@@ -618,7 +618,7 @@ func (c *MasterConfig) ensureOpenShiftSharedResourcesNamespace() {

 		namespace = &kapi.Namespace{

 			ObjectMeta: kapi.ObjectMeta{Name: c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace},

 			Spec: kapi.NamespaceSpec{

-				Finalizers: []kapi.FinalizerName{projectapi.FinalizerProject},

+				Finalizers: []kapi.FinalizerName{projectapi.FinalizerOrigin},

 			},

 		}

 		kapi.FillObjectMetaSystemFields(api.NewContext(), &namespace.ObjectMeta)

@@ -19,6 +19,8 @@ package admission

 import (

 	"fmt"

 	"io"

+	"math/rand"

+	"time"

 	"github.com/golang/glog"

@@ -30,17 +32,19 @@ import (

 	"github.com/openshift/origin/pkg/api/latest"

 	"github.com/openshift/origin/pkg/project/cache"

+	projectutil "github.com/openshift/origin/pkg/project/util"

 )

 // TODO: modify the upstream plug-in so this can be collapsed

 // need ability to specify a RESTMapper on upstream version

 func init() {

 	admission.RegisterPlugin("OriginNamespaceLifecycle", func(client client.Interface, config io.Reader) (admission.Interface, error) {

-		return NewLifecycle()

+		return NewLifecycle(client)

 	})

 }

 type lifecycle struct {

+	client client.Interface

 }

 // Admit enforces that a namespace must exist in order to associate content with it.

@@ -56,7 +60,7 @@ func (e *lifecycle) Admit(a admission.Attributes) (err error) {

 	}

 	mapping, err := latest.RESTMapper.RESTMapping(kind, defaultVersion)

 	if err != nil {

-		return err

+		return admission.NewForbidden(a, err)

 	}

 	if mapping.Scope.Name() != meta.RESTScopeNameNamespace {

 		return nil

@@ -75,28 +79,54 @@ func (e *lifecycle) Admit(a admission.Attributes) (err error) {

 	projects, err := cache.GetProjectCache()

 	if err != nil {

-		return err

+		return admission.NewForbidden(a, err)

 	}

+

 	namespace, err := projects.GetNamespaceObject(a.GetNamespace())

 	if err != nil {

-		return apierrors.NewForbidden(kind, name, err)

+		return admission.NewForbidden(a, err)

 	}

 	if a.GetOperation() != "CREATE" {

 		return nil

 	}

-	if namespace.Status.Phase != kapi.NamespaceTerminating {

-		return nil

+	if namespace.Status.Phase == kapi.NamespaceTerminating {

+		return apierrors.NewForbidden(kind, name, fmt.Errorf("Namespace %s is terminating", a.GetNamespace()))

 	}

-	return apierrors.NewForbidden(kind, name, fmt.Errorf("namespace %s is terminating", a.GetNamespace()))

+	// in case of concurrency issues, we will retry this logic

+	numRetries := 10

+	interval := time.Duration(rand.Int63n(90)+int64(10)) * time.Millisecond

+	for retry := 1; retry <= numRetries; retry++ {

+

+		// associate this namespace with openshift

+		_, err = projectutil.Associate(e.client, namespace)

+		if err == nil {

+			break

+		}

+

+		// we have exhausted all reasonable efforts to retry so give up now

+		if retry == numRetries {

+			return admission.NewForbidden(a, err)

+		}

+

+		// get the latest namespace for the next pass in case of resource version updates

+		time.Sleep(interval)

+

+		// it's possible the namespace actually was deleted, so just forbid if this occurs

+		namespace, err = e.client.Namespaces().Get(a.GetNamespace())

+		if err != nil {

+			return admission.NewForbidden(a, err)

+		}

+	}

+	return nil

 }

 func (e *lifecycle) Handles(operation admission.Operation) bool {

 	return true

 }

-func NewLifecycle() (admission.Interface, error) {

-	return &lifecycle{}, nil

+func NewLifecycle(client client.Interface) (admission.Interface, error) {

+	return &lifecycle{client: client}, nil

 }

@@ -33,7 +33,7 @@ func TestAdmissionExists(t *testing.T) {

 		Err: fmt.Errorf("DOES NOT EXIST"),

 	}

 	projectcache.FakeProjectCache(mockClient, cache.NewStore(cache.MetaNamespaceKeyFunc), "")

-	handler := &lifecycle{}

+	handler := &lifecycle{client: mockClient}

 	build := &buildapi.Build{

 		ObjectMeta: kapi.ObjectMeta{Name: "buildid"},

 		Parameters: buildapi.BuildParameters{

@@ -75,7 +75,7 @@ func TestAdmissionLifecycle(t *testing.T) {

 	store.Add(namespaceObj)

 	mockClient := &testclient.Fake{}

 	projectcache.FakeProjectCache(mockClient, store, "")

