mirror of
https://github.com/rancher/rancher-docs.git
synced 2026-04-14 10:25:40 +00:00
24fc5a657c
* Sync main to v2.13.0 (#2065) * It's bad form to ask users to pass something they just curled from the internet directly to sh Updated the instructions for uninstalling the rancher-system-agent to use a temporary script file instead of piping directly to sh. * doc(rancher-security): improve structure and content to latest, v2.13-preview and v2.12 (#2024) - add Rancher Kubernetes Distributions (K3s/RKE2) Self-Assessment and Hardening Guide section - add kubernetes cluster security best practices link to rancher-security section - add k3s-selinux and update selinux-rpm details - remove rhel/centos 7 support Signed-off-by: Andy Pitcher <andy.pitcher@suse.com> * Updating across supported versions and translations. Signed-off-by: Sunil Singh <sunil.singh@suse.com> --------- Signed-off-by: Andy Pitcher <andy.pitcher@suse.com> Signed-off-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Tejeev <tj@rancher.com> Co-authored-by: Andy Pitcher <andy.pitcher@suse.com> Co-authored-by: Sunil Singh <sunil.singh@suse.com> * Update roletemplate aggregation doc and version information * Add versioned docs * Remove ext token and kubeconfig feature flag sections and document bearer Token * Update corresponding v2.13 pages * update doc for pni in gke * Adding reverted session idle information from PR 1653 Signed-off-by: Sunil Singh <sunil.singh@suse.com> * [2.13.0] Add versions table entry * [2.13.0] Add webhook version * [2.13.0] Add CSP Adapter version * [2.13.0] Add deprecated feature table entry * [2.13.0] Update CNI popularity stats * Update GKE Cluster Configuration for Project Network Isolation instructions * Fix link and port to 2.13 * [2.13.0] Add Swagger JSON * [v2.13.0] Add info about Azure AD Roles claims (#2079) * Add info about Azure AD roles claims compatibility * Apply suggestions from code review Co-authored-by: Sunil Singh <sunil.singh@suse.com> * Add suggestions to v2.13 --------- Co-authored-by: Sunil Singh <sunil.singh@suse.com> * [2.13.0] Remove preview designation * user public api docs (#2069) * user public api docs * Apply suggestions from code review Co-authored-by: Andreas Kupries <akupries@suse.com> * Apply suggestions from code review Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com> * explain plaintext is never stored * add users 2.13 versioned docs * remove extra ``` * Apply suggestions from code review Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com> * add space before code block --------- Co-authored-by: Andreas Kupries <akupries@suse.com> Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com> Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com> * support IPv6 (#2041) * [v2.13.0] Add Configure GitHub App page (#2081) * Add Configure GitHub App page * Apply suggestions from code review Co-authored-by: Billy Tat <btat@suse.com> * Fix header/GH URL & add suggestions to v2.13 * Apply suggestions from code review Co-authored-by: Petr Kovar <pknbe@volny.cz> * Apply suggestions from code review to v2.13 * Add note describing why to use Installation ID * Apply suggestions from code review Co-authored-by: Billy Tat <btat@suse.com> --------- Co-authored-by: Billy Tat <btat@suse.com> Co-authored-by: Petr Kovar <pknbe@volny.cz> * [v2.13.0] Add info about Generic OIDC Custom Mapping (#2080) * Add info about Generic OIDC Custom Mapping * Apply suggestions from code review Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Billy Tat <btat@suse.com> * Apply suggestions from code review Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Billy Tat <btat@suse.com> * Add suggestions to v2.13 * Remove repetitive statement in intro * Move Prereq intro/note to appropriate section * Fix formatting, UI typo, add Custom Claims section under Configuration Reference section * Add section about how a custom groups claim works / note about search limitations for groups in RBAC --------- Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Billy Tat <btat@suse.com> * [v2.13.0] Add info about OIDC SLO support (#2086) * Add shared file covering OIDC SLO support to OIDC auth pages * Ad How to get the End Session Endpoint steps * Add generic curl exampleto retrieve end_session_endpoint * [2.13.0] Bump release date --------- Signed-off-by: Andy Pitcher <andy.pitcher@suse.com> Signed-off-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com> Co-authored-by: Tejeev <tj@rancher.com> Co-authored-by: Andy Pitcher <andy.pitcher@suse.com> Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com> Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com> Co-authored-by: Petr Kovar <petr.kovar@suse.com> Co-authored-by: Krunal Hingu <krunal.hingu222@gmail.com> Co-authored-by: Raul Cabello Martin <raul.cabello@suse.com> Co-authored-by: Andreas Kupries <akupries@suse.com> Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com> Co-authored-by: Jack Luo <jiaqi.luo@suse.com> Co-authored-by: Petr Kovar <pknbe@volny.cz>
187 lines
4.0 KiB
Markdown
187 lines
4.0 KiB
Markdown
---
|
|
title: Users
|
|
---
|
|
|
|
## User Resource
|
|
|
|
The `User` resource (users.management.cattle.io) represents a user account in Rancher.
|
|
|
|
To get a description of the fields and structure of the `User` resource, run:
|
|
```sh
|
|
kubectl explain users.management.cattle.io
|
|
```
|
|
|
|
## Creating a User
|
|
|
|
Creating a local user is a two-step process: you must create the `User` resource, then provide a password via a Kubernetes `Secret`.
|
|
|
|
Only a user with sufficient permissions can create a `User` resource.
