rancher / tasks


RBAC for Fleet #180

Open maggieliu opened 3 years ago

StrongMonkey commented 3 years ago

Backend changes are merged. This includes the following changes:

  1. The local cluster will have built-in roles for Fleet. (Details are described here.)
  2. The user who creates a fleetworkspace will automatically become its admin.
  3. Only a user who has admin privilege on a fleetworkspace can add a cluster into it (by editing cluster.spec.FleetworkspaceName).

Testing scenario:

  1. Test that a standard user in the local cluster is able to create a fleetworkspace. Once they have created it, they should have admin permission on this fleetworkspace (on the workspace itself and on the Fleet resources in it) and be able to invite members into it (by creating rolebindings that give other users a role to access resources in this fleetworkspace).
  2. Test that a fleetworkspace-admin is allowed to add a cluster to the workspace. This is done by editing cluster.spec.fleetworkspace (it also requires the current user to be an admin of the Rancher cluster).
  3. Test that a fleetworkspace-member is able to create a gitrepo in the workspace.
  4. Test that a fleetworkspace-readonly only has read-only permission to Fleet resources in the workspace.
hyunsun commented 3 years ago

Hi, thanks for this feature! I have tried the same test scenario with Rancher v2.5.5 and checked that the fleetworkspace-member and fleetworkspace-readonly built-in roles worked as expected, except that the test user was able to list all fleetworkspaces, not just those she has access to. I'm not sure whether this is expected or I did something wrong in my test. Could you help clarify?

Here's how I tested.

  1. Create a user "test-user" and add the user to the local cluster with read-only permission to fleetworkspace.management.cattle.io resources
  2. Create a workspace "fleet-test" as admin
  3. Create a fleetworkspace-member rolebinding for "test-user" in the "fleet-test" namespace as admin
  4. Log in as "test-user" and check that the user can list all workspaces (but can only view *.fleet.cattle.io resources in the "fleet-test" workspace)
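The test scenario from StrongMonkey's comment and the steps hyunsun ran above, written out as a kubectl script. This is an added example, not code from the rancher/tasks issue or from the Fleet or Rancher projects. It assumes (all labelled in the comments) that FleetWorkspace is a cluster-scoped management.cattle.io/v3 object whose namespace has the same name, that the built-in ClusterRoles are named fleetworkspace-admin, fleetworkspace-member and fleetworkspace-readonly as the thread says, that RoleBinding subjects for Rancher users are Rancher user IDs, that GitRepo is the namespaced fleet.cattle.io resource, and that the script runs with an admin kubeconfig that is allowed to impersonate users with --as. The workspace name fleet-test, the user ID u-abc12 and the cluster name c-xyz are placeholders.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Fleet/Rancher projects):
# drives the Fleet workspace RBAC scenario with kubectl against the local
# (Rancher management) cluster.
# Assumptions: FleetWorkspace is management.cattle.io/v3, cluster-scoped, with
# a namespace of the same name; built-in ClusterRoles are fleetworkspace-admin,
# fleetworkspace-member, fleetworkspace-readonly; RoleBinding subjects are
# Rancher user IDs (u-xxxxx); GitRepo is fleet.cattle.io and namespaced.
KUBECTL="${KUBECTL:-kubectl}"

# Reject anything that is not one of the three built-in workspace roles so a
# typo does not silently produce a RoleBinding to a non-existent ClusterRole.
validate_role() {
  case "$1" in
    fleetworkspace-admin|fleetworkspace-member|fleetworkspace-readonly) return 0 ;;
    *) return 1 ;;
  esac
}

# Manifest for a workspace. Creating it is what makes the creator its admin.
fleet_workspace_manifest() {
  cat <<EOF
apiVersion: management.cattle.io/v3
kind: FleetWorkspace
metadata:
  name: $1
EOF
}

# RoleBinding in the workspace namespace that grants a built-in workspace role
# to one Rancher user. This is how a workspace admin "invites" a member; the
# ClusterRole itself is never edited.
workspace_rolebinding_manifest() {
  ws="$1"; user="$2"; role="$3"
  validate_role "$role" || { echo "unknown fleet workspace role: $role" >&2; return 1; }
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-${user}
  namespace: ${ws}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Merge patch that moves a managed cluster into a workspace. Per the thread,
# applying it needs fleetworkspace-admin on the workspace plus admin on the
# cluster; the API server enforces that, not this script.
cluster_workspace_patch() {
  printf '{"spec":{"fleetWorkspaceName":"%s"}}' "$1"
}

# "yes"/"no" for one impersonated access check (kubectl auth can-i exits 0 when
# allowed, 1 when denied). Namespace is optional for cluster-scoped resources.
can_i() { # verb resource user [namespace]
  if [ -n "${4:-}" ]; then
    "$KUBECTL" auth can-i "$1" "$2" --as="$3" -n "$4" >/dev/null 2>&1 && echo yes || echo no
  else
    "$KUBECTL" auth can-i "$1" "$2" --as="$3" >/dev/null 2>&1 && echo yes || echo no
  fi
}

# The checks behind scenarios 1, 3 and 4 of the thread, plus the cluster-wide
# workspace listing hyunsun asked about, so the observed behaviour is explicit.
check_user_access() { # user workspace
  user="$1"; ws="$2"
  printf 'create gitrepo in %s:   %s\n' "$ws" "$(can_i create gitrepos.fleet.cattle.io "$user" "$ws")"
  printf 'delete gitrepo in %s:   %s\n' "$ws" "$(can_i delete gitrepos.fleet.cattle.io "$user" "$ws")"
  printf 'create rolebinding in %s: %s\n' "$ws" "$(can_i create rolebindings "$user" "$ws")"
  printf 'list fleetworkspaces (cluster-wide): %s\n' "$(can_i list fleetworkspaces.management.cattle.io "$user")"
}

# Usage (placeholders: fleet-test, u-abc12, c-xyz):
#   sh fleet-rbac.sh apply  fleet-test u-abc12 fleetworkspace-member
#   sh fleet-rbac.sh attach fleet-test c-xyz
#   sh fleet-rbac.sh check  fleet-test u-abc12
case "${1:-}" in
  apply)
    fleet_workspace_manifest "$2" | "$KUBECTL" apply -f -
    workspace_rolebinding_manifest "$2" "$3" "$4" | "$KUBECTL" apply -f - ;;
  attach)
    "$KUBECTL" patch clusters.management.cattle.io "$3" --type=merge -p "$(cluster_workspace_patch "$2")" ;;
  check)
    check_user_access "$3" "$2" ;;
esac
```

Run `check` once as the member user and once as the read-only user: the member should get yes for creating a gitrepo and no for creating rolebindings, the read-only user no for both. The last line makes the cluster-wide FleetWorkspace listing visible as its own result rather than something noticed by accident in the UI.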