-	handler := &lifecycle{}

+	handler := &lifecycle{client: mockClient}

 	build := &buildapi.Build{

 		ObjectMeta: kapi.ObjectMeta{Name: "buildid", Namespace: "other"},

 		Parameters: buildapi.BuildParameters{

@@ -13,7 +13,7 @@ type ProjectList struct {

 // These are internal finalizer values to Origin

 const (

-	FinalizerProject kapi.FinalizerName = "openshift.com/project"

+	FinalizerOrigin kapi.FinalizerName = "openshift.io/origin"

 )

 // ProjectSpec describes the attributes on a Project

@@ -13,7 +13,7 @@ type ProjectList struct {

 // These are internal finalizer values to Origin

 const (

-	FinalizerProject kapi.FinalizerName = "openshift.com/project"

+	FinalizerOrigin kapi.FinalizerName = "openshift.io/origin"

 )

 // ProjectSpec describes the attributes on a Project

@@ -13,7 +13,7 @@ type ProjectList struct {

 // These are internal finalizer values to Origin

 const (

-	FinalizerProject kapi.FinalizerName = "openshift.com/project"

+	FinalizerOrigin kapi.FinalizerName = "openshift.io/origin"

 )

 // ProjectSpec describes the attributes on a Project

@@ -13,7 +13,7 @@ type ProjectList struct {

 // These are internal finalizer values to Origin

 const (

-	FinalizerProject kapi.FinalizerName = "openshift.com/project"

+	FinalizerOrigin kapi.FinalizerName = "openshift.io/origin"

 )

 // ProjectSpec describes the attributes on a Project

@@ -5,9 +5,9 @@ import (

 	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/fields"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+

 	osclient "github.com/openshift/origin/pkg/client"

-	"github.com/openshift/origin/pkg/project/api"

+	projectutil "github.com/openshift/origin/pkg/project/util"

 )

 // NamespaceController is responsible for participating in Kubernetes Namespace termination

@@ -33,7 +33,7 @@ func (c *NamespaceController) Handle(namespace *kapi.Namespace) (err error) {

 	}

 	// if we already processed this namespace, ignore it

-	if finalized(namespace) {

+	if projectutil.Finalized(namespace) {

 		return nil

 	}

@@ -44,7 +44,7 @@ func (c *NamespaceController) Handle(namespace *kapi.Namespace) (err error) {

 	}

 	// we have removed content, so mark it finalized by us

-	err = finalize(c.KubeClient, namespace)

+	_, err = projectutil.Finalize(c.KubeClient, namespace)

 	if err != nil {

 		return err

 	}

@@ -52,35 +52,6 @@ func (c *NamespaceController) Handle(namespace *kapi.Namespace) (err error) {

 	return nil

 }

-// finalized returns true if the spec.finalizers does not contain the project finalizer

-func finalized(namespace *kapi.Namespace) bool {

-	for i := range namespace.Spec.Finalizers {

-		if api.FinalizerProject == namespace.Spec.Finalizers[i] {

-			return false

-		}

-	}

-	return true

-}

-

-// finalize will finalize the namespace for kubernetes

-func finalize(kubeClient kclient.Interface, namespace *kapi.Namespace) error {

-	namespaceFinalize := kapi.Namespace{}

-	namespaceFinalize.ObjectMeta = namespace.ObjectMeta

-	namespaceFinalize.Spec = namespace.Spec

-	finalizerSet := util.NewStringSet()

-	for i := range namespace.Spec.Finalizers {

-		if namespace.Spec.Finalizers[i] != api.FinalizerProject {

-			finalizerSet.Insert(string(namespace.Spec.Finalizers[i]))

-		}

-	}

-	namespaceFinalize.Spec.Finalizers = make([]kapi.FinalizerName, 0, len(finalizerSet))

-	for _, value := range finalizerSet.List() {

-		namespaceFinalize.Spec.Finalizers = append(namespaceFinalize.Spec.Finalizers, kapi.FinalizerName(value))

-	}

-	_, err := kubeClient.Namespaces().Finalize(&namespaceFinalize)

-	return err

-}

-

 // deleteAllContent will purge all content in openshift in the specified namespace

 func deleteAllContent(client osclient.Interface, namespace string) (err error) {

 	err = deleteBuildConfigs(client, namespace)

@@ -25,7 +25,7 @@ func TestSyncNamespaceThatIsTerminating(t *testing.T) {

 			DeletionTimestamp: &now,

 		},

 		Spec: kapi.NamespaceSpec{

-			Finalizers: []kapi.FinalizerName{kapi.FinalizerKubernetes, api.FinalizerProject},

+			Finalizers: []kapi.FinalizerName{kapi.FinalizerKubernetes, api.FinalizerOrigin},

 		},

 		Status: kapi.NamespaceStatus{

 			Phase: kapi.NamespaceTerminating,

@@ -75,7 +75,7 @@ func TestSyncNamespaceThatIsActive(t *testing.T) {

 			ResourceVersion: "1",

 		},

 		Spec: kapi.NamespaceSpec{

-			Finalizers: []kapi.FinalizerName{kapi.FinalizerKubernetes, api.FinalizerProject},

+			Finalizers: []kapi.FinalizerName{kapi.FinalizerKubernetes, api.FinalizerOrigin},