|
|
|
|
```bash
|
|
kubectl create -f -<<EOF
|
|
apiVersion: management.cattle.io/v3
|
|
kind: User
|
|
metadata:
|
|
name: testuser
|
|
displayName: "Test User"
|
|
username: "testuser"
|
|
EOF
|
|
```
|
|
The user's password must be provided in a `Secret` object within the `cattle-local-user-passwords` namespace. The Rancher webhook will automatically hash the password and update the `Secret`.
|
|
|
|
:::important
|
|
|
|
Important: The `Secret` must have the same name as the metadata.name (and username) of the `User` resource.
|
|
|
|
:::
|
|
|
|
```bash
|
|
kubectl create -f -<<EOF
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: testuser
|
|
namespace: cattle-local-user-passwords
|
|
type: Opaque
|
|
stringData:
|
|
password: Pass1234567!
|
|
EOF
|
|
```
|
|
|
|
After the plaintext password is submitted, the Rancher-Webhook automatically hashes it, replacing the content of the `Secret`, ensuring that the plaintext password is never stored:
|
|
|
|
```yaml
|
|
apiVersion: v1
|
|
data:
|
|
password: 1c1Y4CdjlehGWFz26F414x2qoj4gch5L5OXsx35MAa8=
|
|
salt: m8Co+CfMDo5XwVl0FqYzGcRIOTgRrwFSqW8yurh5DcE=
|
|
kind: Secret
|
|
metadata:
|
|
annotations:
|
|
cattle.io/password-hash: pbkdf2sha3512
|
|
name: testuser
|
|
namespace: cattle-local-user-passwords
|
|
ownerReferences:
|
|
- apiVersion: management.cattle.io/v3
|
|
kind: User
|
|
name: testuser
|
|
uid: 663ffb4f-8178-46c8-85a3-337f4d5cbc2e
|
|
uid: bade9f0a-b06f-4a77-9a39-4284dc2349c5
|
|
type: Opaque
|
|
```
|
|
|
|
## Updating User's Password
|
|
|
|
To change a user's password, use the `PasswordChangeRequest` resource, which handles secure password updates.
|
|
|
|
```yaml
|
|
kubectl create -f -<<EOF
|
|
apiVersion: ext.cattle.io/v1
|
|
kind: PasswordChangeRequest
|
|
spec:
|
|
userID: "testuser"
|
|
currentPassword: "Pass1234567!"
|
|
newPassword: "NewPass1234567!"
|
|
EOF
|
|
```
|
|
|
|
## Listing Users
|
|
|
|
List all `User` resources in the cluster:
|
|
|
|
```sh
|
|
kubectl get users
|
|
NAME AGE
|
|
testuser 3m54s
|
|
user-4n5ws 12m
|
|
```
|
|
|
|
## Viewing a User
|
|
|
|
View a specific `User` resource by name:
|
|
|
|
```sh
|
|
kubectl get user testuser
|
|
NAME AGE
|
|
testuser 3m54s
|
|
```
|
|
|
|
## Deleting a User
|
|
|
|
Deleting a user will automatically delete the corresponding password `Secret`.
|
|
|
|
```sh
|
|
kubectl delete user testuser
|
|
user.management.cattle.io "testuser" deleted
|
|
```
|
|
|
|
## Get a Current User's Information
|
|
|
|
A client uses the `SelfUser` resource to retrieve information about the currently authenticated user without knowing their ID. The user ID is returned in the `.status.userID` field.
|
|
|
|
```bash
|
|
kubectl create -o jsonpath='{.status.userID}' -f -<<EOF
|
|
apiVersion: ext.cattle.io/v1
|
|
kind: SelfUser
|
|
EOF
|
|
|
|
testuser
|
|
```
|
|
|
|
## Refreshing a User's Group Membership
|
|
|
|
Updates to user group memberships are triggered by the `GroupMembershipRefreshRequest` resource.
|
|
|
|
:::note
|
|
Group membership is only supported for external authentication providers.
|
|
:::
|
|
|
|
### For a Single User
|
|
|
|
```bash
|
|
kubectl create -o jsonpath='{.status}' -f -<<EOF
|
|
apiVersion: ext.cattle.io/v1
|
|
kind: GroupMembershipRefreshRequest
|
|
spec:
|
|
userId: testuser
|
|
EOF
|
|
|
|
{
|
|
"conditions": [
|
|
{
|
|
"lastTransitionTime": "2025-11-10T12:01:03Z",
|
|
"message": "",
|
|
"reason": "",
|
|
"status": "True",
|
|
"type": "UserRefreshInitiated"
|
|
}
|
|
],
|
|
"summary": "Completed"
|
|
}
|
|
```
|
|
|
|
### For All Users
|
|
|
|
```bash
|
|
|
|
kubectl create -o jsonpath='{.status}' -f -<<EOF
|
|
apiVersion: ext.cattle.io/v1
|
|
kind: GroupMembershipRefreshRequest
|
|
spec:
|
|
userId: "*"
|
|
EOF
|
|
|
|
{
|
|
"conditions": [
|
|
{
|
|
"lastTransitionTime": "2025-11-10T12:01:59Z",
|
|
"message": "",
|
|
"reason": "",
|
|
"status": "True",
|
|
"type": "UserRefreshInitiated"
|
|
}
|
|
],
|
|
"summary": "Completed"
|
|
}
|
|
```
|