Description of problem:
Our installation docs[0] say "Under Installed Namespace, ensure the namespace is openshift-nmstate." However, if you try to install to that namespace you get: 'project.project.openshift.io "openshift-nmstate" is forbidden: cannot request a project starting with "openshift-"'. This seems to be a recent change, probably in 4.10.

0: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/networking/kubernetes-nmstate#installing-the-kubernetes-nmstate-operator_k8s-nmstate-operator

Version-Release number of selected component (if applicable):
4.10

How reproducible:
Always

Steps to Reproduce:
1. Attempt to install operator through the Marketplace using openshift-nmstate as the namespace.

Actual results:
project.project.openshift.io "openshift-nmstate" is forbidden: cannot request a project starting with "openshift-"

Expected results:
Successful installation.
After some investigation, it looks like this is currently broken in 4.9 and up. I was still able to install to openshift-nmstate in 4.8. It is possible to work around the problem by creating the namespace as admin: "oc adm new-project openshift-nmstate". However, it seems like this behavior was intentional. I found reference to this at least as far back as the 4.4 docs[0]: "Projects starting with openshift- and kube- are considered critical by OpenShift Container Platform. As such, OpenShift Container Platform does not allow you to create Projects starting with openshift- using the web console." Maybe this didn't previously apply if you were logged in as kubeadmin? Needs more investigation. 0: https://docs.openshift.com/container-platform/4.4/applications/projects/working-with-projects.html
Okay, I see a few options on how to fix this: 1) See if we can get the console behavior reverted back to 4.8 and earlier. Given the doc I linked earlier I'm not sure how much luck we'll have with that, but it's something we could try. 2) Change the docs to say you need to create the namespace via the cli with oc adm. This is _probably_ acceptable since only admins should be installing this operator anyway. 3) Change the namespace used for the operator to something other than openshift- (although note that kubernetes- is also disallowed, so something like kubernetes-nmstate-operator would not work either). I'll solicit opinions from the other stakeholders in the operator to see what they prefer.
I'm trying to reproduce ASAP, but I fear that this is also going to affect OpenShift Virtualization, which is required to be installed in the openshift-cnv namespace.
I tried reproducing it with OpenShift Virtualization on: 1. OCP 4.9.0-0.nightly-2021-10-27-202207 2. OCP 4.10.0-0.nightly-2021-10-27-230233 and in both cases it worked correctly for me.
I think you can easily bypass this by adding an operatorframework.io/suggested-namespace: openshift-nmstate annotation on the openshift-nmstate CSV.
Hmm, we've had that for about a month now: https://github.com/openshift/kubernetes-nmstate/commit/070993900d420ace8fc870feffb52d7fb3d2890c I suppose it's possible that my previous testing happened with an older build though. I'll try again today and make sure the build I get is new enough to have that change.
This was fixed by https://github.com/openshift/kubernetes-nmstate/pull/215. It isn't showing up in our current builds because we aren't building for 4.10 yet, and the patch wasn't backported to 4.9 yet.
As discussed with Ben, there are no 4.10 builds to deploy and the behavior will actually be tested in the 4.9 backport. Also, CNV is already using this fix successfully.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056