I’m using Rancher 2.1.8 and creating a Rancher Project with Kubernetes Namespaces. These Projects are managed by an individual called a Tech Lead.
The Tech Lead has the effective permissions of Member + User Modification.
I have created a custom set of permissions for Projects called “Tech Lead” which reflects the above permissions.
There is a privilege escalation issue, where the Tech Lead can add a new user to the Project, and can add the new user at any level, including privileges above their own level (Owner, etc.).
Currently, the only thing you could do would be to disable the Project Owner role. This would mean that that role could no longer be assigned by anyone to anyone.
That’s worked a charm (hiding the other permissions) – thank you so much for your help there!
I have another couple of questions:
How can I disable the “Execute CLI” functionality for a particular role?
– (We have Developers and Testers. Testers are not supposed to modify their Containers as it invalidates tests)
How can I allow a Developer to scale/restart their Container but not modify the settings/parameters?
– (We are using Templated Deployments and using ISTIO Ingress Gateway which will break if modified)
Exec is the create verb for the pods/exec resource. Roles are strictly additive, so you’d have to make a role that doesn’t have that and assign it to developers.
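To make the "additive roles" point concrete, here is an added example (not from this thread) of two namespace-scoped Kubernetes Roles written in the same PolicyRule format Rancher custom project roles are built from: one tester role with no `create` on `pods/exec`, and one developer role that permits scaling and pod restarts without granting `update`/`patch` on the Deployment itself. The namespace `team-a` is a placeholder.

```yaml
# Added example: plain Kubernetes RBAC, namespace "team-a" is a placeholder.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tester-no-exec
  namespace: team-a
rules:
  # Read-only view of workloads, pods and logs. There is no rule granting
  # "create" on pods/exec, so "Execute CLI" in the Rancher UI and
  # `kubectl exec` are both denied for anyone bound only to this Role.
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "deployments", "replicasets", "services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-scale-only
  namespace: team-a
rules:
  # Developers can read the Deployment but get no update/patch on the
  # object itself, so the pod template (image, env, Istio-related settings
  # in a templated deployment) cannot be changed through this Role.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # Scaling uses the /scale subresource, which RBAC treats as a separate
  # resource. Granting update/patch here changes replica count only.
  - apiGroups: ["apps"]
    resources: ["deployments/scale"]
    verbs: ["get", "update", "patch"]
  # "Restart" is done by deleting pods and letting the ReplicaSet recreate
  # them. `kubectl rollout restart` needs patch on deployments, which would
  # also allow full edits, so it is deliberately not granted.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "delete"]
```

After binding a role, check the effective permission with `kubectl auth can-i create pods/exec -n team-a --as=<tester-user>`, which should answer `no` for the tester role.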