Users assigned the Project Owner or Member role on a project are able to create namespaces on any project, in the same cluster, to which they have access


Issue

A user assigned the Project Owner or Member role on one project is able to create namespaces on any project, in the same cluster, to which they have access.

For example, if a user has been granted the Project Member role on a Project named Dev in a cluster, and the Read-only role on a project named Test in that cluster, they will be able to create namespaces on both the Dev and Test projects.

Pre-requisites

  • A cluster managed by Rancher v2.x
  • A user granted the Project Member or Owner role on one project, and access (e.g. the Read-only role) on another project

Explanation

Per the caveat explanation in the Rancher v2.x documentation:

Users assigned the Owner or Member role for a project automatically inherit the namespace creation role. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the owner or member role for a project can create namespaces in other projects they’re assigned to, even with only the Read Only role assigned.
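An added example, not part of the original article or of Rancher's own code: a small audit over exported project role assignments that lists the projects where this caveat gives a user namespace creation despite a lesser role. The (user, cluster, project, role) tuple format, the function name and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Roles that, per the documentation quoted above, carry the namespace creation role.
NS_CREATOR_ROLES = {"Project Owner", "Project Member"}


def unexpected_namespace_creators(bindings):
    """Return sorted (user, cluster, project, role) tuples where the user can
    create namespaces in a project despite holding a lesser role there.

    bindings: iterable of (user, cluster, project, role) tuples (assumed format).
    """
    # Group each user's project roles by cluster: the ClusterRole's scope is
    # one cluster, so roles held in other clusters are irrelevant.
    by_user_cluster = defaultdict(lambda: defaultdict(set))
    for user, cluster, project, role in bindings:
        by_user_cluster[(user, cluster)][project].add(role)

    findings = []
    for (user, cluster), projects in by_user_cluster.items():
        # Does the user hold Owner or Member on any project in this cluster?
        if not any(roles & NS_CREATOR_ROLES for roles in projects.values()):
            continue
        for project, roles in projects.items():
            if roles & NS_CREATOR_ROLES:
                continue  # namespace creation is expected here
            for role in sorted(roles):
                findings.append((user, cluster, project, role))
    return sorted(findings)


# Constructed sample data mirroring the Dev/Test example in the article.
SAMPLE_BINDINGS = [
    ("alice", "cluster-1", "Dev", "Project Member"),
    ("alice", "cluster-1", "Test", "Read-only"),
    ("bob", "cluster-1", "Test", "Read-only"),    # no Member/Owner anywhere
    ("carol", "cluster-1", "Dev", "Project Owner"),
    ("carol", "cluster-2", "Test", "Read-only"),  # different cluster
]

if __name__ == "__main__":
    for user, cluster, project, role in unexpected_namespace_creators(SAMPLE_BINDINGS):
        print(f"{user}: can create namespaces in {cluster}/{project} (role there: {role})")
```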

Further Reading

Read more on Cluster and Project Roles in the Rancher v2.x documentation.
