From 79fa5db7f43202028ac24ed36fe24090af79e8e6 Mon Sep 17 00:00:00 2001 From: Dan Ramich Date: Thu, 13 Sep 2018 16:44:24 -0700 Subject: [PATCH 1/4] Update _index.md --- .../en/admin-settings/rbac/cluster-project-roles/_index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md index e78abc06b00..87e76579ec2 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md @@ -60,6 +60,9 @@ _Project roles_ are roles that can be used to grant users access to a project. T - **Read Only:** These users can view everything in the project but cannot create, update, or delete anything. + + > **Note:** If a user is added to a project as an owner or a member they will have permission to create namespaces in all projects they are a member of, even as a Read Only member. + #### Custom Project Roles @@ -142,4 +145,4 @@ When you revoke the cluster membership for a user that's explicitly assigned mem - Access the projects they hold membership in. - Exercise any [individual project roles](#project-role-reference) they are assigned. -If you want to completely revoke a user's access within a cluster, revoke both their cluster and project memberships. \ No newline at end of file +If you want to completely revoke a user's access within a cluster, revoke both their cluster and project memberships. From 031f829fcb3ceb638407a9a711400b1a178f77e0 Mon Sep 17 00:00:00 2001 From: Mark Bishop Date: Thu, 27 Sep 2018 17:20:28 -0700 Subject: [PATCH 2/4] adding note about Kubernetes permissions quirk --- .../rbac/cluster-project-roles/_index.md | 2 +- .../projects-and-namespaces/_index.md | 7 +++++-- .../editing-projects/_index.md | 13 ++++++++----- 3 files changed, 14 insertions(+), 8 deletions(-) 
diff --git a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md index 87e76579ec2..559d38ed8c1 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md @@ -61,7 +61,7 @@ _Project roles_ are roles that can be used to grant users access to a project. T These users can view everything in the project but cannot create, update, or delete anything. - > **Note:** If a user is added to a project as an owner or a member they will have permission to create namespaces in all projects they are a member of, even as a Read Only member. + > **Note:** Because of how Kubernetes handles permissions, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. #### Custom Project Roles diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md index 8b9a98b27e2..0009d0da5ac 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md 
@@ -102,8 +102,11 @@ Rancher extends Kubernetes to allow the application of [Pod Security Policies](h 1. From the **Role** drop-down, choose a role. [What are Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) - - >**Tip:** Choose Custom to create a custom role on the fly: [Custom Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). + + > **Notes:** + > + >- Because of how Kubernetes handles permissions, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. + >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). 1. To add more members, repeat substeps a—c. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md index 80528c29e41..4e12d2d229e 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md 
@@ -35,11 +35,14 @@ Following project creation, you can add users as project members so that they ca [What are Project Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) - >**Tip:** For Custom Roles, you can modify the list of individual roles available for assignment. - > - > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles). - > - To remove roles from the list, [Lock/Unlock Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). - + > **Notes:** + > + >- Because of how Kubernetes handles permissions, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. + >- For `Custom` roles, you can modify the list of individual roles available for assignment. + > + > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles). + > - To remove roles from the list, [Lock/Unlock Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). + **Result:** The chosen users are added to the project. - To revoke project membership, select the user and click **Delete**. This action deletes membership, not the user. From 15626e45fe0ad65ab6b9605d461750c020b1d095 Mon Sep 17 00:00:00 2001 From: Mark Bishop Date: Thu, 27 Sep 2018 23:31:20 -0700 Subject: [PATCH 3/4] improved note --- .../v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md | 2 +- .../v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md | 2 +- .../projects-and-namespaces/editing-projects/_index.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md index 559d38ed8c1..f593fdb9701 100644 
--- a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md @@ -61,7 +61,7 @@ _Project roles_ are roles that can be used to grant users access to a project. T These users can view everything in the project but cannot create, update, or delete anything. - > **Note:** Because of how Kubernetes handles permissions, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. + > **Note:** Because the `namespace creation` role is a Kubernetes cluster-level permission, it cannot be controlled per project. Therefore, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. #### Custom Project Roles diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md index 0009d0da5ac..41235a7fec4 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md 
@@ -105,7 +105,7 @@ Rancher extends Kubernetes to allow the application of [Pod Security Policies](h > **Notes:** > - >- Because of how Kubernetes handles permissions, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. + >- Because the `namespace creation` role is a Kubernetes cluster-level permission, it cannot be controlled per project. Therefore, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). 1. To add more members, repeat substeps a—c. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md index 4e12d2d229e..455f24528f5 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md 
@@ -37,7 +37,7 @@ Following project creation, you can add users as project members so that they ca > **Notes:** > - >- Because of how Kubernetes handles permissions, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. + >- Because the `namespace creation` role is a Kubernetes cluster-level permission, it cannot be controlled per project. Therefore, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. >- For `Custom` roles, you can modify the list of individual roles available for assignment. > > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles). From b116d6c6f0575e8ac3fab616b384672e0fcfad8f Mon Sep 17 00:00:00 2001 From: Mark Bishop Date: Fri, 28 Sep 2018 17:56:20 -0700 Subject: [PATCH 4/4] updating note --- .../en/admin-settings/rbac/cluster-project-roles/_index.md | 4 +++- .../en/k8s-in-rancher/projects-and-namespaces/_index.md | 7 ++++--- .../projects-and-namespaces/editing-projects/_index.md | 5 +++-- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md index f593fdb9701..7bb710547c3 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md 
@@ -61,7 +61,9 @@ _Project roles_ are roles that can be used to grant users access to a project. T These users can view everything in the project but cannot create, update, or delete anything. - > **Note:** Because the `namespace creation` role is a Kubernetes cluster-level permission, it cannot be controlled per project. Therefore, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. + >**Caveat:** + > + >Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `owner` or `member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. #### Custom Project Roles diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md index 41235a7fec4..61acf95e4de 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/_index.md 
@@ -100,12 +100,13 @@ Rancher extends Kubernetes to allow the application of [Pod Security Policies](h >**Note:** You can only search for groups if external authentication is enabled. 1. From the **Role** drop-down, choose a role. - + [What are Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) - > **Notes:** + >**Notes:** + > + >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. > - >- Because the `namespace creation` role is a Kubernetes cluster-level permission, it cannot be controlled per project. Therefore, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). 1. To add more members, repeat substeps a—c. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md index 455f24528f5..20391af00e9 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/_index.md 
@@ -35,9 +35,10 @@ Following project creation, you can add users as project members so that they ca [What are Project Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) - > **Notes:** + >**Notes:** + > + >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. > - >- Because the `namespace creation` role is a Kubernetes cluster-level permission, it cannot be controlled per project. Therefore, if you add a user to a project and assign them the `Owner` or `Member` role within its scope, that user can create namespaces in _any_ project they hold membership in, even as a `Read Only` member. >- For `Custom` roles, you can modify the list of individual roles available for assignment. > > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles).
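Review bot: The note added in the `@@ -60,6 +60,9 @@` hunk of patch 1/4 (cluster-project-roles/_index.md) is ambiguous about which project the Read Only membership belongs to: "even as a Read Only member" reads as though the same user could be Owner and Read Only in one project at once. State the two projects explicitly, e.g. "a user who is an Owner or Member of one project can create namespaces in every other project they belong to, even where they hold only the Read Only role." The sentence also needs a comma after "member", and "owner"/"member" should be capitalised the same way as "Read Only", since all three are displayed role names.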
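Review bot: In the projects-and-namespaces/_index.md hunk of patch 2/4 the blockquoted bullets are written `>- Because ...` and `>- Choose ...`, while the nested items in the editing-projects hunk of the same patch use `> - To add roles ...`; use one spacing (`> - `) for every blockquoted list so the markup is consistent. The reworded note also still explains the behaviour only as "how Kubernetes handles permissions", which gives a reader nothing to verify; the actual mechanism is introduced only in patch 3/4, so either fold that wording in here or squash patches 2/4 and 3/4, which rewrite the same three lines.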
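Review bot: In the cluster-project-roles hunk of patch 3/4, `namespace creation` is set as a code literal, which tells the reader it is the exact name of a role they can look up in Rancher, yet the same sentence calls it a "role" and then a "permission". If it is a real role name, use the name exactly as the UI displays it; if it is a description of the permission, drop the backticks and say "permission" throughout. The same wording is pasted into the other two hunks of this patch, so whichever form is chosen should be applied in all three.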
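Review bot: In the cluster-project-roles hunk of patch 4/4, the third sentence uses lowercase `owner` and `member` while the first sentence and the two other files in this patch use `Owner` and `Member`; because the backticks present these as literal role names, the casing must be consistent. The label also switches to `>**Caveat:**` here while the other two files use `>**Notes:**`, which makes the three copies harder to keep in sync. The causal step "this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster" is imprecise: a ClusterRole can also be granted within a single namespace through a RoleBinding, so being a ClusterRole does not by itself make it cluster-wide. The reason the permission cannot be limited to one project is that Namespace is a cluster-scoped resource, so creating one is only meaningful cluster-wide; the "cluster-level permission" wording from patch 3/4 was closer, and the sentence should say that before linking to the ClusterRole reference.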
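Review bot: In the projects-and-namespaces/_index.md hunk of patch 4/4, the note now sits at the step where an administrator picks the role, but it states the risk without telling the administrator what to check. Add one sentence such as "Before assigning `Read Only` in a project, check whether the user already holds `Owner` or `Member` in another project in the same cluster", so the caveat is actionable at the point of decision. The hunk also rewrites an unrelated context line from four trailing spaces to one (`-    ` / `+ `); that whitespace change is fine but should be mentioned in the commit message or split out so the diff stays focused on the note.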
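Review bot: In the editing-projects/_index.md hunk of patch 4/4, the same three-sentence caveat is now duplicated verbatim in three files, and this series already shows the cost: three rewordings, each touching all three files. Since both procedure pages link to cluster-project-roles/_index.md via "What are (Project) Roles?", keep the full explanation there and reduce the two procedure-page copies to a single line that states the consequence and links to it, so the next wording fix lands in one place.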