Investigate RBAC issue with turtles

[kkaempf]

When Turtles automatically imports a CAPI cluster into Rancher by generating the Rancher Cluster it results in some repeated RBAC errors being generated.

If you import a Cluster via the RM UI the webhook will add a "creator" and Rancher will use this to automatically allow the creator access via RBAC. With RT we don't add the creator id.

Whats needed from this:

• [ ] Import a cluster via Turtles and document the RBAC error related to the cluster
• [ ] Create a cluster via CAPI but not import via Turtles. Instead import via the RM UI and note whether the same issue happen

[furkatgofurov7]

Can we please add details to the issue description so someone interested picking it up has an overall view and scope of the problem?

[kkaempf]

@richardcase iirc that was a draft issue from you which I converted to a Turtles one 😉

[richardcase]

@kkaempf @furkatgofurov7 - i've updated the description. We can also jump on a quick call to discuss.

[salasberryfin]

After raising this in the Rancher RBAC channel, there is a new issue open to track progress on this https://github.com/rancher/rancher/issues/45591.

[salasberryfin]

A new annotation field.cattle.io/noCreatorRBAC that when applied to a cluster, it skips the step where it creates the ClusterOwner/ProjectOwner roles and bindings.

• https://github.com/rancher/webhook/pull/511
• https://github.com/rancher/rancher/pull/47259

This change will most likely be available in Rancher v2.10. Then, we will able to use this feature by adding the annotation via Turtles.