What I have:
- default install of Openshift 4.6
- 3 master/worker nodes in the cluster
- already configured OAuth
- self-provisioner role from the system-auth group already been removed
Detail Question/Objective: Assigning a self-provisioner role to a user allows the user to create a project and any resources inside the project, what I want to achieve is, a user who can create a project, but does not have any further rights/permission inside the project. Is this even possible?
Documentation of Openshift 4.6 tells, that any user creates a project, the user(requester) will become the admin of that project, this is because Openshift API will use a default template whenever it creates a project.
I'm confused about where do I do the changes to reflect my objective, is it the template or use any different RBAC role.
Thank You in Advance.
What you need is to customize the Project Template. Look here https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#modifying-template-for-new-projects_configuring-project-creation
First you need to backup a project project-template from openshift-config, to be honest I don't know how to do it. If anyone find a way please drop the comment under the answer. - Look at first answer bellow from @Stevencommy
To create a new Project Template
In
template.ymlconfigurethe default user for newly created project is configured in
Then create the template
Update
there
<template_name>default isproject-requestyou could also list withoc get templates -n openshift-config | grep project-requestIf everything goes well you could test it with
oc new-project <your-project>. Theuserfor project should be<YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>