rancher / dashboard

The Rancher UI
https://rancher.com
Apache License 2.0

Unable to scale deployments from UI due to incorrect RBAC enforcement in Rancher #7897

Open gaktive opened 1 year ago

gaktive commented 1 year ago

Internal reference: SURE-3183 Reported in 2.5.8

Issue description: A user has a read-only role with additional "scale" permissions so that app users can only scale their app and cannot make any other modifications.

With this role, it's not possible to scale up/down a deployment. But the same is possible via kubectl.

Impact:

Although they can bring up the shell and scale manually, a primary differentiating point of Rancher was the ability to interact with the k8s cluster via a GUI, as not all of their devs are familiar with the kubectl CLI.

Repro steps:

Expected behavior: Scaling via UI should work

Notes: Initial thoughts showed a possible connection to https://github.com/rancher/rancher/issues/32424, but upon backend investigation elsewhere, @crobby spotted the following with recent testing (confirming version):

The UI doesn't let me create a role for deployments/scale, but when I create a role for "deployments" with get, list, patch, watch and try scaling from the UI, I do NOT see the scaling buttons, and when I try with kubectl, I get:

Error from server (Forbidden): deployments.apps "test" is forbidden: User "u-abcdefgh" cannot patch resource "deployments/scale" in API group "apps" in the namespace "default"

If I add "update" to that role, I DO see the scaling buttons in the UI and they DO work. But when I try scaling via kubectl, I get the same error as above.

If I manually edit the "scaler" Role template to be for deployments/scale, then I DO see the behavior as described in this issue. The UI does NOT have scaling options, but I am able to scale via kubectl.

I wonder if there may be a couple of UI issues here.

1) Not able to create a role for deployments/scale...only deployments
2) Logic for when to show the scaling buttons on the deployment page

richard-cox commented 1 year ago

I think, to summarise...

The screenshot is of ember using RKE1 to change node pool. Need to also consider RKE2 and machine deployment scaling

gaktive commented 1 year ago

Confirmed that this was spotted in 2.7-head with the Vue UI.

nwmac commented 1 year ago

We should change scale to use PATCH to be consistent with kubectl.

Suggest we only do this for the Vue codebase for now.

gaktive commented 1 year ago

@richard-cox indicated that we should use PATCH instead of POST for scaling +/-.

In addition, @Sean-McQ noted that the PATCH verb is a partial update to a resource; we only need to send a diff on the fields that change. PUT is the other preferred verb to use instead of POST going forward (PUT overrides the full resource).

Shavindra commented 1 year ago

This uses PUT. This means that when creating the project role, the user needs to have the Update label instead of Patch.

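As an added illustration of the RBAC mismatch described in @crobby's findings and the PUT-vs-PATCH point in the last few comments (example code, not part of the Rancher code base or this thread): a small emulation of how a Kubernetes Role's rules are matched against a request. The two role definitions are constructed for the example (the verbs on the `deployments/scale` rule are an assumption); the matcher models only apiGroups/resources/verbs, not resourceNames or Rancher role templates.

```python
# Minimal emulation of Kubernetes RBAC rule matching (constructed example, not the
# real authorizer): a rule for "deployments" does not cover the "deployments/scale"
# subresource, which is why a role built for one request shape fails the other.

def _match(pattern, value):
    """Kubernetes-style wildcard: '*' matches anything, otherwise exact match."""
    return pattern == "*" or pattern == value

def _resource_matches(rule_resource, resource, subresource):
    """'deployments' covers only the main resource; 'deployments/scale' covers that
    subresource; 'deployments/*' or '*/scale' use wildcards; '*' covers everything."""
    if rule_resource == "*":
        return True
    if "/" in rule_resource:
        res, sub = rule_resource.split("/", 1)
        return subresource is not None and _match(res, resource) and _match(sub, subresource)
    return subresource is None and rule_resource == resource

def allowed(rules, verb, group, resource, subresource=None):
    """True if any rule grants `verb` on group/resource[/subresource]."""
    return any(
        any(_match(g, group) for g in rule["apiGroups"])
        and any(_resource_matches(r, resource, subresource) for r in rule["resources"])
        and any(_match(v, verb) for v in rule["verbs"])
        for rule in rules
    )

# Constructed "scaler" role as the issue wants it: read deployments, patch only the scale subresource.
SCALER_ROLE = [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments/scale"], "verbs": ["get", "patch"]},
]

# Constructed role matching @crobby's UI-created role once "update" was added (no subresource).
UI_UPDATE_ROLE = [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "patch", "update"]},
]

def kubectl_scale_allowed(rules):
    """kubectl scale issues PATCH on deployments/scale (matches the Forbidden error in the issue)."""
    return allowed(rules, "patch", "apps", "deployments", "scale")

def dashboard_put_allowed(rules):
    """The dashboard (per the thread) issues PUT on the whole deployment, i.e. verb 'update'."""
    return allowed(rules, "update", "apps", "deployments")

if __name__ == "__main__":
    for name, role in (("scaler", SCALER_ROLE), ("ui-update", UI_UPDATE_ROLE)):
        print(name, "kubectl:", kubectl_scale_allowed(role), "dashboard:", dashboard_put_allowed(role))
```

The scaler role passes the kubectl check and fails the dashboard's PUT, and the UI-created role does the opposite, which is exactly the pair of observations in the issue.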
Shavindra commented 1 year ago

@nwmac Do we need to update things to use PATCH? We are not using patch anywhere in the codebase.

nwmac commented 1 year ago

@Shavindra For scale up/down I think we do - this is then consistent with what kubectl does.

Shavindra commented 1 year ago

I've created a backend issue. Schema/Links are not updated based on PATCH permissions. This issue is blocked by this.

https://github.com/rancher/rancher/issues/40712

CC: @nwmac @gaktive