From b1228e8330f9212e95c9b7aeb9bf1ab002b16e40 Mon Sep 17 00:00:00 2001 From: Jen Travinski Date: Wed, 8 Dec 2021 18:47:01 -0500 Subject: [PATCH] Added notes about project-member ability to delete ns (#3709) * Added note on project member scope * Added note about ability to delete as well as create NS * Added note on project member scope in 2.6 also * Added note about ability to delete as well as create NS in 2.6 * Updated roles and notes in 2.5, 2.6 per feedback * Removing note from page, keeping chart updates per feedback * Added note about deletion ability in 3 pages for 2.5 * Removing note from page, keeping chart updates per feedback in 2.6 * Removed asterisks as they had pertained to a note that was removed in 2.5, 2.6 * Added note about deletion ability in 3 pages for 2.6, updated spacing and note position in 2.5 * Added note about deletion ability in 3 pages for v2.0-v2.4 --- .../en/admin-settings/rbac/cluster-project-roles/_index.md | 4 ++++ .../en/cluster-admin/projects-and-namespaces/_index.md | 3 +++ .../v2.0-v2.4/en/project-admin/project-members/_index.md | 2 ++ .../en/admin-settings/rbac/cluster-project-roles/_index.md | 5 ++++- .../v2.5/en/cluster-admin/projects-and-namespaces/_index.md | 3 +++ content/rancher/v2.5/en/monitoring-alerting/rbac/_index.md | 4 ++-- .../rancher/v2.5/en/project-admin/project-members/_index.md | 2 ++ .../en/admin-settings/rbac/cluster-project-roles/_index.md | 5 ++++- .../v2.6/en/cluster-admin/projects-and-namespaces/_index.md | 3 +++ content/rancher/v2.6/en/monitoring-alerting/rbac/_index.md | 4 ++-- .../rancher/v2.6/en/project-admin/project-members/_index.md | 4 +++- 11 files changed, 32 insertions(+), 7 deletions(-) diff --git a/content/rancher/v2.0-v2.4/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.0-v2.4/en/admin-settings/rbac/cluster-project-roles/_index.md index 6185daa0bee..6e155df7033 100644 --- a/content/rancher/v2.0-v2.4/en/admin-settings/rbac/cluster-project-roles/_index.md 
+++ b/content/rancher/v2.0-v2.4/en/admin-settings/rbac/cluster-project-roles/_index.md @@ -84,6 +84,10 @@ _Project roles_ are roles that can be used to grant users access to a project. T These users can manage project-scoped resources like namespaces and workloads, but cannot manage other project members. + >**Note:** + > + >By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. + - **Read Only:** These users can view everything in the project but cannot create, update, or delete anything. diff --git a/content/rancher/v2.0-v2.4/en/cluster-admin/projects-and-namespaces/_index.md b/content/rancher/v2.0-v2.4/en/cluster-admin/projects-and-namespaces/_index.md index 9774a89c470..545de58bf84 100644 --- a/content/rancher/v2.0-v2.4/en/cluster-admin/projects-and-namespaces/_index.md +++ b/content/rancher/v2.0-v2.4/en/cluster-admin/projects-and-namespaces/_index.md 
@@ -162,6 +162,9 @@ By default, your user is added as the project `Owner`. >**Notes on Permissions:** > >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. +> +>- By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. +> >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{}}/rancher/v2.0-v2.4/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). To add members: diff --git a/content/rancher/v2.0-v2.4/en/project-admin/project-members/_index.md b/content/rancher/v2.0-v2.4/en/project-admin/project-members/_index.md index 47f4c7eddfe..a0a4a0922d7 100644 --- a/content/rancher/v2.0-v2.4/en/project-admin/project-members/_index.md +++ b/content/rancher/v2.0-v2.4/en/project-admin/project-members/_index.md 
@@ -42,6 +42,8 @@ Following project creation, you can add users as project members so that they ca > >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. > + >- By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. + > >- For `Custom` roles, you can modify the list of individual roles available for assignment. > > - To add roles to the list, [Add a Custom Role]({{}}/rancher/v2.0-v2.4/en/admin-settings/rbac/default-custom-roles). diff --git a/content/rancher/v2.5/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.5/en/admin-settings/rbac/cluster-project-roles/_index.md index 6c82e42e726..4996f82ab54 100644 --- a/content/rancher/v2.5/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.5/en/admin-settings/rbac/cluster-project-roles/_index.md 
@@ -86,6 +86,10 @@ _Project roles_ are roles that can be used to grant users access to a project. T These users can manage project-scoped resources like namespaces and workloads, but cannot manage other project members. + >**Note:** + > + >By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. + - **Read Only:** These users can view everything in the project but cannot create, update, or delete anything. @@ -94,7 +98,6 @@ _Project roles_ are roles that can be used to grant users access to a project. T > >Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `owner` or `member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. - #### Custom Project Roles Rancher lets you assign _custom project roles_ to a standard user instead of the typical `Owner`, `Member`, or `Read Only` roles. These roles can be either a built-in custom project role or one defined by a Rancher administrator. They are convenient for defining narrow or specialized access for a standard user within a project. See the table below for a list of built-in custom project roles. diff --git a/content/rancher/v2.5/en/cluster-admin/projects-and-namespaces/_index.md b/content/rancher/v2.5/en/cluster-admin/projects-and-namespaces/_index.md index 86c6574c224..493331bc93c 100644 --- a/content/rancher/v2.5/en/cluster-admin/projects-and-namespaces/_index.md 
+++ b/content/rancher/v2.5/en/cluster-admin/projects-and-namespaces/_index.md @@ -156,6 +156,9 @@ By default, your user is added as the project `Owner`. >**Notes on Permissions:** > >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. +> +>- By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. +> >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{}}/rancher/v2.5/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). To add members: diff --git a/content/rancher/v2.5/en/monitoring-alerting/rbac/_index.md b/content/rancher/v2.5/en/monitoring-alerting/rbac/_index.md index 4bc0e009c2a..3260cf8cf95 100644 --- a/content/rancher/v2.5/en/monitoring-alerting/rbac/_index.md +++ b/content/rancher/v2.5/en/monitoring-alerting/rbac/_index.md 
@@ -128,8 +128,8 @@ The relationship between the default roles deployed by Rancher Cluster Manager ( | --------- | --------- | --------- | --------- | | cluster-owner | cluster-admin | N/A | ClusterRoleBinding | | cluster-member | admin | monitoring-admin | ClusterRoleBinding | -| project-owner | edit | monitoring-admin | RoleBinding within Project namespace | -| project-member | view | monitoring-edit | RoleBinding within Project namespace | +| project-owner | admin | monitoring-admin | RoleBinding within Project namespace | +| project-member | edit | monitoring-edit | RoleBinding within Project namespace | In addition to these default Roles, the following additional Rancher project roles can be applied to members of your Cluster to provide additional access to Monitoring. These Rancher Roles will be tied to ClusterRoles deployed by the Monitoring chart: diff --git a/content/rancher/v2.5/en/project-admin/project-members/_index.md b/content/rancher/v2.5/en/project-admin/project-members/_index.md index a8476db8ec8..45a149e90ea 100644 --- a/content/rancher/v2.5/en/project-admin/project-members/_index.md +++ b/content/rancher/v2.5/en/project-admin/project-members/_index.md 
@@ -43,6 +43,8 @@ Following project creation, you can add users as project members so that they ca > >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. > + >- By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. + > >- For `Custom` roles, you can modify the list of individual roles available for assignment. > > - To add roles to the list, [Add a Custom Role]({{}}/rancher/v2.5/en/admin-settings/rbac/default-custom-roles). diff --git a/content/rancher/v2.6/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.6/en/admin-settings/rbac/cluster-project-roles/_index.md index c966d787383..022b08762ce 100644 --- a/content/rancher/v2.6/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.6/en/admin-settings/rbac/cluster-project-roles/_index.md 
@@ -111,6 +111,10 @@ _Project roles_ are roles that can be used to grant users access to a project. T These users can manage project-scoped resources like namespaces and workloads, but cannot manage other project members. + >**Note:** + > + >By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. + - **Read Only:** These users can view everything in the project but cannot create, update, or delete anything. @@ -119,7 +123,6 @@ _Project roles_ are roles that can be used to grant users access to a project. T > >Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `owner` or `member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. - #### Custom Project Roles Rancher lets you assign _custom project roles_ to a standard user instead of the typical `Owner`, `Member`, or `Read Only` roles. These roles can be either a built-in custom project role or one defined by a Rancher administrator. They are convenient for defining narrow or specialized access for a standard user within a project. See the table below for a list of built-in custom project roles. diff --git a/content/rancher/v2.6/en/cluster-admin/projects-and-namespaces/_index.md b/content/rancher/v2.6/en/cluster-admin/projects-and-namespaces/_index.md index 79fc054dc21..d1ae03863b4 100644 --- a/content/rancher/v2.6/en/cluster-admin/projects-and-namespaces/_index.md 
+++ b/content/rancher/v2.6/en/cluster-admin/projects-and-namespaces/_index.md @@ -152,6 +152,9 @@ By default, your user is added as the project `Owner`. >**Notes on Permissions:** > >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. +> +>- By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. +> >- Choose `Custom` to create a custom role on the fly: [Custom Project Roles]({{}}/rancher/v2.6/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). To add members: diff --git a/content/rancher/v2.6/en/monitoring-alerting/rbac/_index.md b/content/rancher/v2.6/en/monitoring-alerting/rbac/_index.md index ba487525225..e025b733e64 100644 --- a/content/rancher/v2.6/en/monitoring-alerting/rbac/_index.md +++ b/content/rancher/v2.6/en/monitoring-alerting/rbac/_index.md 
@@ -124,8 +124,8 @@ The relationship between the default roles deployed by Rancher (i.e. cluster-own | --------- | --------- | --------- | --------- | | cluster-owner | cluster-admin | N/A | ClusterRoleBinding | | cluster-member | admin | monitoring-admin | ClusterRoleBinding | -| project-owner | edit | monitoring-admin | RoleBinding within Project namespace | -| project-member | view | monitoring-edit | RoleBinding within Project namespace | +| project-owner | admin | monitoring-admin | RoleBinding within Project namespace | +| project-member | edit | monitoring-edit | RoleBinding within Project namespace | In addition to these default Roles, the following additional Rancher project roles can be applied to members of your Cluster to provide additional access to Monitoring. These Rancher Roles will be tied to ClusterRoles deployed by the Monitoring chart: diff --git a/content/rancher/v2.6/en/project-admin/project-members/_index.md b/content/rancher/v2.6/en/project-admin/project-members/_index.md index c84e655974f..32708445e60 100644 --- a/content/rancher/v2.6/en/project-admin/project-members/_index.md +++ b/content/rancher/v2.6/en/project-admin/project-members/_index.md 
@@ -38,7 +38,9 @@ Following project creation, you can add users as project members so that they ca >**Notes:** > - >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. + >- Users assigned the `Owner` or `Member` role for a project automatically inherit the `namespace creation` role. However, this role is a [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the `Owner` or `Member` role for a project can create or delete namespaces in other projects they're assigned to, even with only the `Read Only` role assigned. + > + >- By default, the Rancher role of `project-member` inherits from the `Kubernetes-edit` role, and the `project-owner` role inherits from the `Kubernetes-admin` role. As such, both `project-member` and `project-owner` roles will allow for namespace management, including the ability to create and delete namespaces. > >- For `Custom` roles, you can modify the list of individual roles available for assignment. >
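
Review bot: `Kubernetes-edit` and `Kubernetes-admin`, in the note added to every cluster-project-roles, projects-and-namespaces and project-members hunk, are set in code formatting but are not role names. The default Kubernetes ClusterRoles are `edit` and `admin`, which is how the monitoring-alerting/rbac table rows changed in this same patch spell them (`| project-member | edit | monitoring-edit |`). Suggest "the Kubernetes `edit` ClusterRole" and "the Kubernetes `admin` ClusterRole", so that someone auditing a cluster's bindings searches for a name that exists.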
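
Review bot: only the v2.6 project-admin/project-members hunk rewrites the existing bullet to "can create or delete namespaces in other projects they're assigned to". The v2.0-v2.4 and v2.5 copies of that bullet, and the same sentence shown as context in the v2.6 cluster-project-roles and projects-and-namespaces hunks, still read "can create namespaces". The edited sentence also now ties deletion to the `namespace creation` role, which its name does not suggest. Either make the same edit in every copy and state which role carries the delete permission, or revert it here and let the newly added bullet carry the deletion statement on its own.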
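
Review bot: in the three cluster-project-roles hunks the new note is placed under the Project Member entry, between "but cannot manage other project members." and `- **Read Only:**`, although it describes both `project-member` and `project-owner`. A reader checking what Project Owner grants will not find it there, and a blockquote dropped between list items may break the list in the rendered page. Suggest moving it next to the existing `namespace creation` note that the second v2.5 and v2.6 hunks show just below the list, and adding a pointer to the Custom Project Roles section that follows for operators who want to grant project access without namespace deletion.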