config
I0210 01:58:48.846115    4118 round_trippers.go:423] curl -k -v -XGET  -H "Authorization: Bearer sha256~Fu8HOUs7Fp5psTprPRf1ZF-4LAd_rUqouTStSPidiuE" -H "Accept: application/json, */*" -H "User-Agent: oc/openshift (linux/amd64) kubernetes/02c1100" 'https://api.yhe-blue.jp.apacshift.support:6443/apis/project.openshift.io/v1/projectrequests'
I0210 01:58:48.883943    4118 round_trippers.go:443] GET https://api.yhe-blue.jp.apacshift.support:6443/apis/project.openshift.io/v1/projectrequests 403 Forbidden in 37 milliseconds
I0210 01:58:48.884029    4118 round_trippers.go:449] Response Headers:
I0210 01:58:48.884078    4118 round_trippers.go:452]     Cache-Control: no-cache, private
I0210 01:58:48.884136    4118 round_trippers.go:452]     Cache-Control: no-store
I0210 01:58:48.884168    4118 round_trippers.go:452]     Content-Type: application/json
I0210 01:58:48.884229    4118 round_trippers.go:452]     Date: Wed, 10 Feb 2021 01:58:48 GMT
I0210 01:58:48.884268    4118 round_trippers.go:452]     X-Kubernetes-Pf-Flowschema-Uid: 7350d5ad-8891-47e9-931c-13c975c03f05
I0210 01:58:48.884332    4118 round_trippers.go:452]     X-Kubernetes-Pf-Prioritylevel-Uid: 1af91f60-82e4-445d-afd9-74511fecc350
I0210 01:58:48.884369    4118 round_trippers.go:452]     Content-Length: 228
I0210 01:58:48.884407    4118 round_trippers.go:452]     Audit-Id: 3bf2d088-e72f-4267-b5b9-dc3e96f65253
I0210 01:58:48.884488    4118 request.go:1097] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"You may not request a new project via this API.","reason":"Forbidden","details":{"group":"project.openshift.io","kind":"projectrequest"},"code":403}
I0210 01:58:48.885063    4118 helpers.go:216] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "You may not request a new project via this API.",
  "reason": "Forbidden",
  "details": {
    "group": "project.openshift.io",
    "kind": "projectrequest"
  },
  "code": 403
}]
F0210 01:58:48.885144    4118 helpers.go:115] Error from server (Forbidden): You may not request a new project via this API.
```

Actual results:
The user cannot create the project with the configured name, and an "Error from server (Forbidden): You may not request a new project via this API." error occurs.

Expected results:
The user can create the project with the configured name and no error occurs.

Additional info:
You also need list permissions for projectrequests.
One thing you may have overlooked: there is no name on CREATE requests, so an RBAC role trying to give permission to create a particular name will not be honored. A second thing: permission to create a project is not the same as the permission to request a project. Granting project create will allow doing `oc create -f`, but will not allow `oc new-project` since you explicitly disabled self-provisioning.
Hi, thank you for looking into this issue. According to your explanation, I understand that I cannot request a project with the `oc new-project` command since there is no name on CREATE requests. However, I tried to create a project with the `oc create -f` command, yet still an error occurs. Would you mind giving me some more details about what permission is necessary to create a project with a particular name?

```
$ oc describe clusterrole test-cluster-role
Name:         test-cluster-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                      Non-Resource URLs  Resource Names   Verbs
  ---------                      -----------------  --------------   -----
  projects                       []                 [reserved-name]  [create]
  projects.project.openshift.io  []                 [reserved-name]  [create]

$ oc adm policy add-cluster-role-to-user test-cluster-role user1
clusterrole.rbac.authorization.k8s.io/test-cluster-role added: "user1"

$ oc login -u user1
Logged into "https://api.test.example.com:6443" as "user1" using existing credentials.

$ cat project.yaml
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  name: reserved-name

$ oc create -f project.yaml
Error from server (Forbidden): error when creating "project.yaml": projects.project.openshift.io is forbidden: User "user1" cannot create resource "projects" in API group "project.openshift.io" at the cluster scope

$ oc login -u kubeadmin
Authentication required for https://api.test.example.com:6443 (openshift)
Username: kubeadmin
Password:
Login successful.

$ oc create -f project.yaml
project.project.openshift.io/reserved-name created

$ oc project reserved-name
Now using project "reserved-name" on server "https://api.test46yhe2.lab.upshift.rdu2.redhat.com:6443".
```

Thank you
Yiyong
There is no way to grant creation powers on a particularly named object for any resource in Kubernetes. It is a restriction of the authorizer interface.
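Added example (not from this bug, OpenShift or Kubernetes code): a small Go model of how the RBAC authorizer matches a PolicyRule against request attributes, showing why the name-restricted rules in this report can never match a create, while the same rule does match a get on the listed name. `Rule`, `Attributes` and `RuleAllows` are simplified stand-ins for the real helpers, not the API's own signatures.

```go
package main

import "fmt"

// Rule is a cut-down RBAC PolicyRule with only the fields that matter here.
type Rule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

// Attributes is what the authorizer sees; a create URL carries no name, so Name is "".
type Attributes struct {
	Verb, APIGroup, Resource, Name string
}

func has(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// RuleAllows follows the shape of the Kubernetes RBAC matching helpers: verbs, groups
// and resources accept "*", but ResourceNames is exact-match against the request name.
func RuleAllows(r Rule, a Attributes) bool {
	if !(has(r.Verbs, a.Verb) || has(r.Verbs, "*")) ||
		!(has(r.APIGroups, a.APIGroup) || has(r.APIGroups, "*")) ||
		!(has(r.Resources, a.Resource) || has(r.Resources, "*")) {
		return false
	}
	if len(r.ResourceNames) == 0 {
		return true // no name restriction: any object of this resource
	}
	return has(r.ResourceNames, a.Name) // "" on create, so this is never true
}

func main() {
	// The reporter's role: create/get projects, restricted to the name "reserved-name".
	rule := Rule{APIGroups: []string{"project.openshift.io"}, Resources: []string{"projects"},
		ResourceNames: []string{"reserved-name"}, Verbs: []string{"create", "get"}}
	create := Attributes{Verb: "create", APIGroup: "project.openshift.io", Resource: "projects"}
	get := Attributes{Verb: "get", APIGroup: "project.openshift.io", Resource: "projects", Name: "reserved-name"}

	fmt.Println("create with resourceNames:", RuleAllows(rule, create)) // false
	fmt.Println("get reserved-name:", RuleAllows(rule, get))            // true
	rule.ResourceNames = nil // the only create grant that works is an unrestricted one
	fmt.Println("create without resourceNames:", RuleAllows(rule, create)) // true
}
```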