Securing cloud_provider credentials

Hello.

We deployed the latest rancher:v2.1.6 three node HA setup and used that one to successfully create a workload cluster with k8s v1.11.6 for us in OpenStack with Node Templates. Then we configured the openstack cloud_provider in that workload cluster using Stack/Edit/Edit as Yaml. Everything is working nicely.

Now I needed to make sure people can start using the cluster without getting their hands on the OpenStack service accounts I used there. Nice thing, a user with only View/Manage Nodes was able to press the “+” button and add more workers to k8s whereas the Node Template was sitting in the admin user’s profile and was not visible by the regular user.

Unfortunately however I was not able to secure the password for cloud_provider. As long as a user has even minimal permissions to the cluster (i.e. “Login Access” in global + nothing in cluster + “View Workloads” in a project), such user is able to click “View in API” on the cluster and the resulting json shows all the credentials.

I wonder if it’s just me or not, and whether anything can be done about it and if I should open a bug report for this one?

Thank you,
Anthony

I tested that the same happens with Rancher v2.2.1 and opened this issue https://github.com/rancher/rancher/issues/19653

For now, the workaround is creating clusters with RKE and importing them to Rancher and avoid using the ones created by Node driver or as Custom cluster.

Thank you Team Rancher for a quick resolution to this issue. The code has now been merged to master so I believe we would see this password hidden from us in release 2.2.3