Unprivileged user can't see PSACT is set in cluster config
Setup
- Rancher version: 2.7.6
- Rancher UI Extensions:
- Browser type & version: Tested on Firefox and Chrome
Describe the bug
An unprivileged user can view the config of a cluster that has a PSA Configuration Template set on it, but in the Advanced Options > Pod Security Admission Configuration Template dropdown, it shows the value as None. If the same user views the YAML for the cluster, it shows the value under spec.defaultPodSecurityAdmissionConfigurationTemplateName.
To Reproduce
- As an admin user, create a downstream RKE1 cluster with the Pod Security Admission Configuration Template set to rancher-restricted
- Once the cluster is active, the same user can go to Cluster Management, click the 3-dot menu for the cluster and select Edit Config and in the Advanced Options section see the Pod Security Admission Configuration Template value is set to rancher-restricted
- Create an unprivileged user with the attached GlobalRole and make that user a member of the same cluster
- As the unprivileged user, go to Cluster Management, click the 3-dot menu for the cluster and select View Config and check the Advanced Options section to see the Pod Security Admission Configuration Template value
Result
The unprivileged user will see that the Pod Security Admission Configuration Template value shows as None. This is misleading because it is actually set to something. If the same user views the YAML for the cluster, they can see the value under spec.defaultPodSecurityAdmissionConfigurationTemplateName.
Expected Result
Show the actual value as it is seen in the YAML by the same user. Or, if this is a permissions issue, hide them from seeing this at all.
Screenshots
As seen by admin user:
As seen by unprivileged user:
Same unprivileged user can see the value set in the YAML
Additional context
Workaround was to add the following to the GlobalRole
resources:
- podsecurityadmissionconfigurationtemplates
verbs:
- list
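A pre-check for the condition in this report, as an added example that is not part of the original issue or Rancher's own code: it evaluates a GlobalRole's rules for `list` on `podsecurityadmissionconfigurationtemplates` and flags clusters where a template is set but the role lacks that rule. The sample role and cluster objects are constructed, and the `management.cattle.io` API group is an assumption, since the workaround snippet does not show `apiGroups`.

```python
# Added example: flag roles that would show a set PSACT as "None" in View Config.
PSACT_RESOURCE = "podsecurityadmissionconfigurationtemplates"
PSACT_GROUP = "management.cattle.io"  # assumption: not shown in the workaround snippet


def rule_allows(rule, group, resource, verb):
    """Kubernetes-style PolicyRule match, honouring the '*' wildcard."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def can_list_psact(global_role):
    """True if any rule in the GlobalRole grants list on PSACT objects."""
    rules = global_role.get("rules") or []
    return any(rule_allows(r, PSACT_GROUP, PSACT_RESOURCE, "list") for r in rules)


def psact_display_mismatch(global_role, cluster):
    """True when the cluster spec names a template the role cannot list."""
    name = cluster.get("spec", {}).get(
        "defaultPodSecurityAdmissionConfigurationTemplateName")
    return bool(name) and not can_list_psact(global_role)


# Constructed sample objects (not the GlobalRole attached to the issue).
ROLE_BEFORE = {"rules": [
    {"apiGroups": ["management.cattle.io"], "resources": ["clusters"],
     "verbs": ["get", "list"]},
]}
ROLE_AFTER = {"rules": ROLE_BEFORE["rules"] + [
    {"apiGroups": ["management.cattle.io"], "resources": [PSACT_RESOURCE],
     "verbs": ["list"]},  # the workaround rule
]}
CLUSTER = {"spec": {
    "defaultPodSecurityAdmissionConfigurationTemplateName": "rancher-restricted"}}

if __name__ == "__main__":
    for label, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        print(label, "mismatch:", psact_display_mismatch(role, CLUSTER))
```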