I don't think I'd have my robot use the `projectrequests` endpoint. Instead, I'd grant my robot the power to

1. Create projects
2. Update namespaces
3. Create resourcequotas, limitranges
4. Bind robot to "admin"

Binding the robot to "admin" seems a little bit odd, but the rules for binding roles to subjects require that the binder (robot in your case) have at least all the permissions of the roles it's binding. This prevents a binder from escalating privileges by granting more power to the bindee.

On Thu, Aug 4, 2016 at 2:04 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:

> Hi
>
> We want to disable default project creation by authenticated users and let
> it delegate to a user. All users should go to a central provision system
> and ask for project, project quota, and provided admin/edit/viewers
> members. Once project was created, quotas were set up and add appropriate
> admin/edit and viewers, authenticated user can create apps themselves.
> Essentially we want to control initial project, quota, project members
>
> We don't want to give cluster-admin and admin to this generic user being
> used by orchestration system and limit its capabilities by using OSE 3.x
> roles features.
>
> This is my understanding:
>
> oadm policy remove-cluster-role-from-group self-provisioner system:authenticated
>
> oadm policy add-cluster-role-to-user self-provisioner <robot user>
>
> Questions;
>
> What other roles needed by robot user to setup quotas on projects, add users
> to admin/edit and viewers to projects ??
>
> oc describe clusterPolicyBindings :default command listing existing roles
> starting system-* but not sure which roles really required to perform above
> jobs.
>
> Can you help here?
>
> --
> *Srinivas Kotaru*
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
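The binding rule described in the reply above (a binder must already hold every permission of the role it binds), modeled as an added example that is not part of the original thread and is not OpenShift's own code. The rule format and the contents of `VIEW`, `EDIT`, `ADMIN` and `ROBOT_PROVISIONING` are constructed for illustration and are not the real role definitions.

```python
# Simplified model of the role-binding escalation check.
# All role contents below are constructed samples, not real OpenShift roles.
from itertools import product


def expand(rules):
    """Flatten rules into a set of (verb, resource) pairs."""
    return {pair for r in rules for pair in product(r["verbs"], r["resources"])}


def covers(held, verb, resource):
    """True if a held pair grants verb on resource; '*' acts as a wildcard."""
    return any(v in ("*", verb) and r in ("*", resource) for v, r in held)


def missing_for_bind(binder_rules, role_rules):
    """Permissions in the role that the binder does not itself hold."""
    held = expand(binder_rules)
    return sorted(p for p in expand(role_rules) if not covers(held, *p))


def can_bind(binder_rules, role_rules):
    """A bind is allowed only if it grants nothing the binder lacks."""
    return not missing_for_bind(binder_rules, role_rules)


# Constructed stand-ins for the view/edit/admin roles.
VIEW = [{"verbs": ["get", "list", "watch"], "resources": ["pods", "services"]}]
EDIT = VIEW + [{"verbs": ["create", "update", "delete"],
                "resources": ["pods", "services"]}]
ADMIN = EDIT + [{"verbs": ["create", "update", "delete"],
                 "resources": ["rolebindings"]}]

# Items 1-3 of the reply's list, as constructed rules.
ROBOT_PROVISIONING = [
    {"verbs": ["create"],
     "resources": ["projects", "resourcequotas", "limitranges"]},
    {"verbs": ["update"], "resources": ["namespaces"]},
]

if __name__ == "__main__":
    # Without item 4, the robot cannot hand out "admin".
    print("provisioning only:", can_bind(ROBOT_PROVISIONING, ADMIN))
    # With item 4 (robot bound to "admin"), it can bind admin/edit/view.
    robot = ROBOT_PROVISIONING + ADMIN
    for name, role in (("admin", ADMIN), ("edit", EDIT), ("view", VIEW)):
        print(name, can_bind(robot, role))
    # A robot holding only "edit" is refused; the gap is listed.
    print(missing_for_bind(ROBOT_PROVISIONING + EDIT, ADMIN))
```
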
