Users assigned the Project Owner or Member role on a project are able to create namespaces on any project, in the same cluster, to which they have access
This document (000020205) is provided subject to the disclaimer at the end of this document.
Environment
- A cluster managed by Rancher v2.x
- A user granted the Project Member or Owner role on one project, and some level of access (e.g. the Read-only role) on another project
Situation
A user assigned the Project Owner or Member role on one project is able to create namespaces on any project, in the same cluster, to which they have access.
For example, if a user has been granted the Project Member role on a Project named Dev in a cluster, and the Read-only role on a project named Test in that cluster, they will be able to create namespaces on both the Dev and Test projects.
Resolution
Per the caveat explanation in the Rancher v2.x documentation:
Users assigned the Owner or Member role for a project automatically inherit the namespace creation role. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the owner or member role for a project can create namespaces in other projects they’re assigned to, even with only the Read Only role assigned.
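To find where this caveat applies in a cluster, the following added example (not part of the Rancher documentation or this article's original text) lists users who hold Owner or Member on one project and only a lesser role on other projects in the same cluster. The record layout is modeled on Rancher's ProjectRoleTemplateBinding objects; the field names, the `<cluster>:<project>` format and the role template IDs are assumptions to verify against your installation, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed role template IDs for the built-in Project Owner / Project Member roles.
NS_CREATOR_ROLES = {"project-owner", "project-member"}

# Constructed sample bindings (not real data).
# projectName is assumed to have the form "<cluster>:<project>".
SAMPLE_BINDINGS = [
    {"userName": "u-alice", "projectName": "c-abc12:p-dev", "roleTemplateName": "project-member"},
    {"userName": "u-alice", "projectName": "c-abc12:p-test", "roleTemplateName": "read-only"},
    {"userName": "u-bob", "projectName": "c-abc12:p-test", "roleTemplateName": "read-only"},
    {"userName": "u-carol", "projectName": "c-abc12:p-dev", "roleTemplateName": "project-owner"},
    {"userName": "u-carol", "projectName": "c-xyz99:p-prod", "roleTemplateName": "read-only"},
]


def inherited_namespace_create(bindings):
    """Return {(user, cluster): [projects]} listing projects where the user can
    create namespaces only because of an Owner/Member binding on a different
    project in the same cluster."""
    # (user, cluster) -> project -> set of role template IDs bound there
    roles = defaultdict(lambda: defaultdict(set))
    for b in bindings:
        user = b.get("userName")
        if not user:  # group bindings are out of scope for this check
            continue
        cluster, _, project = b["projectName"].partition(":")
        roles[(user, cluster)][project].add(b["roleTemplateName"])

    findings = {}
    for key, projects in roles.items():
        granting = {p for p, r in projects.items() if r & NS_CREATOR_ROLES}
        if not granting:
            continue  # no Owner/Member binding in this cluster, nothing inherited
        exposed = sorted(p for p in projects if p not in granting)
        if exposed:
            findings[key] = exposed
    return findings


if __name__ == "__main__":
    for (user, cluster), projects in inherited_namespace_create(SAMPLE_BINDINGS).items():
        print(f"{user} in {cluster}: namespace creation also applies to {', '.join(projects)}")
```

Bindings in a different cluster do not count, because the ClusterRole's scope ends at the cluster boundary.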
Additional Information
Read more on Cluster and Project Roles in the Rancher v2.x documentation.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.