I’m using Rancher 2.1.8 and creating a Rancher Project with Kubernetes Namespaces. These Projects are managed by an individual called a Tech Lead.
The Tech Lead has the effective permissions of Member + User Modification.
I have created a custom set of permissions for Projects called “Tech Lead” which reflects the above permissions.
There is a privilege escalation issue where the Tech Lead can add a new user to the Project, and can add the new user at any level, including privileges above their own level (Owner, etc.).
How can we prevent this Privilege Escalation?