Problem
A Cluster Member cannot be provided limited access to resources in a single namespace deployed by an App in a Project that they are not a part of.
For example, a Cluster Member cannot be provided limited access to resources in the cattle-monitoring-system namespace deployed by Rancher Monitoring in the System Project if they are not a member of it.
Proposed Design
As part of investigating this, we discussed the following design:
On init, we create built-in (pseudo) ClusterRoleTemplate that can be referenced by other RoleTemplates
We modify or create an Apps controller so that it reloads all CRTBs and PRTBs on seeing a particular App deployed
Open Question: How do we identify whether an incoming App should trigger a reload?
Proposed Solution: use the name of the App, although nothing stops a user from giving an unrelated App the same name
We modify the CRTB / PRTB user controller to check whether the inherited role of the referenced CRT or PRT matches the (pseudo) ClusterRoleTemplate and is builtIn, check whether the App is installed by cycling through all Apps (note: there is currently no way to filter by labels), and accordingly create the RoleBindings whose ownerReferences are tied to the namespace of the App
Open Question: How can we make it easier for the CRTB / PRTB controller to identify whether an App is installed?
Proposed Solutions: either propagate App annotations up to labels so that the Kubernetes API can filter the resources for us (currently no labels are added), create a Secret / ConfigMap that records the App installation, or set a flag on the Cluster resource indicating that the app is enabled, similar to v1 apps
Open Question: How does the CRTB / PRTB controller identify which namespace to create the RoleBindings in and what Roles to look for to bind to?
Proposed Solution: read the namespace from the App's annotations, although the Chart annotation may name a namespace that does not match the values.yaml override supplied on install.
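As an added illustration (not Rancher's code), the following Go sketch models the CRTB controller step described above: walk the inherited-template chain for the built-in pseudo ClusterRoleTemplate, cycle through every App for the trigger App because no label filter exists, and take the RoleBinding namespace from the App's annotation, surfacing a missing annotation as an error. The type, field, constant and annotation names are assumptions made for the example.

```go
package main
import "fmt"

// Simplified stand-ins for Rancher's objects; all field, constant and annotation names are assumptions, not Rancher's real API.
type RoleTemplate struct {
	Name     string
	BuiltIn  bool
	Inherits []string // names of templates this one inherits from
}
type App struct {
	Name        string
	Annotations map[string]string
}
type CRTB struct{ UserName, RoleTemplateName string }
type RoleBinding struct{ Namespace, RoleName, Subject string }
const (
	pseudoCRT    = "monitoring-ns-access" // hypothetical built-in pseudo ClusterRoleTemplate
	triggerApp   = "rancher-monitoring"   // assumed App name that triggers the CRTB reload
	nsAnnotation = "example.io/namespace" // hypothetical annotation holding the App namespace
)
// inheritsPseudoCRT walks rt's inheritance chain for the built-in pseudo CRT; seen stops cycles.
func inheritsPseudoCRT(rt string, templates map[string]RoleTemplate, seen map[string]bool) bool {
	if seen[rt] {
		return false
	}
	seen[rt] = true
	t := templates[rt] // an unknown template yields the zero value, which matches nothing
	found := t.Name == pseudoCRT && t.BuiltIn
	for _, parent := range t.Inherits {
		found = found || inheritsPseudoCRT(parent, templates, seen)
	}
	return found
}
// Reconcile mirrors the proposed CRTB controller step: bind only when the template inherits
// the pseudo CRT and the trigger App is found by cycling through every App (no label filter).
func Reconcile(crtb CRTB, templates map[string]RoleTemplate, apps []App) (*RoleBinding, error) {
	if !inheritsPseudoCRT(crtb.RoleTemplateName, templates, map[string]bool{}) {
		return nil, nil // unrelated template; nothing to bind
	}
	for _, app := range apps {
		if app.Name != triggerApp {
			continue
		}
		if ns := app.Annotations[nsAnnotation]; ns != "" {
			return &RoleBinding{Namespace: ns, RoleName: pseudoCRT, Subject: crtb.UserName}, nil
		}
		return nil, fmt.Errorf("app %q is installed but lacks the %s annotation", app.Name, nsAnnotation)
	}
	return nil, nil // App not installed yet; the Apps controller reload re-runs this later
}
```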
Relevant Links
Relevant Issue: https://github.com/rancher/rancher/issues/31551
Relevant Doc: https://confluence.suse.com/pages/viewpage.action?spaceKey=EN&title=Accessing+Monitoring+UIs+as+a+Cluster+Member