Users assigned the Project Owner or Member role on a project are able to create namespaces on any project, in the same cluster, to which they have access
Article Number: 000020205
Environment
- A cluster managed by Rancher v2.x
- A user granted the Project Member or Owner role on one project, and some access (e.g. the Read-only role) on another project in the same cluster
Situation
A user assigned the Project Owner or Member role on one project is able to create namespaces on any project, in the same cluster, to which they have access.
For example, if a user has been granted the Project Member role on a Project named Dev in a cluster, and the Read-only role on a project named Test in that cluster, they will be able to create namespaces on both the Dev and Test projects.
Resolution
Per the caveat explanation in the Rancher v2.x documentation:
Users assigned the Owner or Member role for a project automatically inherit the namespace creation role. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the owner or member role for a project can create namespaces in other projects they’re assigned to, even with only the Read Only role assigned.
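The behaviour described in the Situation and explained above comes down to Kubernetes RBAC scoping, which the following added example models (this is illustration written for this article, not Rancher's own code or its actual role definitions). It assumes that a Rancher project can be modelled as a plain namespace, that project roles such as Member and Read-only are bound with RoleBindings in those namespaces, and that the namespace-creation ClusterRole is bound cluster-wide through a ClusterRoleBinding; user, role and namespace names are constructed. The `namespace_creators` helper is the audit check a cluster administrator would want: which users hold a cluster-wide grant to create namespaces, irrespective of their per-project role.

```python
"""Added example (not from the Rancher article or Rancher's own code): a tiny
model of Kubernetes RBAC evaluation showing why a namespace-creation
ClusterRole reaches every project in the cluster.

Assumptions not stated on the page: projects are modelled as namespaces,
project roles as RoleBindings in those namespaces, and the namespace-creation
ClusterRole as bound through a ClusterRoleBinding. All names are constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Role:
    name: str
    rules: tuple               # tuple of Rule


@dataclass(frozen=True)
class Binding:
    role: Role
    subjects: tuple            # user names
    namespace: Optional[str]   # None => ClusterRoleBinding; else a RoleBinding in that namespace


def can_i(bindings, user, verb, resource, namespace=None, api_group=""):
    """Approximate the RBAC authorizer. namespace=None means a cluster-scoped
    request such as POST /api/v1/namespaces. A RoleBinding only covers requests
    inside its own namespace, so it can never grant a cluster-scoped request;
    a ClusterRoleBinding covers every namespace and cluster-scoped requests alike."""
    for b in bindings:
        if user not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(api_group, resource, verb) for r in b.role.rules):
            return True
    return False


def namespace_creators(bindings):
    """Audit helper: users who can create namespaces anywhere in the cluster,
    i.e. who hold a cluster-wide binding to a role allowing 'create namespaces'."""
    users = set()
    for b in bindings:
        if b.namespace is None and any(r.matches("", "namespaces", "create") for r in b.role.rules):
            users.update(b.subjects)
    return sorted(users)


# Constructed roles: a project-member style role, a read-only role and the
# cluster-wide namespace-creation role (names are illustrative only).
PROJECT_MEMBER = Role("project-member", (Rule(("*",), ("*",), ("*",)),))
READ_ONLY = Role("read-only", (Rule(("*",), ("*",), ("get", "list", "watch")),))
CREATE_NS = Role("create-ns", (Rule(("",), ("namespaces",), ("create",)),))

# alice: Member on project Dev (namespace dev-app), Read-only on project Test
# (namespace test-app). Project members also receive the namespace-creation
# ClusterRole, modelled here as a ClusterRoleBinding (assumption).
BINDINGS = (
    Binding(PROJECT_MEMBER, ("alice",), "dev-app"),
    Binding(READ_ONLY, ("alice", "bob"), "test-app"),
    Binding(CREATE_NS, ("alice",), None),
)


def scenario():
    """Return the checks a reviewer would run for alice against both projects."""
    return {
        "create_pod_in_dev": can_i(BINDINGS, "alice", "create", "pods", "dev-app"),
        "create_pod_in_test": can_i(BINDINGS, "alice", "create", "pods", "test-app"),
        "get_pod_in_test": can_i(BINDINGS, "alice", "get", "pods", "test-app"),
        # Namespace objects are cluster-scoped, so the request carries no namespace.
        "create_namespace": can_i(BINDINGS, "alice", "create", "namespaces"),
        "bob_create_namespace": can_i(BINDINGS, "bob", "create", "namespaces"),
        "namespace_creators": namespace_creators(BINDINGS),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The result for alice is the article's scenario: only read access inside the Test project's namespace, yet the ability to create namespaces, because that grant is cluster-wide rather than attached to either project. On a live cluster the equivalent question is answered with `kubectl auth can-i create namespaces --as <user>`, and reviewing ClusterRoleBindings that reference roles allowing `create` on `namespaces` is the corresponding audit.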