Disable project self-provisioning on OpenShift 4

This guide describes how to remove permission for users to self-provision projects on OpenShift 4 clusters.
This how-to applies configuration that’s suitable for the Espejote ManagedResource deployed by component-openshift4-authentication.

Prerequisites

  • Access to the respective cluster’s tenant repository.

Procedure

  1. Check out the target cluster’s tenant repository

  2. Update the openshift4-authentication configuration to remove system:authenticated:oauth from selfProvisionerGroups:

    parameters:
      openshift4_authentication:
        selfProvisionerGroups:
          - ~system:authenticated:oauth (1)
    1 By prefixing the group name with ~, the component removes it from the final rendered list of selfProvisionerGroups.
    You can add this configuration in the tenant repo’s openshift4.yml (or similar) if you want to disable project self-provisioning for all clusters of a tenant.
  3. Commit and push the change to apply it on the clusters

  4. Once the rollout is complete, you can verify that the change has been applied by checking who can create projectrequests.

    export KUBECONFIG=/path/to/target-cluster.kubeconfig
    oc adm policy who-can create projectrequests | grep system:authenticated:oauth (1)
    1 This command should produce no output if the change was applied correctly.
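
A stricter form of the check in step 4, as an added example that isn't part of component-openshift4-authentication: it matches the group name exactly within the Groups: section of the who-can output and returns a non-zero exit code while the group can still create projectrequests, so it can gate a pipeline. The function names, the sample outputs and the group system:authenticated:oauth-admins are constructed for illustration, and the output layout is an assumption.

```shell
#!/bin/sh
# Added example: exact-match check over `oc adm policy who-can` output.
# Sample outputs are constructed; the layout (a "Groups:" header followed by
# indented continuation lines) is assumed from typical who-can output.
SAMPLE_BEFORE='Namespace: default
Verb:      create
Resource:  projectrequests.project.openshift.io

Users:  system:admin
Groups: system:authenticated:oauth
        system:cluster-admins
        system:masters'

# Constructed look-alike group: a plain substring grep would match it and
# report a false failure even though the oauth group itself is gone.
SAMPLE_AFTER='Namespace: default
Verb:      create
Resource:  projectrequests.project.openshift.io

Users:  system:admin
Groups: system:authenticated:oauth-admins
        system:cluster-admins
        system:masters'

# Reads who-can output on stdin; returns 0 if group $1 is listed, 1 if not.
group_can_self_provision() {
  awk -v want="$1" '
    /^[^ \t]/ && !/^Groups:/ { in_groups = 0 }   # any other section header
    /^Groups:/ { in_groups = 1; sub(/^Groups:/, "") }
    in_groups { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Returns 0 only when the group can no longer create projectrequests.
verify_self_provisioning_disabled() {
  if group_can_self_provision "$1"; then
    echo "FAIL: $1 can still create projectrequests" >&2
    return 1
  fi
  echo "OK: $1 cannot create projectrequests"
}

# Against a live cluster (not run here):
#   oc adm policy who-can create projectrequests \
#     | verify_self_provisioning_disabled system:authenticated:oauth
```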