Rancher Permissions in Projects

#1

Hi All,

I’m using Rancher 2.1.8 and creating a Rancher Project with Kubernetes Namespaces. These Projects are managed by an individual called a Tech Lead.

The Tech Lead has the effective permissions of Member + User Modification.

I have created a custom set of permissions for Projects called “Tech Lead” which reflects the above permissions.

There is a privilege escalation issue, where the Tech Lead can add a new user to the Project, and can add the new user at any level including Privileges above their own level (Owner etc.).

How can we prevent this Privilege Escalation?

#2

Currently, the only thing you could do would be to disable the Project Owner role. This would mean that that role could no longer be assigned by anyone to anyone.

#3

Thanks very much for that, I’ll give it a shot!

#4

That’s worked a charm (hiding the other permissions) – thank you so much for your help there!

I have another couple of questions:

  • How can I disable the “Execute CLI” functionality for a particular role?
    – (We have Developers and Testers. Testers are not supposed to modify their Containers as it invalidates tests)
  • How can I allow a Developer to scale/restart their Container but not modify the settings/parameters?
    – (We are using Templated Deployments and using ISTIO Ingress Gateway which will break if modified)

#5

Was there any update on this?

It would be great to have a toggle for the “Execute CLI” feature somehow

#6

Exec is the create verb for the pods/exec resource. Roles are strictly additive, so you’d have to make a role that doesn’t have that and assign it to developers.
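
The reply above describes two facts of Kubernetes RBAC: `kubectl exec` is a `create` on the `pods/exec` subresource, and bound roles are unioned with no way to subtract a permission. The following is an added illustration, not code from the thread or from Rancher: a small model of that evaluation with constructed roles and bindings (the role names `developer`, `tester`, `scaler` and the users `alice`, `bob`, `carol` are invented). It also shows, as a generalization of the second question in post #4, that `deployments/scale` is its own resource, so a role can allow changing replicas without allowing `update` or `patch` on the deployment spec itself.

```python
"""
Added example (not from the Rancher thread or Rancher's code): a minimal model of
Kubernetes RBAC evaluation showing why "exec" cannot be switched off per role and
has to be left out of the role instead. All names below are made up.
"""

# Rule shape mirrors the `rules:` list of a Kubernetes Role/ClusterRole.
# Subresources such as pods/exec and deployments/scale are distinct resources in
# RBAC, so a rule on "pods" does not grant "pods/exec" and a rule on
# "deployments" does not grant "deployments/scale".
ROLES = {
    # Roughly a project member: can see pods and logs, open a shell (create on
    # pods/exec), and edit deployments.
    "developer": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
    ],
    # Same idea minus the pods/exec rule: the only way to take exec away is to
    # bind a role that never had it.
    "tester": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
    # Scale but not edit: write access only to the scale subresource.
    "scaler": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments/scale"], "verbs": ["get", "update", "patch"]},
    ],
}

# Constructed bindings for one namespace: user -> roles bound to that user.
BINDINGS = {
    "alice": ["developer"],
    "bob": ["tester"],
    "carol": ["tester", "scaler"],
}


def rule_allows(rule, api_group, resource, verb):
    """One RBAC rule matches if group, resource and verb are each listed (or '*')."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def can_i(user, verb, resource, api_group=""):
    """True if any rule of any bound role allows the request.

    This is the additive model from the reply: there are no deny rules, so
    binding an extra role can only ever add permissions.
    """
    for role_name in BINDINGS.get(user, []):
        for rule in ROLES[role_name]:
            if rule_allows(rule, api_group, resource, verb):
                return True
    return False


def roles_granting(verb, resource, api_group=""):
    """Roles that hand out a permission: the ones to edit or stop binding."""
    return sorted(name for name, rules in ROLES.items()
                  if any(rule_allows(r, api_group, resource, verb) for r in rules))


if __name__ == "__main__":
    for user in BINDINGS:
        print(user,
              "exec:", can_i(user, "create", "pods/exec"),
              "scale:", can_i(user, "update", "deployments/scale", "apps"),
              "edit:", can_i(user, "update", "deployments", "apps"))
    print("roles granting exec:", roles_granting("create", "pods/exec"))
```

Against a live cluster the same questions are answered by `kubectl auth can-i create pods/exec --as=<user> -n <namespace>` and `kubectl auth can-i update deployments/scale --as=<user> -n <namespace>`. Two caveats from my side, not from the thread: real rules can also carry `resourceNames`, which this model ignores, and `kubectl rollout restart` works by patching the deployment's pod template, so "restart but not edit" cannot be separated the way "scale but not edit" can.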

#7

Hi Vincent, thanks so much for that.

I’ll start work on another permission group for the Testers so they do not have that specific permission

Is this all available through the Rancher Project permission system, or is this a Kubernetes role?