How to create a read-only custom Global Role for Fleet
Article Number: 000021157
Environment
Rancher v2.6+
Situation
To permit a user read-only access to Fleet resources, a custom Global Role can be created with the required grants.
In this role you need to grant the get, list and watch verbs on the following resources:
Resources         API Group
clusters          fleet.cattle.io
gitrepos          fleet.cattle.io
bundles           fleet.cattle.io
clustergroups     fleet.cattle.io
fleetworkspaces   management.cattle.io
Resolution
1. Create the custom Global Role
Navigate within the Rancher UI to Users & Authentication > Role Templates and click Create Global Role. Create a new role granting the get, list and watch verbs on the resources listed in the above table.
In the Rancher UI, under Users & Authentication > Role Templates > Global, a new Global Role appears.
2. Assign this role to individual users or groups
After creating this custom Global Role, you can then assign it to individual users or groups. When a non-admin user assigned this role accesses Rancher, the user will not be able to edit any Fleet resources but will be able to view these within the Continuous Delivery UI.
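A check that a role built this way really is read-only, as an added example that is not part of the original article. It assumes the role's rules are available in the Kubernetes PolicyRule shape (apiGroups, resources, verbs); the function name and the sample rules are constructed for illustration.

```python
# Added example: audits GlobalRole-style rules against the article's table.
READ_VERBS = {"get", "list", "watch"}
REQUIRED = {  # (API group, resource) pairs from the table above
    ("fleet.cattle.io", "clusters"),
    ("fleet.cattle.io", "gitrepos"),
    ("fleet.cattle.io", "bundles"),
    ("fleet.cattle.io", "clustergroups"),
    ("management.cattle.io", "fleetworkspaces"),
}

def audit_rules(rules):
    """Return sorted findings; an empty list means the rules match the article."""
    findings = set()
    granted = {}  # (group, resource) -> union of verbs across all rules
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                granted.setdefault((group, resource), set()).update(verbs)
    for (group, resource), verbs in granted.items():
        target = f"{resource}.{group}"
        extra = verbs - READ_VERBS  # anything beyond get/list/watch, including "*"
        if extra:
            findings.add(f"{target}: non-read verbs {sorted(extra)}")
        if "*" in (group, resource):
            findings.add(f"{target}: wildcard scope")
        elif (group, resource) not in REQUIRED:
            findings.add(f"{target}: not in the article's table")
    for group, resource in REQUIRED:
        missing = READ_VERBS - granted.get((group, resource), set())
        if missing:
            findings.add(f"{resource}.{group}: verbs not explicitly granted {sorted(missing)}")
    return sorted(findings)

# Constructed sample rules (hypothetical, not exported from a real Rancher).
GOOD_RULES = [
    {"apiGroups": ["fleet.cattle.io"],
     "resources": ["clusters", "gitrepos", "bundles", "clustergroups"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["management.cattle.io"],
     "resources": ["fleetworkspaces"],
     "verbs": ["get", "list", "watch"]},
]
BAD_RULES = [{"apiGroups": ["fleet.cattle.io"], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_rules(rules) or "OK: read-only Fleet access only")
```

Verbs are merged per resource across all rules before checking, so a write verb added by a second rule on the same resource is still reported.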