Group permissions on cluster level with active directory

Rancher 2.x
1

Hi All!

I’m trying to allow users inside a group to use kubectl and I’m getting the error below:

> kubectl get pods -n namespace
Error from server (InternalError): an error on the server ("{\"Code\":{\"Code\":\"ServerError\",\"Status\":500},\"Message\":\"Forbidden 403: clusters.management.cattle.io \\\"c-6nfmd\\\" is forbidden: User \\\"user-k5446\\\" cannot get clusters.management.cattle.io at the cluster scope\",\"Cause\":null,\"FieldName\":\"\"}") has prevented the request from succeeding

But when I specify a user it works.

This is the roles I have:

image
image1411×878 43.6 KB

image
image1407×861 32.2 KB

And…

image
image1416×541 24.5 KB

The active directory group contains 5 users, but it don’t look at the members of the group, it uses the second role (NG-PROJECT-MANAGER-CLUSTER).

The same group works perfectly when I need to allow access just to a specific project using the firts role.

Thanks.

2

What version of Rancher are you running?

3

Hi,

I’m using 2.0.2.

I’ve tried 2.0.3 and 2.0.4 but i’ve received too many 502, 503 and 504 errors and I decided to rollback to 2.0.2.

Thanks.

4

Ok, this is a known issue in 2.0.2 and was fixed in 2.0.3. See: Release Release v2.0.3 · rancher/rancher · GitHub

Fixed an issue where giving permissions using AD groups were not providing correct permissions to users for kubectl [#13778]

(note that the issue applied to all auth providers not just AD as the title indicated)

I realize that puts you between a rock and a hard place. I suggest opening another forum post or better yet github issue to get help resolving the 50Xs.

1 Like