What are the "-promoted" ClusterRoles in Rancher-managed clusters?

Article Number: 000020097

Environment

Rancher v2.x

Situation

When querying for ClusterRoles using kubectl or viewing role assignments in the Rancher UI, you may notice certain roles with a suffix of -promoted (e.g., project-member-promoted).

Resolution

Rancher utilizes "-promoted" ClusterRoles to handle cluster-scoped resources that have been included within a Project-level role.

In Kubernetes, RBAC is divided into two scopes:

  • Namespaced: Resources like Pods, Deployments, and Services.
  • Cluster-scoped: Resources like StorageClasses, PersistentVolumes, and APIServices.

If a Project Role (which usually only applies to specific namespaces) includes permissions for a cluster-scoped resource, Kubernetes cannot enforce that permission using a standard RoleBinding within a namespace. To grant access to these specific cluster-wide objects while maintaining the user's Project context, Rancher "promotes" those specific permissions into a dedicated ClusterRole.
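
To review what these roles grant in a given cluster, the following added example (not Rancher's own code) lists each rule in every ClusterRole whose name ends in -promoted, together with the subjects bound to it. The inline data is constructed and only shaped like the output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; the rule contents, the binding name and the user name are assumptions, not Rancher defaults.

```python
import json

# Constructed sample, shaped like `kubectl get clusterroles -o json` (not real Rancher data).
CLUSTERROLES = json.loads("""
{"items": [
  {"metadata": {"name": "project-member-promoted"},
   "rules": [
     {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "watch"]},
     {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["*"]}]},
  {"metadata": {"name": "view"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]}
""")
# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "crb-example"},
   "roleRef": {"kind": "ClusterRole", "name": "project-member-promoted"},
   "subjects": [{"kind": "User", "name": "u-example"}]}
]}
""")
READ_ONLY = {"get", "list", "watch"}

def audit_promoted(clusterroles, bindings):
    """Return one finding per rule in each '-promoted' ClusterRole."""
    subjects = {}  # ClusterRole name -> subjects bound to it cluster-wide
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") == "ClusterRole":
            for s in b.get("subjects") or []:
                subjects.setdefault(ref["name"], []).append(f'{s["kind"]}/{s["name"]}')
    findings = []
    for role in clusterroles.get("items", []):
        name = role["metadata"]["name"]
        if not name.endswith("-promoted"):
            continue
        for rule in role.get("rules") or []:
            verbs = set(rule.get("verbs", []))
            findings.append({
                "role": name,
                "resources": sorted(rule.get("resources", [])),
                "verbs": sorted(verbs),
                "write_access": not verbs <= READ_ONLY,  # anything beyond get/list/watch
                "subjects": sorted(subjects.get(name, [])),
            })
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_promoted(CLUSTERROLES, BINDINGS), indent=2))
```

Rules reported with `write_access` set to true are the ones worth reviewing first, since a ClusterRoleBinding applies them across the whole cluster rather than only inside the Project's namespaces.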