Authorisation on namespaced resource

I play around with rancher dashboard, but really lost with user and permissions setting.
I read somewhere that in rancher, users permissions are set for cluster or project. However if I wanna set user permissions on particular resource in a namespace, is that possible in rancher? As I can see that k8s RBAC can do this by defining role and rolebinding. But I could not find anywhere to bind a user to k8s roles, if this possible, did I miss somehting?

You can use the normal Kubernetes RBAC in Rancher to the best of my knowledge, so you should be able to do the same kubectl commands to make it work in a Rancher downstream (or local I guess).

So life is back to plain but stable kubectl. No fancy UI for this. Anyone have a nice walkthrough for this? for example, how to find out service account (if there is one) of the user?

@BedamatiMohanty Lost even further :sweat_smile:

I don’t have any walkthroughs, haven’t started mucking with it much myself. If you drive down through the cluster explorer there is an RBAC section that I think you can do all this through the UI, but I’m not sure if it’ll save you much time or effort since it’s kinda’ buried so may be more “here’s a GUI form for the CLI thing” rather than offering much help, though once again, I haven’t looked.

description: user1
displayName: user1
enabled: true
kind: User
  annotations: user-hrfkn "true"
  generateName: u-
  generation: 3
  labels: norman
  name: u-vg5kr
  resourceVersion: "2014100"
  uid: bf2d3be4-11b5-4912-a577-f85a55bea492
password: $2a$10$pGNE8/0IQ.KGpcf6DpOnAuDMuHXTKAzd2JbPD6J88h14ro3lBXoWq
- local://u-vg5kr
spec: {}
username: user1

The problem is that clusterrolebinding/rolebinding bind SA to role. Rancher user account is not a SA, who It can be converted into an SA and use in rolebindings?

Oh, user can also used as sa, right?

Unsure as I haven’t really done anything with this. There do end up being more Rancher folks looking at questions on Slack than here, so you might try asking there if you don’t get anything on your debugging or someone popping in here.