Why is the project self-provisioning prevention rolled back automatically in OpenShift?
Issue
- User is able to create a
project
after removing theself-provisioner
ClusterRole
. - Even if project self-provisioning is prohibited, the settings are automatically rolled back and the users on OpenShift can create their projects by themselves.
-
When removing the
self-provisioner
ClusterRole
from cluster'sgroups
, this warning message appears:Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwritecluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- 3.11
- 4
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.