Users assigned the Project Owner or Member role on a project are able to create namespaces on any project, in the same cluster, to which they have access
This document (000020205) is provided subject to the disclaimer at the end of this document.
Situation
Issue
A user assigned the Project Owner or Member role on one project is able to create namespaces on any project, in the same cluster, to which they have access.
For example, if a user has been granted the Project Member role on a Project named Dev in a cluster, and the Read-only role on a project named Test in that cluster, they will be able to create namespaces on both the Dev and Test projects.
Pre-requisites
- A cluster managed by Rancher v2.x
- A user granted the Project Member or Owner role on one project, and access e.g. the Read-only role, on another project
Explanation
Per the caveat explanation in the Rancher v2.x documentation:
Users assigned the Owner or Member role for a project automatically inherit the namespace creation role. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the owner or member role for a project can create namespaces in other projects they’re assigned to, even with only the Read Only role assigned.
Further Reading
Read more on Cluster and Project Roles in the Rancher v2.x. documentation.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020205
- Creation Date: 06-May-2021
- Modified Date:06-May-2021
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
