KKP Admin not able to manage RBAC assignment and Project assignment

[toschneck]

What happened?

As KKP Admin, I would like to controll every setting of any user cluster, even if I'm not Part of the project. Currently I can't add a new RBAC Binding, when my account doesn't belong to the Project, even if I'm KKP super admin:

If try to workaround and add my-self to the project as admin, I can't do it, as this is not allowed (what is not correct in my opinion)

Expected behavior

As KKP Admin I should have full rights on the platform and allowed to do:

• Assign my-self to a project
• Add or Modify Any RBAC assignment in any cluster

How to reproduce the issue?

Login as KKP Admin, choose an Project where you are not Member of it and try

• add yourself
• do an RBAC binding assignment

How is your environment configured?

• KKP version: 2.25.6
• Shared or separate master/seed clusters?: combined or separate: same behaviour

Provide your KKP manifest here (if applicable)

See https://github.com/kubermatic/demo-infra/tree/main/kubermatic

```yaml # paste manifest here ```

What cloud provider are you running on?

doesn't matter

What operating system are you running in your user cluster?

doesn't matter

Additional information

[toschneck]

/label customer-request

[judge-red]

I've brought this up as a bug with Kubermatic almost 1.5 years ago, but unfortunately the result of internal discussions communicated to me was "KKP Admins should be only allowed for displaying all resources and interactions like editing/creating/removing should not be possible". They acknowledged that this isn't currently true either, as KKP admins can take several CRUD actions in projects. Thus this was created: https://github.com/kubermatic/docs/issues/1362

I still disagree with that view, thus I would very much like to see this issue here adressed instead.

But the problem is more complicated, here's another example:

• if I'm KKP admin but have NO role in the project, I CAN add a service account to the project
• if I'm a KKP admin AND a project editor/viewer (i.e. a member but not owner) in the project, I can NOT add a service account to the project (which requires owner privileges) ... imho KKP admin should weight more than a project role.

In general, the KKP admin privileges on the dashboard feel random and often wrong.

[csengerszabo]

/label sig/cluster-management /label sig/api /label sig/ui

[csengerszabo]

/kind feature

[csengerszabo]

/remove-label sig/cluster-management

[csengerszabo]

/assign @ahmadhamzh

[ahmadhamzh]

/transfer-issue dashboard