Disable project self-provisioning on OpenShift 4

This guide describes how to remove permission for users to self-provision projects on OpenShift 4 clusters. It’s based on this OpenShift documentation.

Prerequisites

  • Access to the respective cluster’s tenant repository.

Procedure

To disable self-provisioning, patch the self-provisioners ClusterRoleBinding (CRB) with the following Patch resource (for example via adhoc-configurations):

kind: Patch
metadata:
  name: self-provisioning
spec:
  patches:
    self-provisioning-patch:
      patchTemplate: '[{"op": "replace", "path": "/subjects", "value": null}]'
      patchType: application/json-patch+json
      targetObjectRef:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        name: self-provisioners

Roll out this patch and verify it applies. This disables self-provisioning for general authenticated users.
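
One way to do the verification step, as an added example that is not part of the original guide: pipe the output of `oc get clusterrolebinding self-provisioners -o json` into this script, which reports any subjects still bound. It also checks the `rbac.authorization.kubernetes.io/autoupdate` annotation, which the patch above does not touch; that check rests on the OpenShift documentation's note about the annotation, and the function name and sample data are constructed for illustration.

```python
import json
import sys

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed sample: the binding as it looks before the patch is applied.
SAMPLE_UNPATCHED = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "self-provisioners",
                 "annotations": {AUTOUPDATE: "true"}},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "self-provisioner"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "Group", "name": "system:authenticated:oauth"}],
})


def audit_self_provisioners(crb_json):
    """Return a list of findings; an empty list means nothing is bound."""
    crb = json.loads(crb_json)
    meta = crb.get("metadata") or {}
    if crb.get("kind") != "ClusterRoleBinding" or meta.get("name") != "self-provisioners":
        raise ValueError("input is not the self-provisioners ClusterRoleBinding")
    findings = []
    # After the JSON patch, "subjects" may be null, empty or absent.
    for subject in crb.get("subjects") or []:
        findings.append("still bound: %s/%s" % (subject.get("kind"), subject.get("name")))
    # Assumption from the OpenShift docs: unless this annotation is "false",
    # the platform may restore the default subjects later.
    if (meta.get("annotations") or {}).get(AUTOUPDATE) != "false":
        findings.append("%s is not \"false\"; default subjects may be restored" % AUTOUPDATE)
    return findings


if __name__ == "__main__":
    # Read real `oc ... -o json` output from a pipe, else use the sample.
    raw = SAMPLE_UNPATCHED if sys.stdin.isatty() else sys.stdin.read()
    results = audit_self_provisioners(raw)
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

The script exits non-zero when it has findings, so it can gate a rollout check.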