Why is the project self-provisioning prevention rolled back automatically in OpenShift?

Solution Verified - Updated -

Issue

  • User is able to create a project after removing the self-provisioner ClusterRole.
  • Even if project self-provisioning is prohibited, the settings are automatically rolled back and the users on OpenShift can create their projects by themselves.
  • When removing the self-provisioner ClusterRole from cluster's groups, this warning message appears:

    Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwritecluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 3.11
    • 4

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content