Details
-
Feature Request
-
Resolution: Done
-
Minor
-
None
-
None
-
False
-
False
-
0
-
0%
Description
1. Proposed title of this feature request
Allow users with limited privileges to create OpenShift projects directly from GitOps Operator
2. What is the nature and description of the request?
If self-provisioner users want to create an OpenShift project, they have to do it via the command line. It is not possible to do it via GitOps Operator.
The reason of that is because the command oc new-project does not create a Project object directly. Instead, it creates a ProjectRequest. The latter is a temporary object which is deleted once the Project creation is approved and carried out.
If a ProjectRequest is tried to be synchronized via GitOps Operator; it will be marked as out of sync later because, as mentioned previously, that object is temporary.
If a cluster-admin provides create Project permissions to the user (self-provisioner role by default only includes create ProjectRequest); then the Project object will be able to be synchronized, but not the objects inside it. The reason is because users who create Projects directly bypassing ProjectRequest do not get any kind of permissions inside the project created. Therefore it is useless unless users also get create rolebindings.authorization.openshift.io permission, which would extend their privileges too much in my opinion.
There are multiple workarounds for this. The easiest that I would be aware would be to use the command line to create the project, copy the Project and rolebindings.authorization.openshift.io objects created to the Git repository and start synchronizing. However, it would be optimal to be able to create projects from GitOps Operator directly instead of following that process, which has to be repeated for every project.
Request: would it be possible that OpenShift automatically grants admin permissions in every project to the user who has created it (also having bypassed ProjectRequest)? That would allow users with create Project permissions not to depend on the command line to create their projects. Cluster admins would have to keep in mind the consequences of letting those users bypass ProjectRequests, but they would have the option to do it.
I am aware that there may be design or security reasons for not providing admin permissions to users in the projects created by them when ProjectRequest is bypassed. If that were the case, please kindly let us know whether there may be any alternative way to get what we are requesting. For example, not deleting ProjectRequests may also work, but it would keep many useless objects stored.
3. Why does the customer need this? (List the business requirements here)
Users cannot create projects from GitOps Operator. Instead, they have to do it via the command line and copy the object to the Git repository.
4. List any affected packages or components.
GitOps Operator plus the controller related to Projects and ProjectRequests.
