As an OpenShift developer/user (non-admin), I want to be able to further manage my namespace beyond just creating/deleting them. Currently, I am only able to create them/delete them via a Project.

Example:

The OpenShift GitOps Operator acts on a specific label on a namespace. Here is a snippet

The functionality works, but only when an OpenShift Admin labels the namespace. In a multitenant or OpenShift Dedicated/hosted system; a user trying to label their namespace won't work. A regular user cannot label their namespace.

$ oc whoami
developer

$ oc get projects
NAME             DISPLAY NAME   STATUS
welcome-gitops                  Active
welcome-php                     Active

$ oc label project welcome-php argocd.argoproj.io/managed-by=welcome-gitops
The Project "welcome-php" is invalid: metadata.labels[argocd.argoproj.io/managed-by]: Invalid value: "welcome-gitops": field is immutable, , try updating the namespace

$ oc label ns welcome-php argocd.argoproj.io/managed-by=welcome-gitops
Error from server (Forbidden): namespaces "welcome-php" is forbidden: User "developer" cannot patch resource "namespaces" in API group "" in the namespace "welcome-php"

Users should be able to label their namespaces. Either directly or by using a project as the interface into the namespace. Functionally, it doesn't make sense that users can delete their namespace, but then not label them.

There are a few ways to handle this.

1. Give the user the ability to label their namespace as any other resource (maybe allow to add labels but not update existing ones).

$ oc label ns mynamespace -l foo=bar

2. Let users use the Project as an "interface" into the Namespace object.

$ oc label project myproject -l foo=bar

3. Allow users to specify labels to add when creating a new project.

$ oc new-project myproject -l foo=bar

I am a fan of "least privilege", so I would think #3 would be the way to go.