Kubernetes and Rancher RBACs role mapping

Hi All,

I am trying to provide a reasonable level of access to our Developers that includes the ability to view all status and logs, execute shell and scale up/down their Deployments, but not to edit the Deployment itself, as we are generating templated Deployments and exposing them with Istio.

Running Rancher 2.1.8 as a Docker container

I have dug pretty deep into the Kubernetes ClusterRoles within the Rancher container and created a custom one named “developer” but it is not showing up as a Rancher Role that can be inherited.
Kubernetes View, Read-Only, Edit and Admin are showing up but not the Developer role that I have created.

How would I map this custom Kubernetes ClusterRole to a Rancher Project Role?

Second question:

I have noticed that in a Rancher Project Role you can add in specific Kubernetes ClusterRole settings such as “pods/exec” and “deployments/scale”. The “pods/exec” seems to be working correctly, however the “deployments/scale” does not seem to work.

I assigned a user to a Project with the Rancher Project Role, logged out, logged in as that user and attempted to scale down a Deployment and was denied with the error message:

" Error updating scale deployments.apps “rm-dev-nso-cfs-deployment” is forbidden: User “u-3anxqzucwx” cannot update resource “deployments” in API group “apps” in the namespace “rm-dev”"

Does the Kubernetes role deployments/scaling require update access to the deployments role also?

Many thanks,

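Added example (not part of the original post, and not Kubernetes or Rancher code): a simplified model of how Kubernetes RBAC matches a request against rule resources, applied to the request named in the error message above. The rule set is constructed to mirror the access described in the post, and the function names are hypothetical.

```python
# Simplified model of Kubernetes RBAC rule matching (added example, not
# Kubernetes or Rancher code). Subresources match as "resource/subresource".

def rule_allows(rule, verb, group, resource, subresource=""):
    """True if a single PolicyRule-style dict covers the request attributes."""
    def has(values, wanted):
        return "*" in values or wanted in values

    target = f"{resource}/{subresource}" if subresource else resource
    resource_ok = has(rule["resources"], target) or (
        bool(subresource) and f"*/{subresource}" in rule["resources"]
    )
    return has(rule["verbs"], verb) and has(rule["apiGroups"], group) and resource_ok


def allowed(rules, verb, group, resource, subresource=""):
    """RBAC is additive: the request passes if any rule covers it."""
    return any(rule_allows(r, verb, group, resource, subresource) for r in rules)


# Constructed rule set mirroring the access described in the post:
# read status and logs, exec into pods, scale Deployments, no Deployment edits.
DEVELOPER_RULES = [
    {"apiGroups": ["", "apps"],
     "resources": ["pods", "pods/log", "deployments"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": ["apps"], "resources": ["deployments/scale"],
     "verbs": ["get", "update", "patch"]},
]


def check_requests(rules):
    """Evaluate the requests relevant to the post against a rule set."""
    return {
        # Request attributes as named in the error message: update on
        # resource "deployments", API group "apps", no subresource.
        "update deployments": allowed(rules, "update", "apps", "deployments"),
        # A scale request made through the scale subresource.
        "update deployments/scale": allowed(rules, "update", "apps", "deployments", "scale"),
        "create pods/exec": allowed(rules, "create", "", "pods", "exec"),
        "get pods/log": allowed(rules, "get", "", "pods", "log"),
    }


if __name__ == "__main__":
    for request, ok in check_requests(DEVELOPER_RULES).items():
        print(f"{request:26} {'allowed' if ok else 'forbidden'}")
```

A rule on `deployments/scale` covers only requests addressed to the scale subresource, so the first check is forbidden while the second is allowed.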