  1. OpenShift Virtualization
  2. CNV-71776

Docs about UserDefinedNetwork objects are inaccurate and won't reflect the non-admin users' use case for UDNs


    • Bug
    • Resolution: Unresolved
    • CNV Documentation
    • Quality / Stability / Reliability

      Description of problem:

      Regarding docs about user-defined networks https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/virtualization/networking#virt-connecting-vm-to-primary-udn
      the docs don't fully cover the use case of non-admin users creating a user-defined network with minimal intervention from cluster admins. The docs should emphasize where the cluster admin starts and ends in the flow (provisioning the namespace with the label).
      Please see this RFE for more info: issues.redhat.com/browse/RFE-5530

      The text under 11.3 should also say that non-admin users, such as project admins, can create UserDefinedNetwork instances in labeled namespaces they have permissions to.
      For a non-admin user the requirement is to have access to a namespace labeled with the primary UDN label.

      Regarding interactions for creating user-defined-network via web console https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/virtualization/networking#virt-creating-primary-udn-web_virt-connecting-vm-to-primary-udn
      Prerequisites say you need cluster-admin permissions.
      Following the previous step, 11.3.1.1, the labeled namespace already exists.
      A non-admin user who has permissions to the namespace* can create UserDefinedNetwork objects.
      *Permissions can be the edit & view RBACs, or the admin role for that namespace.

      Regarding interactions for creating user-defined-network via CLI
      https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/virtualization/networking#virt-creating-a-primary-udn_virt-connecting-vm-to-primary-udn
      Prerequisites say "You have created a namespace ..."; this implies the user created the namespace, which is a privileged operation.
      Instead, the prerequisite should express that the namespace with the label should exist, and that a non-admin user should have permissions for it (at least to view & edit UserDefinedNetwork CRs).

      In addition, the docs don't have a reference to the OCP networking docs about the user-defined feature.
      Having a reference to the OCP docs could make them more engaging for users who would like a better understanding of the feature in OCP.

      Actual results:

      CLI and web console instructions for creating a user-defined network say cluster-admin permissions are required for creating UserDefinedNetwork objects.

      Expected results:

      Docs to express that non-admin users can create UDNs once the namespace* is provisioned.

      Docs to have a reference to the OCP networking docs about user-defined networks.

      CLI and web console instructions for creating a user-defined network to express that non-admin users can create UserDefinedNetwork objects in namespaces* they have permissions to.
      * namespaces labeled with the primary UDN label

      Additional info:

      The flow for a non-admin user, such as a project admin, to create a user-defined network requires interaction with the cluster admin - requesting a namespace with the primary user-defined network label.
      Once the namespace is provisioned, the user can create UserDefinedNetwork objects in it, and later on create VMs and connect them to the UDNs.
      
      
      

              Unassigned
              omergi@redhat.com Or Mergi
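
The privilege split this ticket asks the docs to spell out, written as manifests. This is an added example, not text from the ticket or from the product documentation; the namespace `team-a-vms`, the user `alice`, the UDN name and the subnet are hypothetical, and the RoleBinding uses the built-in `admin` ClusterRole, one of the options the ticket mentions.

```yaml
# --- Applied once by a cluster admin ---------------------------------
# The primary-UDN label is set when the namespace is created; this is
# the only privileged step in the flow.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a-vms                      # hypothetical name
  labels:
    k8s.ovn.org/primary-user-defined-network: ""
---
# Namespace-scoped grant for the non-admin user. No cluster-wide
# permissions are handed out.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-project-admin             # hypothetical name
  namespace: team-a-vms
subjects:
- kind: User
  name: alice                           # hypothetical user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# --- Applied by the non-admin user (alice) ---------------------------
# Before handing over, the cluster admin can confirm the effective
# permission instead of assuming it:
#   oc auth can-i create userdefinednetworks.k8s.ovn.org \
#     -n team-a-vms --as alice
apiVersion: k8s.ovn.org/v1
kind: UserDefinedNetwork
metadata:
  name: udn-primary                     # hypothetical name
  namespace: team-a-vms
spec:
  topology: Layer2
  layer2:
    role: Primary
    subnets:
    - "10.100.0.0/24"                   # constructed sample subnet
    ipam:
      lifecycle: Persistent
```

Running the same `oc auth can-i` check with `-n` set to a namespace the user was not granted shows that the permission stays scoped to the provisioned namespace.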