Fleet RBAC #385
Comments
same issue here
I have also the same issue.
I would like to know about this as well
Any news about this?
same issue
same issue also for us
This is a showstopper for us!
same here. It's also a showstopper for us.
A quick update, if you're using Rancher you can grant this by using Example.
This can be done via the UI or added as a K8s resource if you're using Rancher, and works. I only have read permissions on these right now, but you can easily change them to have more (or just
Thanks @ADustyOldMuffin ! Creating a GlobalRole seems to be needed to access fleetworkspaces. However, I'd like my user to be limited to its own cluster (local) and its own namespace(s)/project(s) when deploying workloads ... Any clue on how to do this?
This would require fleet to deploy/deal with namespaces other than fleet-default. You might check other issues as I believe that's an enhancement currently underway.
I'd be interested in feedback on https://fleet.rancher.io/next/multi-tenancy |
@manno Could we add info in a QA Template to validate this issue? |
Additional QA
Most of the functionality was already part of fleet, but it was not well known.
Problem
How can we support a setup where one fleet installation serves multiple tenants?
Solution
The suggested approach is documented here: https://fleet.rancher.io/multi-tenancy
Users are not allowed to change cluster resources; they only create gitrepo resources in specially prepared namespaces.
These PRs were necessary:
More documentation:
Testing
Engineering Testing
Manual Testing
The docs describe how to set up multi-tenancy and how to create a limited user to test it.
Automated Testing
QA Testing Considerations
Integration in the Rancher UI is still being worked on. Most of the functionality existed already. Maybe a full QA on multi-tenancy should wait for the feature to arrive in Rancher, as there are still some open questions regarding UX.
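The following manifests are an added, constructed example of the "specially prepared namespace" setup described in the comment above, combined with the GlobalRole approach @ADustyOldMuffin mentioned earlier in the thread. They are not code from the thread, the Fleet docs or the Rancher project. All names (tenant-a, the Rancher user ID u-abc123, the service account tenant-a-deployer, the git URL pattern) are assumptions, and the GitRepoRestriction field names are taken from the fleet.cattle.io/v1alpha1 API as documented for recent Fleet releases; check them against the Fleet version you run.

```yaml
# Added example (not from the thread): one tenant namespace in which a
# single Rancher user may self-service GitRepo resources and nothing else.
# All names are assumptions; the user is referenced by its Rancher ID.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
---
# Rancher-level: read access to FleetWorkspaces so the Continuous Delivery
# section is reachable at all (this is the GlobalRole the thread refers to).
apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
  name: fleetworkspaces-view
displayName: View Fleet Workspaces
rules:
  - apiGroups: ["management.cattle.io"]
    resources: ["fleetworkspaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: management.cattle.io/v3
kind: GlobalRoleBinding
metadata:
  name: u-abc123-fleetworkspaces-view
globalRoleName: fleetworkspaces-view
userName: u-abc123          # assumed Rancher user ID, not the display name
---
# Namespace-level: full control over GitRepos (and the Secrets they may
# reference for git credentials) in tenant-a, read-only on what Fleet derives
# from them. Deliberately no rights on clusters or clustergroups.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fleet-tenant
  namespace: tenant-a
rules:
  - apiGroups: ["fleet.cattle.io"]
    resources: ["gitrepos"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["fleet.cattle.io"]
    resources: ["bundles", "bundledeployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fleet-tenant-u-abc123
  namespace: tenant-a
subjects:
  - kind: User
    name: u-abc123
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: fleet-tenant
  apiGroup: rbac.authorization.k8s.io
---
# Server-side guard rails, created by the admin, not writable by the tenant:
# whatever the tenant puts into spec.serviceAccount, spec.targetNamespace or
# spec.repo of a GitRepo, Fleet refuses values outside these lists.
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepoRestriction
metadata:
  name: tenant-a-restriction
  namespace: tenant-a
defaultServiceAccount: tenant-a-deployer
allowedServiceAccounts:
  - tenant-a-deployer
allowedTargetNamespaces:
  - tenant-a
allowedRepoPatterns:
  - "https://git.example.com/tenant-a/.*"
```

The point of the split is that the Role above grants nothing on GitRepoRestriction, so the tenant cannot loosen the restriction, and the GitRepoRestriction is what stops a GitRepo from declaring a targetNamespace or service account the tenant does not own. The downstream service account tenant-a-deployer still has to exist on the target clusters with appropriately scoped RBAC; Fleet only enforces that the GitRepo names it.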
Hello, can this be applied to a situation when a user deploys gitrepo object in a namespace and the git repo is allowed to be deployed in this namespace and only in this namespace without admin need to pre-setup permissions for this particular namespace in advance? E.g., can we setup rights so that namespace in gitrepo is completely ignored and deployment is done in the same namespace as the gitrepo object?
Yes, this can be achieved with a bundle namespace mapping: https://fleet.rancher.io/next/namespaces#cross-namespace-deployments
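To make the linked mechanism concrete, here is an added, constructed example of a BundleNamespaceMapping; it is not code from the thread or the Fleet docs. It assumes clusters are registered in fleet-default, that the tenant's GitRepos live in tenant-a, and that the Bundles carry the label example.com/fleet-tenant (set via the labels field of the repo's fleet.yaml, which is an assumption about how the tenant labels its bundles). The field names bundleSelector and namespaceSelector are those of the fleet.cattle.io/v1alpha1 BundleNamespaceMapping resource.

```yaml
# Added example (not from the thread): allow Bundles produced in tenant-a to
# target Clusters that are registered in fleet-default. Names and labels are
# assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    # matched by namespaceSelector below
    example.com/fleet-tenant: tenant-a
---
# The mapping must live in the namespace that holds the Cluster resources
# (fleet-default here), not in the tenant namespace. Only someone with write
# access to fleet-default can create it, which is why, as asked below, the
# tenant still has to request it from the admin once per namespace.
apiVersion: fleet.cattle.io/v1alpha1
kind: BundleNamespaceMapping
metadata:
  name: tenant-a-to-fleet-default
  namespace: fleet-default
# Only bundles carrying this label are mapped...
bundleSelector:
  matchLabels:
    example.com/fleet-tenant: tenant-a
# ...and only when they originate from a namespace carrying this label.
namespaceSelector:
  matchLabels:
    example.com/fleet-tenant: tenant-a
```

Both selectors are ANDed, so a bundle from another namespace that happens to copy the label is not mapped unless its namespace is labelled too, and a tenant who cannot edit namespace labels cannot widen the mapping. The mapping only decides which clusters a bundle may reach; what it may deploy into on those clusters is still governed by the GitRepo's targetNamespace and service account, which is where a GitRepoRestriction in tenant-a belongs.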
You mean the namespace in the gitrepo crd for the deployment? No, there is no way to override that globally. You can use a gitreporestriction resource to restrict the
yes, but admin needs to setup the mapping in advance, right?
I have multitenant cluster with many users and with many namespaces, multiple namespaces per user. I want any user to be able to use gitrepo with fleet on self-service basis: the user creates his namespace and creates a gitrepo and that's everything that needs to be done, no requests to admin and also it is secure so that user cannot deploy gitrepo into namespace he does not own. The scenario above can be easily done if deployment can be done into the namespace the gitrepo object is and only to this namespace. Or, if service account for deployment must be specified and fleet verifies that the user owns this service account. If I understand correctly, this can be done using bundlenamespacemapping, but admin has to create mapping in advance so that it works and user probably has to request the mapping from admin once the user created the namespace for gitrepo. Right?
I have this scenario. The fleet user role has permissions to Is that the expectation? Or the user should have access to
@izaac Fleet Workspaces is a sub-section of Continuous Delivery (CD). I believe you should be able to use CD without being able to use workspaces. If If one has What you describe as happening with the CD section and the
Validated on Rancher v
Validated based on documented test plan scenarios.
Separate issues during validation:
Hello! I'm trying to configure restricted access to deployment via Fleet.
Case: user has owner permissions in a specific cluster, e.g. sandbox. But they can't see the Continuous Delivery tab with this role. How can I grant specific access to the Fleet API so that the user is able to deploy only to the allowed cluster?