  1. Ansible Cloud Automation
  2. ACA-975

[kubernetes.core/623] Create Openshift ProjectRequest attempts to patch


      https://github.com/ansible-collections/kubernetes.core/issues/623

              SUMMARY
                We have a role to create/delete Openshift projects that has been working fine for many Ansible releases. But when attempting to upgrade to Ansible 7, it suddenly fails when attempting to create a new project. The Openshift project API is very confusing, and not idempotent, but this used to work. To create an Openshift project, a user must CREATE a ProjectRequest, which will make the cluster create a new Project (Namespace). This may only happen once, and a user is not allowed to modify (PATCH) any of the project resources.

      With Ansible 7, the attempt to create the project fails with the following error (example):

      ````
      TASK [openshift_project : Create ProjectRequest] *******************************
      fatal: [kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com]: FAILED! => changed=false
        msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details":{"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n'''
        reason: Forbidden
      ````

              ISSUE TYPE
      • Bug Report
              COMPONENT NAME
                `kubernetes.core.k8s`
              ANSIBLE VERSION
                ```paste below
                ansible [core 2.14.5]
                config file = None
                configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
                ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
                ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
                executable location = /usr/local/bin/ansible
                python version = 3.11.3 (main, May 4 2023, 05:53:32) [GCC 10.2.1 20210110] (/usr/local/bin/python)
                jinja version = 3.1.2
                libyaml = True
                ```
              COLLECTION VERSION
                ```paste below
                # /usr/local/lib/python3.11/site-packages/ansible_collections
                Collection      Version
                --------------- -------
                kubernetes.core 2.4.0
                ```
              CONFIGURATION
                ```paste below
                ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
                CONFIG_FILE() = None
                DEFAULT_HOST_LIST(env: ANSIBLE_INVENTORY) = ['/builds/kafka/provisioning/k8s/inventories/review.yml']
                DEFAULT_LOAD_CALLBACK_PLUGINS(env: ANSIBLE_LOAD_CALLBACK_PLUGINS) = True
                DEFAULT_ROLES_PATH(env: ANSIBLE_ROLES_PATH) = ['/builds/kafka/provisioning/k8s/roles']
                DEFAULT_STDOUT_CALLBACK(env: ANSIBLE_STDOUT_CALLBACK) = yaml
                HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
                INTERPRETER_PYTHON(env: ANSIBLE_PYTHON_INTERPRETER) = auto
                ```
              OS / ENVIRONMENT
                N/A
              STEPS TO REPRODUCE

      Pre-requirements: An Openshift cluster with `self-provisioner` access. The project/namespace that we attempt to create must NOT already exist.

      ```yaml
      - name: Create ProjectRequest
        kubernetes.core.k8s:
          api_version: project.openshift.io/v1
          kind: ProjectRequest
          name: "{{ kubernetes_namespace }}"
          resource_definition:
            description: "{{ kubernetes_namespace_description }}"
            displayName: "{{ kubernetes_namespace_display_name }}"
      ```

              EXPECTED RESULTS
                The project request is CREATED in the Openshift API without error.
              ACTUAL RESULTS
                The attempt to create the project request fails with error (example): `msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details":{"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n''' reason: Forbidden`. *Note*: the project is actually created by this failing task.

      ```paste below
      TASK [openshift_project : Create ProjectRequest] *******************************
      task path: /builds/kafka/provisioning/k8s/roles/openshift_project/tasks/main.yml:37
      redirecting (type: filter) ansible.builtin.json_query to community.general.json_query
      <kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> ESTABLISH LOCAL CONNECTION FOR USER: ansible
      <kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'echo ~ansible && sleep 0'
      <kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ansible/.ansible/tmp `"&& mkdir "` echo /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677 `" && echo ansible-tmp-1684583776.8747976-142-179954988027677="` echo /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677 `" ) && sleep 0'
      Loading collection cloud.common from /usr/local/lib/python3.11/site-packages/ansible_collections/cloud/common
      Using module file /usr/local/lib/python3.11/site-packages/ansible_collections/kubernetes/core/plugins/modules/k8s.py
      <kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> PUT /home/ansible/.ansible/tmp/ansible-local-96xec_0y7q/tmp9_a4lciu TO /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py
      <kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'chmod u+x /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/ /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py && sleep 0'
      <kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c '/usr/bin/python3 /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py && sleep 0'
      <kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'rm -f -r /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/ > /dev/null 2>&1 && sleep 0'
      The full traceback is:
        File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/runner.py", line 68, in run_module
          result = perform_action(svc, definition, module.params)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/runner.py", line 159, in perform_action
          instance = svc.update(resource, definition, existing)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 426, in update
          raise exception
        File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 413, in update
          k8s_obj = self.patch_resource(
                    ^^^^^^^^^^^^^^^^^^^^
        File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 165, in patch_resource
          raise CoreException(msg) from e
      fatal: [kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com]: FAILED! => changed=false
        invocation:
          module_args:
            api_key: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
            api_version: project.openshift.io/v1
            append_hash: false
            apply: false
            ca_cert: null
            client_cert: null
            client_key: null
            context: null
            continue_on_error: false
            delete_options: null
            force: false
            generate_name: null
            host: https://api.stas-test.mycompany.com
            impersonate_groups: null
            impersonate_user: null
            kind: ProjectRequest
            kubeconfig: null
            label_selectors: null
            merge_type: null
            name: kafka-rev-ansible-7-g5cfyt
            namespace: kafka-rev-ansible-7-g5cfyt
            no_proxy: null
            password: null
            persist_config: null
            proxy: null
            proxy_headers: null
            resource_definition:
              apiVersion: project.openshift.io/v1
              description: ''
              displayName: ''
              kind: ProjectRequest
              metadata:
                name: kafka-rev-ansible-7-g5cfyt
                namespace: kafka-rev-ansible-7-g5cfyt
            server_side_apply: null
            src: null
            state: present
            template: null
            username: null
            validate: null
            validate_certs: null
            wait: false
            wait_condition: null
            wait_sleep: 5
            wait_timeout: 120
        msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details":{"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n'''
        reason: Forbidden
      PLAY RECAP *********************************************************************
      kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com : ok=1 changed=0 unreachable=0 failed=1 skipped=2 rescued=0 ignored=0
      localhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
      ```
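
A triage helper for the 403 shown in this report, added here as an example and not part of the original issue or of kubernetes.core: it unwraps the `b'...'` Status body from the module's `msg`, extracts the denied verb and resource, and flags denials where a create-only resource was modified, which point to a client-side fix rather than a broader role. The names `parse_denial`, `rbac_change_needed`, `build_msg`, `PAGE_MESSAGE` and the `CREATE_ONLY` set are assumptions; the sample input is constructed from the message on this page.

```python
import ast
import json
import re

# Create-only resources, taken from this page's description of the project API.
CREATE_ONLY = {("project.openshift.io", "projectrequests")}
_BYTES_LITERAL = re.compile(r"""b(['"]).*\1""", re.DOTALL)
_DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: at the cluster scope| in the namespace "(?P<namespace>[^"]+)")'
)


def parse_denial(msg):
    """Return the RBAC denial carried in a module failure msg, or None."""
    literal = _BYTES_LITERAL.search(msg)
    if literal is None:
        return None
    try:
        # literal_eval only evaluates literals, so log text is never executed.
        status = json.loads(ast.literal_eval(literal.group(0)))
    except (ValueError, SyntaxError, TypeError):
        return None
    if not isinstance(status, dict) or status.get("code") != 403:
        return None
    match = _DENIAL.search(str(status.get("message", "")))
    return match.groupdict() if match else None


def rbac_change_needed(denial):
    """False when the client tried to modify a create-only resource."""
    modifies = denial["verb"] in {"patch", "update"}
    key = (denial["group"], denial["resource"])
    return not (modifies and key in CREATE_ONLY)


def build_msg(message, code=403):
    """Constructed sample: a Status body wrapped the way the msg on this page is."""
    status = {"kind": "Status", "apiVersion": "v1", "status": "Failure",
              "message": message, "reason": "Forbidden", "code": code}
    body = json.dumps(status, separators=(",", ":")).encode() + b"\n"
    return f"Failed to patch object: {body!r}"


PAGE_MESSAGE = (
    'projectrequests.project.openshift.io "kafka-rev-ansible-7-g5cfyt" is forbidden: '
    'User "system:serviceaccount:kafka:gitlab" cannot patch resource "projectrequests" '
    'in API group "project.openshift.io" at the cluster scope'
)
```

For the message in this report, `rbac_change_needed(parse_denial(build_msg(PAGE_MESSAGE)))` is `False`: the service account already holds the one verb the resource supports, so the denial says nothing about missing permissions.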

            Unassigned Unassigned
            jrouleau Jill Rouleau