diff --git a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md index e78abc06b00..7bb710547c3 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md @@ -60,6 +60,11 @@ _Project roles_ are roles that can be used to grant users access to a project. T - **Read Only:** These users can view everything in the project but cannot create, update, or delete anything. + + >**Caveat:** + > + >Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `owner` or `member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. + #### Custom Project Roles @@ -142,4 +147,4 @@ When you revoke the cluster membership for a user that's explicitly assigned mem - Access the projects they hold membership in. - Exercise any [individual project roles](#project-role-reference) they are assigned. -If you want to completely revoke a user's access within a cluster, revoke both their cluster and project memberships. \ No newline at end of file +If you want to completely revoke a user's access within a cluster, revoke both their cluster and project memberships. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md index 8b9a98b27e2..61acf95e4de 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md 
@@ -100,10 +100,14 @@ Rancher extends Kubernetes to allow the application of [Pod Security Policies](h >**Note:** You can only search for groups if external authentication is enabled. 1. From the **Role** drop-down, choose a role. - + [What are Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) - - >**Tip:** Choose Custom to create a custom role on the fly: [Custom Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). + + >**Notes:** + > + >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. + > + >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). 1. To add more members, repeat substeps a—c. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md index 80528c29e41..20391af00e9 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md 
@@ -35,11 +35,15 @@ Following project creation, you can add users as project members so that they ca [What are Project Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) - >**Tip:** For Custom Roles, you can modify the list of individual roles available for assignment. - > - > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles). - > - To remove roles from the list, [Lock/Unlock Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). - + >**Notes:** + > + >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. + > + >- For `Custom` roles, you can modify the list of individual roles available for assignment. + > + > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles). + > - To remove roles from the list, [Lock/Unlock Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). + **Result:** The chosen users are added to the project. - To revoke project membership, select the user and click **Delete**. This action deletes membership, not the user.
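Review bot: In the caveat added to cluster-project-roles/_index.md (hunk at -60,6), the last sentence writes the roles as `owner` and `member`, while the first sentence and the copies in the other two files use `Owner` and `Member`. Use the capitalized form throughout so it matches the role names in the list above it. The same paragraph is also ambiguous about reach: it says the ClusterRole's scope "extends to all projects in the cluster" and then limits the effect to "other projects they're assigned to". State which applies in one sentence, since this is the line an administrator will use to judge how far a project-level `Owner` or `Member` grant actually extends.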
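Review bot: In projects-and-namespaces/_index.md (hunk at -100,10), the new `>**Notes:**` block lists the namespace-creation caveat, which is a privilege-scoping warning, alongside the `Custom` role convenience tip, so the warning loses the prominence it has as `>**Caveat:**` on the roles page. Consider keeping the tip as its own `>**Tip:**` and giving the caveat a separate callout. The paragraph is also pasted verbatim from cluster-project-roles/_index.md; a one-sentence summary linking to the caveat on that page would stop the three copies from drifting apart the next time the wording is corrected.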
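Review bot: In editing-projects/_index.md (hunk at -35,11), the two sub-bullets "To add roles to the list" and "To remove roles from the list" now sit one level deeper, under the new "For `Custom` roles" item inside the blockquote. Please confirm in a rendered preview that they still nest under that item and do not render as siblings of the caveat bullet, because indentation after `>` is easy to get wrong. As in the other two files, the caveat here is a third verbatim copy; linking to the single caveat in cluster-project-roles/_index.md would keep this step shorter and the warning consistent.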