Securing cloud_provider credentials
We deployed the latest rancher:v2.1.6 three-node HA setup and used it to successfully create a workload cluster with k8s v1.11.6 for us in OpenStack with Node Templates. Then we configured the openstack cloud_provider in that workload cluster using Stack/Edit/Edit as Yaml. Everything is working nicely.

Now I needed to make sure people can start using the cluster without getting their hands on the OpenStack service accounts I used there. Nice thing: a user with only View/Manage Nodes was able to press the “+” button and add more workers to k8s, even though the Node Template was sitting in the admin user’s profile and was not visible to the regular user.

Unfortunately, however, I was not able to secure the password for cloud_provider. As long as a user has even minimal permissions to the cluster (i.e. “Login Access” in global + nothing in cluster + “View Workloads” in a project), such a user is able to click “View in API” on the cluster, and the resulting JSON shows all the credentials.

I wonder if it’s just me or not, whether anything can be done about it, and if I should open a bug report for this one?

Thank you,
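The exposure described in the post (a low-privileged user opening “View in API” on the cluster and reading the cloud_provider password out of the returned JSON) can be checked mechanically. The script below is an added example, not code from the original post or from the Rancher project: it walks a cluster object as the v3 API returns it and reports every string field whose key looks like a credential, masked so the report itself does not leak the value. The two JSON documents embedded in it are constructed for the example; the field layout (`rancherKubernetesEngineConfig.cloudProvider.openstackCloudProvider.global.*`) follows the RKE cloud provider config, and the cluster id, URL, user name and password are made-up placeholders.

```python
import json

# Constructed sample of a Rancher v3 cluster object with the OpenStack
# cloud_provider block embedded in the RKE config. All values are fake.
SAMPLE_CLUSTER_JSON = r'''{
  "id": "c-abcde",
  "name": "openstack-workload",
  "state": "active",
  "rancherKubernetesEngineConfig": {
    "kubernetesVersion": "v1.11.6-rancher1-1",
    "cloudProvider": {
      "name": "openstack",
      "openstackCloudProvider": {
        "global": {
          "authUrl": "https://keystone.example.invalid:5000/v3",
          "username": "svc-rancher",
          "password": "hunter2-example",
          "tenantName": "k8s",
          "domainName": "Default"
        },
        "loadBalancer": {
          "subnetId": "11111111-2222-3333-4444-555555555555",
          "floatingNetworkId": "66666666-7777-8888-9999-000000000000"
        }
      }
    }
  }
}'''

# Same object as a secure API should return it to a low-privileged user:
# the key is still present but the secret value has been stripped.
REDACTED_CLUSTER_JSON = SAMPLE_CLUSTER_JSON.replace('"hunter2-example"', '""')

# Key-name fragments that indicate a credential. Matching is case-insensitive
# and substring-based so "Password", "privateKey" and "secretKey" all hit.
SENSITIVE_KEY_FRAGMENTS = ("password", "secret", "token", "privatekey", "accesskey")


def find_secret_fields(obj, path=""):
    """Recursively walk a decoded JSON value and return (json_path, value)
    pairs for every non-empty string stored under a credential-looking key."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            key_is_sensitive = any(f in key.lower() for f in SENSITIVE_KEY_FRAGMENTS)
            if key_is_sensitive and isinstance(value, str) and value != "":
                hits.append((child, value))
            hits.extend(find_secret_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_secret_fields(item, f"{path}[{i}]"))
    return hits


def mask(value):
    """Keep the first two characters and the length so a finding can be
    matched against the real secret without reproducing it in a report."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def audit_cluster_json(text):
    """Parse a cluster API response and return [(json_path, masked_value)]
    for every credential that is exposed in plaintext."""
    return [(path, mask(value)) for path, value in find_secret_fields(json.loads(text))]


def is_safe_to_share(text):
    """True when the response contains no plaintext credential values."""
    return audit_cluster_json(text) == []


if __name__ == "__main__":
    for label, doc in (("as returned", SAMPLE_CLUSTER_JSON), ("redacted", REDACTED_CLUSTER_JSON)):
        findings = audit_cluster_json(doc)
        print(f"{label}: {'no plaintext credentials' if not findings else ''}")
        for path, masked in findings:
            print(f"  EXPOSED {path} = {masked}")
```

To run this against a live setup, fetch the cluster object while authenticated as the low-privileged user (for example `GET https://<rancher>/v3/clusters/<id>` with that user's API token in the `Authorization: Bearer` header) and pass the response body to `audit_cluster_json`. Any finding means the credential is visible to everyone who holds that role on the cluster, which is exactly the situation the post reports; an empty result for the same request is what a fix should produce.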