 		},

 		Status: kapi.NamespaceStatus{

 			Phase: kapi.NamespaceActive,

@@ -29,16 +29,16 @@ func (projectStrategy) PrepareForCreate(obj runtime.Object) {

 	project := obj.(*api.Project)

 	hasProjectFinalizer := false

 	for i := range project.Spec.Finalizers {

-		if project.Spec.Finalizers[i] == api.FinalizerProject {

+		if project.Spec.Finalizers[i] == api.FinalizerOrigin {

 			hasProjectFinalizer = true

 			break

 		}

 	}

 	if !hasProjectFinalizer {

 		if len(project.Spec.Finalizers) == 0 {

-			project.Spec.Finalizers = []kapi.FinalizerName{api.FinalizerProject}

+			project.Spec.Finalizers = []kapi.FinalizerName{api.FinalizerOrigin}

 		} else {

-			project.Spec.Finalizers = append(project.Spec.Finalizers, api.FinalizerProject)

+			project.Spec.Finalizers = append(project.Spec.Finalizers, api.FinalizerOrigin)

 		}

 	}

 }

@@ -36,7 +36,7 @@ func TestProjectStrategy(t *testing.T) {

 		ObjectMeta: kapi.ObjectMeta{Name: "foo", ResourceVersion: "10"},

 	}

 	Strategy.PrepareForCreate(project)

-	if len(project.Spec.Finalizers) != 1 || project.Spec.Finalizers[0] != api.FinalizerProject {

+	if len(project.Spec.Finalizers) != 1 || project.Spec.Finalizers[0] != api.FinalizerOrigin {

 		t.Errorf("Prepare For Create should have added project finalizer")

 	}

 	errs := Strategy.Validate(ctx, project)

@@ -48,7 +48,7 @@ func TestProjectStrategy(t *testing.T) {

 	}

 	// ensure we copy spec.finalizers from old to new

 	Strategy.PrepareForUpdate(invalidProject, project)

-	if len(invalidProject.Spec.Finalizers) != 1 || invalidProject.Spec.Finalizers[0] != api.FinalizerProject {

+	if len(invalidProject.Spec.Finalizers) != 1 || invalidProject.Spec.Finalizers[0] != api.FinalizerOrigin {

 		t.Errorf("PrepareForUpdate should have preserved old.spec.finalizers")

 	}

 	errs = Strategy.ValidateUpdate(ctx, invalidProject, project)

new file mode 100644

@@ -0,0 +1,69 @@

+package util

+

+import (

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+

+	"github.com/openshift/origin/pkg/project/api"

+)

+

+// Associated returns true if the spec.finalizers contains the origin finalizer

+func Associated(namespace *kapi.Namespace) bool {

+	for i := range namespace.Spec.Finalizers {

+		if api.FinalizerOrigin == namespace.Spec.Finalizers[i] {

+			return true

+		}

+	}

+	return false

+}

+

+// Associate adds the origin finalizer to spec.finalizers if its not there already

+func Associate(kubeClient kclient.Interface, namespace *kapi.Namespace) (*kapi.Namespace, error) {

+	if Associated(namespace) {

+		return namespace, nil

+	}

+	return finalizeInternal(kubeClient, namespace, true)

+}

+

+// Finalized returns true if the spec.finalizers does not contain the origin finalizer

+func Finalized(namespace *kapi.Namespace) bool {

+	for i := range namespace.Spec.Finalizers {

+		if api.FinalizerOrigin == namespace.Spec.Finalizers[i] {

+			return false

+		}

+	}

+	return true

+}

+

+// Finalize will remove the origin finalizer from the namespace

+func Finalize(kubeClient kclient.Interface, namespace *kapi.Namespace) (*kapi.Namespace, error) {

+	if Finalized(namespace) {

+		return namespace, nil

+	}

+	return finalizeInternal(kubeClient, namespace, false)

+}

+

+// finalizeInternal will update the namespace finalizer list to either have or not have origin finalizer

+func finalizeInternal(kubeClient kclient.Interface, namespace *kapi.Namespace, withOrigin bool) (*kapi.Namespace, error) {

+	namespaceFinalize := kapi.Namespace{}

+	namespaceFinalize.ObjectMeta = namespace.ObjectMeta

+	namespaceFinalize.Spec = namespace.Spec

+

+	finalizerSet := util.NewStringSet()

+	for i := range namespace.Spec.Finalizers {

+		finalizerSet.Insert(string(namespace.Spec.Finalizers[i]))

+	}

+

+	if withOrigin {

+		finalizerSet.Insert(string(api.FinalizerOrigin))

+	} else {

+		finalizerSet.Delete(string(api.FinalizerOrigin))

+	}

+

+	namespaceFinalize.Spec.Finalizers = make([]kapi.FinalizerName, 0, len(finalizerSet))

+	for _, value := range finalizerSet.List() {

+		namespaceFinalize.Spec.Finalizers = append(namespaceFinalize.Spec.Finalizers, kapi.FinalizerName(value))

+	}

+	return kubeClient.Namespaces().Finalize(&namespaceFinalize)

+}