Tags: openshift, openshift-enterprise

Openshift 4 RBAC


What I have:

  1. default install of Openshift 4.6
  2. 3 master/worker nodes in the cluster
  3. already configured OAuth
  4. self-provisioner role from the system-auth group already been removed

Detailed question/objective: Assigning the self-provisioner role to a user allows the user to create a project and any resources inside the project. What I want to achieve is a user who can create a project but does not have any further rights/permissions inside the project. Is this even possible?

The documentation of OpenShift 4.6 says that when any user creates a project, the user (requester) becomes the admin of that project; this is because the OpenShift API uses a default template whenever it creates a project.

I'm confused about where I should make the changes to reflect my objective: is it the template, or should I use a different RBAC role?

Thank you in advance.


Solution

  • What you need is to customize the project template. Look here: https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#modifying-template-for-new-projects_configuring-project-creation

    First you need to back up the project template from openshift-config; to be honest, I don't know how to do it. If anyone finds a way, please drop a comment under the answer. - Look at the first answer below from @Stevencommy

    To create a new project template:

    oc adm create-bootstrap-project-template -o yaml > template.yaml
    

    In template.yaml, configure

    kind: Project
    ...
        name: ${PROJECT_NAME}
    

    The default user for a newly created project is configured in

    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
    

    Then create the template:

    oc create -f template.yaml -n openshift-config
    

    Then update

    oc edit project.config.openshift.io/cluster
    

    and set there:

    spec:
      projectRequestTemplate:
        name: <template_name> 
    

    The default <template_name> is project-request; you could also list the templates with oc get templates -n openshift-config | grep project-request

    If everything goes well, you can test it with oc new-project <your-project>. The user for the project should be <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>.
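The steps of the answer above, scripted end to end, as an added example that is not part of the original answer or of OpenShift's own tooling. It takes the bootstrap project-request template, rewrites the admin RoleBinding subject from `${PROJECT_ADMIN_USER}` (the requester) to a fixed user, installs the template in openshift-config and selects it in the cluster project config. Assumptions: the fixed user is called `project-owner` (hypothetical; any existing user works), the embedded template is a constructed, trimmed copy of what `oc adm create-bootstrap-project-template -o yaml` emits so the rewrite can be checked offline, and `oc patch` stands in for the interactive `oc edit` step from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): script the project-request
# template change so the requester no longer becomes admin of a new project.
# Assumes a hypothetical user "project-owner" and, for apply_to_cluster,
# an oc session logged in as cluster-admin.
set -eu

TEMPLATE_NAME="project-request"
FIXED_ADMIN_USER="${FIXED_ADMIN_USER:-project-owner}"   # hypothetical user

# Constructed copy of the bootstrap template, trimmed to the fields that
# matter here, so the rewrite can be exercised without a cluster.
SAMPLE_TEMPLATE=$(cat <<'EOF'
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: project-request
objects:
- apiVersion: project.openshift.io/v1
  kind: Project
  metadata:
    annotations:
      openshift.io/requester: ${PROJECT_REQUESTING_USER}
    name: ${PROJECT_NAME}
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: admin
    namespace: ${PROJECT_NAME}
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: admin
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ${PROJECT_ADMIN_USER}
parameters:
- name: PROJECT_NAME
- name: PROJECT_ADMIN_USER
- name: PROJECT_REQUESTING_USER
EOF
)

# Read a template on stdin and replace the RoleBinding subject
# ${PROJECT_ADMIN_USER} (the requester) with a fixed user name ($1).
# The parameter stays declared under parameters:, which is harmless unused.
rewrite_admin_subject() {
  sed -e 's/name: \${PROJECT_ADMIN_USER}/name: '"$1"'/'
}

# Number of subject lines still bound to the requester (0 after the rewrite).
count_requester_subjects() {
  grep -cF 'name: ${PROJECT_ADMIN_USER}' || true
}

# The cluster-side steps from the answer; oc patch replaces the oc edit step.
apply_to_cluster() {
  oc adm create-bootstrap-project-template -o yaml \
    | rewrite_admin_subject "$FIXED_ADMIN_USER" > template.yaml
  oc create -f template.yaml -n openshift-config
  oc patch project.config.openshift.io/cluster --type merge \
    -p "{\"spec\":{\"projectRequestTemplate\":{\"name\":\"$TEMPLATE_NAME\"}}}"
  # Confirm the selection took effect before testing with oc new-project.
  oc get project.config.openshift.io/cluster \
    -o jsonpath='{.spec.projectRequestTemplate.name}'
}

# Offline dry run against the constructed template.
printf '%s\n' "$SAMPLE_TEMPLATE" | rewrite_admin_subject "$FIXED_ADMIN_USER"

# Run with --apply on a cluster where you are logged in as cluster-admin.
if [ "${1:-}" = "--apply" ]; then
  apply_to_cluster
fi
```

Without `--apply` the script only prints the rewritten template, so you can diff it against the `oc adm create-bootstrap-project-template` output before touching the cluster. After applying, a self-provisioner running `oc new-project` still gets the project created (and still appears in the `openshift.io/requester` annotation), but the admin RoleBinding now points at the fixed user, so the requester holds no role inside the new project.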