Ok, you are saying to use the ‘cluster-admin’ role instead of the cluster ‘admin’ role for robot to satisfy all use cases. Yes, we want to have robot set up resource quotas, limits and other work along with project creation.
From: David Eads <deads redhat com>
Date: Friday, August 5, 2016 at 4:45 AM
To: skotaru <skotaru cisco com>
Cc: Tobias Florek <openshift ibotty net>, "users lists openshift redhat com" <users lists openshift redhat com>
Subject: Re: cluster-roles
You have to have `oc policy add-cluster-role-to-user admin robot` in order for the robot to later do `oc policy add-role-to-user admin srinivas -n project01`. Otherwise, the REST request will be rejected as escalating.
Granting `oc policy add-cluster-role-to-user admin robot` (grants powers for project scoped resources in all projects) is very different from `oc policy add-cluster-role-to-user cluster-admin robot` (grants powers for all resources including nodes, users, groups, etc).
A second role is required to grant robot the power to create resourcequotas and limitranges because a normal "admin" can't mutate those resources.
On Thu, Aug 4, 2016 at 9:07 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:
Hmm this is what I understood from both David and you.
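The escalation check described in David Eads's reply, modelled in a few lines as an added example that is not part of the original thread and is not OpenShift's code. The rule sets, the `quota-manager` role name and the `Authorizer` class are constructed for illustration and are much smaller than the real roles.

```python
# Simplified model of an RBAC escalation check (added example, not OpenShift code).
# Rule sets are constructed and far smaller than the real roles.
ROLES = {
    "admin": {("create", "rolebindings"), ("create", "pods"), ("get", "resourcequotas")},
    # Hypothetical second role that may mutate quotas and limits.
    "quota-manager": {("create", "resourcequotas"), ("create", "limitranges")},
    "cluster-admin": {("*", "*")},
}


class Authorizer:
    def __init__(self):
        self.cluster_bindings = {}  # user -> roles held in every project
        self.project_bindings = {}  # (project, user) -> roles held in one project

    def add_cluster_role_to_user(self, role, user):
        """Cluster-scoped grant, performed by a cluster administrator."""
        self.cluster_bindings.setdefault(user, set()).add(role)

    def permissions(self, user, project):
        roles = self.cluster_bindings.get(user, set()) | self.project_bindings.get((project, user), set())
        return set().union(*(ROLES[r] for r in roles))

    def add_role_to_user(self, requester, role, user, project):
        """Bind role to user in project; refuse if requester would hand out
        permissions it does not itself hold there (escalation)."""
        held = self.permissions(requester, project)
        if ("*", "*") not in held:
            if ("create", "rolebindings") not in held or not ROLES[role] <= held:
                return False  # rejected as escalating
        self.project_bindings.setdefault((project, user), set()).add(role)
        return True


def demo():
    """Replay the thread's scenario with the constructed rule sets."""
    authz, out = Authorizer(), []
    out.append(authz.add_role_to_user("robot", "admin", "srinivas", "project01"))  # no grant yet
    authz.add_cluster_role_to_user("admin", "robot")
    out.append(authz.add_role_to_user("robot", "admin", "srinivas", "project01"))
    out.append(authz.add_role_to_user("robot", "quota-manager", "srinivas", "project01"))
    authz.add_cluster_role_to_user("quota-manager", "robot")
    out.append(authz.add_role_to_user("robot", "quota-manager", "srinivas", "project01"))
    return out


if __name__ == "__main__":
    print(demo())
```

In this model, robot holding only `admin` can delegate `admin` but not the quota role, which is why the thread calls for a second role rather than `cluster-admin`.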