Prevent new project creation with openshift/kubernetes/kube prefixes

[liggitt]

Reserves the following namespaces: openshift, kube, kubernetes
Reserves the following prefixes: openshift-, kube-, kubernetes-

[liggitt]

[test]

[liggitt]

@deads2k @enj we need to actually prevent requesting new projects with these prefixes before doing the check on an upgrade helps us

[openshift-bot]

Evaluated for origin test up to d654a6d

[enj]

1. Add some tests
2. The ansible check does not reserve kubernetes[-*]
3. @sdodson I think we should revert Add pre-upgrade check for reserved namespaces openshift-ansible#3535 from the ansible 3.5 branch. That is, run the SDN check for 3.4 -> 3.5. Run all checks for 3.5 -> 3.6.

[enj]

cc @jupierce since you hit this.

[sdodson]

@sdodson I think we should revert openshift/openshift-ansible#3535 from the ansible 3.5 branch. That is, run the SDN check for 3.4 -> 3.5. Run all checks for 3.5 -> 3.6.

Why do you say that? It's going to painful either today or tomorrow neither is easier to deal with.

[enj]

Why do you say that? It's going to painful either today or tomorrow neither is easier to deal with.

@sdodson Because we enforce the SDN stuff via the API in 3.5 and thus it makes sense to check when upgrading to 3.5. This PR will go into 3.6, thus it does not make sense to check for something that is not being enforced (because users could still make more reserved namespaces in 3.5 meaning you will still have problems when upgrading to 3.6).

Any upgrade check from version A -> B should imply that in version B the API enforces the requirement from then on (and that it did not enforce it in version A).

[liggitt]

I anticipate picking this to 3.5.1. The upgrade check will run against 3.5.1 as well, right?

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/633/) (Base Commit: 42c3bfa)

[sdodson]

I anticipate picking this to 3.5.1. The upgrade check will run against 3.5.1 as well, right?

Not if we revert the check. I say we leave it in if you're going to introduce this in 3.5.1.

+1 to making the two checks separate module calls, perhaps by passing in a list of checks to run?

[enj]

Yeah based on Jordan's intent to backport it I say we leave it as-is.

Opened openshift/openshift-ansible#3883 to track updates for the check.

[enj]

[testextended][extended:cmd]

[liggitt]

wrong extended test suite (though the fact that the core suite fails for unrelated reasons is separately concerning)

[openshift-bot]

Evaluated for origin testextended up to d654a6d

[openshift-bot]

continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/152/) (Base Commit: b3cacc5) (Extended Tests: cmd)

[liggitt]

[merge]

[enj]

Flake #13739

[openshift-bot]

Evaluated for origin merge up to d654a6d

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/331/) (Base Commit: 6cd9bbc) (Image: devenv-rhel7_6141)