[rke2 templates] unable to create cluster from an rke2 template as non-admin user #34844

Closed
slickwarren opened this issue Sep 21, 2021 · 5 comments
Labels
area/rke2 RKE2-related Issues kind/bug-qa Issues that have not yet hit a real release. Bugs introduced by a new feature or enhancement team/hostbusters The team that is responsible for provisioning/managing downstream clusters + K8s version support

@slickwarren
Contributor

slickwarren commented Sep 21, 2021

Rancher Server Setup

  • Rancher version: v2.6-head (45dfeb4)
  • Installation option (Docker install/Helm Chart): docker
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc):
  • Proxy/Cert Details: n/a

Information about the Cluster

  • Kubernetes version: 1.21.4+rke2r1
  • Cluster Type (Local/Downstream):
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider): digital ocean, from rke2 template

Describe the bug

Non-admin users are not able to create a cluster from rke2 cluster templates. Initial chart install fails.

To Reproduce

  • log in as non-admin user (restricted admin)
  • add an rke2 cluster template repo
  • using a template, create a cluster using valid parameters

Result

  • currently, restricted admin gets this error when provisioning a cluster that the restricted admin has added:
  • [screenshot: Screen Shot 2021-09-20 at 10 01 02 AM]
  • the regular admin can use the same parameters to create a cluster from the template. Reopening for this issue, thought this might be a separate issue.

Expected Result

any user should be able to install from an rke2 cluster template

Screenshots

Additional context
found when testing rancher/dashboard#3995

@slickwarren slickwarren added the kind/bug-qa Issues that have not yet hit a real release. Bugs introduced by a new feature or enhancement label Sep 21, 2021
@slickwarren slickwarren added this to the v2.6.1 milestone Sep 21, 2021
@slickwarren slickwarren modified the milestones: v2.6.1, v2.6.2 Sep 21, 2021
@Jono-SUSE-Rancher Jono-SUSE-Rancher modified the milestones: v2.6.1, v2.6.2 Sep 24, 2021
@cbron cbron added [zube]: To Triage area/rke2 RKE2-related Issues labels Sep 28, 2021
@Jono-SUSE-Rancher Jono-SUSE-Rancher modified the milestones: v2.6.2, v2.6.3 Oct 18, 2021
@janeczku
Contributor

janeczku commented Oct 19, 2021

Reproduced in 2.6.1.

Expected but broken behavior:

A non-admin user that has been assigned the global "User-Base" and "Create Cluster" permissions is able to create clusters using RKE2 cluster templates configured by the Rancher admin.

Workaround

There oughta be a workaround by creating a custom role. Can we find out what are the required permissions? @Jono-SUSE-Rancher @cbron

@janeczku
Contributor

Related: #35177

@zube zube bot removed the [zube]: To Triage label Oct 20, 2021
@SheilaghM SheilaghM modified the milestones: v2.6.3, v2.6.4 Nov 17, 2021
@deniseschannon deniseschannon added the team/hostbusters The team that is responsible for provisioning/managing downstream clusters + K8s version support label Nov 23, 2021
@deniseschannon deniseschannon modified the milestones: v2.6.4, v2.6.4 - Triaged Dec 1, 2021
@jakefhyde
Contributor

Root cause

The create-clusters role did not have access to get/list/watch cluster repos, so non-admin users were not able to provision clusters with them.

What was fixed, or what changes have occurred

The create-clusters role was updated to allow the user to view these resources.

Areas or cases that should be tested

Creating a cluster using an rke2 template.

What areas could experience regressions?

N/A

Are the repro steps accurate/minimal?

As an admin user, add the cluster template examples repo. Create a user with the create-clusters role, and try to provision an rke2 cluster using the template.
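
An added example (not part of the original thread and not Rancher's code): a small evaluator for Kubernetes RBAC rules that reports which of get/list/watch a role lacks on cluster repos, run over constructed "before" and "after" rule sets. The API group `catalog.cattle.io`, the resource name `clusterrepos`, the repo name `rke2-templates` and every rule shown are assumptions for illustration.

```python
# Added example: constructed rule sets, not Rancher's actual role definitions.
API_GROUP = "catalog.cattle.io"  # assumption: API group of the ClusterRepo CRD
RESOURCE = "clusterrepos"        # assumption: plural name for "cluster repos"
REQUIRED_VERBS = ("get", "list", "watch")

def rule_covers(rule, verb, name=None):
    """Return True if one RBAC PolicyRule allows `verb` on the cluster repo resource."""
    for key, wanted in (("apiGroups", API_GROUP), ("resources", RESOURCE), ("verbs", verb)):
        values = rule.get(key, [])
        if "*" not in values and wanted not in values:
            return False
    names = rule.get("resourceNames", [])
    # A rule pinned to resourceNames never matches a request without an object
    # name, which is what a collection-wide list or watch is.
    return not names or name in names

def missing_verbs(rules, name=None):
    """Verbs from REQUIRED_VERBS that no rule in `rules` grants."""
    return [v for v in REQUIRED_VERBS if not any(rule_covers(r, v, name) for r in rules)]

# Constructed "before": can create clusters, cannot read cluster repos.
BEFORE = [{"apiGroups": ["provisioning.cattle.io"], "resources": ["clusters"],
           "verbs": ["create"]}]
# Constructed "after": read access to cluster repos added.
AFTER = BEFORE + [{"apiGroups": [API_GROUP], "resources": [RESOURCE],
                   "verbs": ["get", "list", "watch"]}]
# Constructed custom role pinned to one repo name (hypothetical name).
PINNED = BEFORE + [{"apiGroups": [API_GROUP], "resources": [RESOURCE],
                    "resourceNames": ["rke2-templates"],
                    "verbs": ["get", "list", "watch"]}]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER), ("pinned", PINNED)):
        print(label, "missing:", missing_verbs(rules) or "none")
```

The `PINNED` case shows why a custom role scoped with `resourceNames` still fails a collection-wide list or watch. On a live cluster the same question can be asked with `kubectl auth can-i list clusterrepos.catalog.cattle.io --as <user>`, under the same naming assumption.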

@slickwarren
Contributor Author

tested as part of: #35177

tested on v2.6-head (c682e30):

  • provision cluster from rke2 template as admin user -- pass
  • provision cluster from rke2 template as standard user -- pass
  • provision cluster from rke2 template as base user with create cluster role -- pass
  • verify user only has access to their cloud credentials in rke2 template -- pass
  • verify user can access rke2 template(s) added by admin -- pass

@belgaied2

Related to #35184

@zube zube bot removed the [zube]: Done label May 4, 2022