Custom read-only role

Hey everyone,
we’re using Rancher 2.5.9 and we need one or a few read-only (get/list/watch) roles for a few people, who are supposed to be able to read/see everything but secrets.

Most promising was a combination of * for Resource and API Groups at a global level and the cluster view roles combined (View All Projects, Cluster Catalogs, Members, Nodes) for each cluster, except local. Now everything looked fine except local, where no matter what we did, as long as we used the mentioned global role, the users could see local secrets.
On the other hand, having only a global role with the 70+ suggested/global resources did nothing at all. Permissions were basically the same as the user-base role, seeing nothing at all.

We’re out of ideas, is there actually even a reasonable possibility to set the roles for something like this?

Hi Knakna,
It sounds like the Custom Role is what you need.
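
Added example, not part of the thread or of Rancher's own code: Kubernetes RBAC rules are additive and have no deny form, so a `*` resource rule always covers secrets, and a read-only role without secrets has to enumerate its resources. The sketch below builds such rules from a constructed resource list (in practice taken from `kubectl api-resources`) and checks both rule sets with a simplified matcher that ignores subresources and resourceNames; the role name and helper names are hypothetical.

```python
# Added example: read-only RBAC rules that leave out secrets.
READ_VERBS = ["get", "list", "watch"]
EXCLUDED = {("", "secrets")}  # the core API group is the empty string

# Constructed sample; a real list would come from `kubectl api-resources`.
SAMPLE_RESOURCES = [
    ("", "pods"), ("", "configmaps"), ("", "secrets"), ("", "nodes"),
    ("apps", "deployments"), ("apps", "daemonsets"),
    ("management.cattle.io", "projects"),
]

def build_rules(resources, excluded=EXCLUDED):
    """Group resources by API group, dropping the excluded ones."""
    by_group = {}
    for group, name in resources:
        if (group, name) in excluded:
            continue
        by_group.setdefault(group, set()).add(name)
    return [
        {"apiGroups": [g], "resources": sorted(names), "verbs": list(READ_VERBS)}
        for g, names in sorted(by_group.items())
    ]

def allows(rules, group, resource, verb):
    """Simplified RBAC check: access is granted if any single rule matches."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return any(
        match(r["apiGroups"], group) and match(r["resources"], resource)
        and match(r["verbs"], verb)
        for r in rules
    )

def cluster_role(name, rules):
    """Wrap rules in a ClusterRole manifest (name is a hypothetical placeholder)."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}

WILDCARD_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": list(READ_VERBS)}]
ENUMERATED_RULES = build_rules(SAMPLE_RESOURCES)

if __name__ == "__main__":
    import json
    print(json.dumps(cluster_role("read-only-no-secrets", ENUMERATED_RULES), indent=2))
    print("wildcard reads secrets:  ", allows(WILDCARD_RULES, "", "secrets", "get"))
    print("enumerated reads secrets:", allows(ENUMERATED_RULES, "", "secrets", "get"))
```

Because permissions from all bound roles are summed, the enumerated role only keeps secrets hidden if no other role bound to the same user grants them.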