I am facing a wierd issue in my project.I was asked to download a template and then perform the neccessary edits on it and then create the template under a project with developer's access.
To perform the above activity I followed the below steps with developer's access:
1>Downloaded the template using wget to local
2>Did the necessary modifications in the template
3>Created the project with command oc new-project dummy1 and made sure I am in the project by firing command oc project
4>Fired the command oc create -f template_name.yaml
At command 4 I got the error saying "Developer doesn't have access to create template in openshift project"
I am not sure why it's attempting to create the template in openshift when I am trying to create in under specified project.I didn't used the option " -n openshift" but still it's trying to create in openshift nameshift.
As a workaround I logged in with admin access and then although the template is created but it was created in openshift namespace and not under the specified project.
When I gave oc get template -n openshift | grep template_name,I am able to see the template .
So I just wanted to get the technical guidance if any additional access developer should have to create template under specified project.
Your prompt response will be highly appreciated from my end.
I had no trouble creating templates inside a project that I had only the editor role (or was it the admin role?). Anyway you should not require the cluster-admin role. Maybe your templates includes, inside its metadata, the "namespace: openshift" attribute? That would force that template to be on the 'openshift' project, no matter what's your current project. If so, removing that attribute would solve your issues.
Your error message "Developer doesn't have access to create template in openshift project" suggests that it is the case that your template contains the metadata.namespace attribute.
Thanks for your prompt response !!
Actually "namespace: openshift" is the default behaviour for all the templates created for our project.
I just crosschecked the lab enviroment for D0288 and found that developer has access for imagepuller and imagebuilder in openshift namespace and over there although the namespace is openshift still developer is able to create template under project.
So do you think in project also admin should give access like below to developer so that the later can create the template inside the specified project
oc adm policy add-role-to-user system:imagebuilder developer -n openshift
oc adm policy add-role-to-user system:imagepuller developer -n openshift
Also I would like to know that incase i need to remove the namespace: openshift attribute from the template in that case do we need to do that only for metadata section or anywhere else?
If your template includes "namespace: openshift" you are forcing it to go to the openshift project. This is a project that hosts cluster-side templates and imagestreams, and most of its contents are managed by the samples operator. Removing this and it is created on whatever is the current project for the user who creates the template.
Resources embeded into a template should not have any namespace atribute, if you find them it is probably a bug on the template itself.
A cluster administrator can add resources to the openshift project, but we don't recommend granting this privilege to developers because they would affect everyone. If I change the templates and image streams for PHP applications, for example, I am affecting all projects.
If you need local customizations for a team, it is better doing them on the project that team uses, so they don't affect anyone else. If you have customizations that you wanna share with multiple teams, you can create a project to host those shared resources and allow multiple teams to access that project.