Open jamescooke-xyz opened 1 year ago
You can use `resourceNames` to solve this problem. For example, just `workspaceA` and `workspaceB` would be displayed with the following `ClusterRole`:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cr-fleet-list-workspaces
rules:
- apiGroups:
  - management.cattle.io
  resources:
  - fleetworkspaces
  verbs:
  - list
  # Limit the rule to these named workspaces
  resourceNames:
  - workspaceA
  - workspaceB
```
Alternatively, you can use `GlobalRole` and `namespacedRules` to restrict access to specific workspaces. This would make it easier to bind these permissions to new users or groups within Rancher. We will add this to the Fleet docs; see this PR for more info.
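As an added example (not part of this thread or of the Fleet project's code): a check over ClusterRole manifests, taken here in JSON form, that flags rules granting `list` on `fleetworkspaces` without `resourceNames`, which is the grant that exposes every workspace name as described in this issue, and also flags rule keys that are not PolicyRule fields. The sample manifests and the role names `cr-typo` and `cr-wide` are constructed for illustration.

```python
import json

# Constructed manifests (JSON form of ClusterRole YAML kept in a repo). Only the
# first role name comes from the page; "cr-typo" and "cr-wide" are hypothetical.
MANIFESTS = json.loads("""
[
 {"kind": "ClusterRole", "metadata": {"name": "cr-fleet-list-workspaces"},
  "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["fleetworkspaces"],
             "verbs": ["list"], "resourceNames": ["workspaceA", "workspaceB"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "cr-typo"},
  "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["fleetworkspaces"],
             "verbs": ["list"], "resourcesNames": ["workspaceA"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "cr-wide"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]}
]
""")

# Field names of an rbac.authorization.k8s.io/v1 PolicyRule.
POLICY_RULE_KEYS = {"apiGroups", "resources", "verbs", "resourceNames", "nonResourceURLs"}


def _matches(values, wanted):
    """True if the rule list names `wanted` explicitly or through the '*' wildcard."""
    return "*" in values or wanted in values


def audit(manifests):
    """Return (role name, rule index, finding) tuples for risky or malformed rules."""
    findings = []
    for manifest in manifests:
        if manifest.get("kind") != "ClusterRole":
            continue
        name = manifest["metadata"]["name"]
        for idx, rule in enumerate(manifest.get("rules") or []):
            # A misspelled key is not a PolicyRule field, so it restricts nothing.
            for key in sorted(set(rule) - POLICY_RULE_KEYS):
                findings.append((name, idx, "unknown-key:" + key))
            # list on fleetworkspaces with no resourceNames covers all workspaces.
            if (_matches(rule.get("apiGroups", []), "management.cattle.io")
                    and _matches(rule.get("resources", []), "fleetworkspaces")
                    and _matches(rule.get("verbs", []), "list")
                    and not rule.get("resourceNames")):
                findings.append((name, idx, "lists-all-workspaces"))
    return findings


if __name__ == "__main__":
    for finding in audit(MANIFESTS):
        print(*finding)
```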
Is there an existing issue for this?
Current Behavior
We have a user who should only have access to one workspace in Fleet. We have configured all RBACs as documented here: https://fleet.rancher.io/multi-user
This works well with one exception. On the Continuous Delivery tab, the user does not have access to see any workspaces in the dropdown. See image:
To allow for this combo-box to be populated, we appear to need to grant Cluster-wide access for this user to list workspaces:
However, when doing this, the user gets to see all workspaces in this combo-box (and on the workspaces page). They still only see the relevant GitRepo/Bundle/etc resources, but we do not want them seeing the names of the other workspaces that they do not have access to.
Expected Behavior
The user should only see the workspaces they have access to in this combo-box.
Steps To Reproduce
The user will not see any of the workspaces listed in the combo-box, so will not be able to select their desired workspace to view their resources. Alternately, if you then give Cluster-wide access to list all workspaces, the user will see the names of all workspaces - which is also not desirable.
Environment
Logs
No response
Anything else?
No response