Public API [kubectl/v1] Dashboard Incorrectly Showing GlobalRole as Builtin When It's Not

[brudnak]

Setup

Component	Version / Type
Starting Rancher version	2.7.6
Upgraded to Rancher	v2.8-aecfe5961e630a8db0e239e00a611227c8886253-head
Rancher commit link	https://github.com/rancher/rancher/commit/aecfe5961e630a8db0e239e00a611227c8886253
Installation option	Helm (high availability)
RKE binary version used	v1.4.8
If Helm Chart k8s cluster	v1.26.7
Cert Details	external tls aws acm
Docker version	20.10.7, build f0df350
Helm version	v2.16.8-rancher2
Downstream cluster type	not applicable
Downstream K8s version	not applicable
Authentication providers enabled	local
Logged in user role	admin
Browser type	Opera GX
Browser version	LVL5 (core: 102.0.4880.74) (x86_64)
Dashboard	master 3389ed6c4
Rancher env setup via	https://github.com/brudnak/aws-ha-infra

Describe the bug

When editing a global role that was originally created with the UI, with the v1 API endpoint. The UI incorrectly changes to displaying that the global role is now builtin when it is not.

To Reproduce

1. Initialization with Specific Rancher Version:

   • Start with the Rancher system initialized to version 2.7.6.

2. GR Creation via UI:

   • Create a Global Role (GR) using the Rancher UI.
   • Create a role named custom-gr1
   • Verbs: list
   • Resource: clusters
   • API Groups: clusters.x-k8s.io
   • Non-Resources URLs: (this field is left blank)

3. System Upgrade:

   • Upgrade Rancher to v2.8-head

4. Validation of Previous GR with New API:

   • Use Insomnia or Postman to make a GET call to /v1/management.cattle.io.globalroles/gr-l7zfx
   • Then make a PUT call to /v1/management.cattle.io.globalroles/gr-l7zfx
   • We will change the display name

{
	"apiVersion": "management.cattle.io/v3",
	"kind": "GlobalRole",
	"displayName": "custom-gr1-changed",
	"inheritedClusterRoles": [
		"cluster-member"
	],
	"metadata": {
		"name": "gr-l7zfx",
		"resourceVersion": "6179"
	},
	"rules": [
		{
			"apiGroups": [
				"cluster.x-k8s.io"
			],
			"resources": [
				"clusters"
			],
			"verbs": [
				"list"
			]
		}
	]
}

Result

Once the PUT call is made updating the display name. The UI starts marking the role as builtin even though it's not. See screenshot below. The global role is not actually a builtin role (it's not functioning as one. it's able to be deleted, etc. so doesn't appear to be a backend issue)

NOTE! 🚨

THIS DOES NOT HAPPEN WHEN THE EDIT IT MADE VIA KUBECTL. SEE ADDITIONAL SCREENSHOT.

Expected Result

For the UI not to mark a global role as builtin when it is not

Screenshots

Additional context

Bug Frequency

Frequency	Selected Option
Consistent (10/10) - A consistent bug can be replicated every time the test is executed.	❎
Frequent (7/10)- A frequent bug can be replicated like 7 out of 10 times when a test is replicated
Occasional (5/10) - Occasional bug is more hard to replicate than a frequent bug.
Once thus far, twice thus far - Few bugs cannot be reproduced every time you run the test.

Associated API Calls & Responses

#	Request URL	Request Method	Status Code
1	/v1/management.cattle.io.globalroles/gr-l7zfx	GET	200: OK
2	/v1/management.cattle.io.globalroles/gr-l7zfx	PUT	200: OK
3	/v1/management.cattle.io.globalroles/gr-l7zfx	DELETE	200: OK

Details for #2

Request Body

{
	"apiVersion": "management.cattle.io/v3",
	"kind": "GlobalRole",
	"displayName": "custom-gr1-changed",
	"inheritedClusterRoles": [
		"cluster-member"
	],
	"metadata": {
		"name": "gr-l7zfx",
		"resourceVersion": "353933"
	},
	"rules": [
		{
			"apiGroups": [
				"cluster.x-k8s.io"
			],
			"resources": [
				"clusters"
			],
			"verbs": [
				"list"
			]
		}
	]
}

[lindhe]

Can confirm that this is the case in v2.8.1.

It's worth noting that the API spec for GlobalRole says that the builtin field defaults to false:

$ kubectl explain globalrole.builtin
GROUP:      management.cattle.io
KIND:       GlobalRole
VERSION:    v3

FIELD: builtin <boolean>

DESCRIPTION:
    Builtin specifies that this GlobalRole was created by Rancher if true.
    Immutable.

When inspecting the GlobalRole that gets created, builtin is unset:

apiVersion: management.cattle.io/v3
description: This is my custom role
displayName: foo
kind: GlobalRole
metadata:
  annotations:
    authz.management.cattle.io/cr-name: cattle-globalrole-gr-vc8lr
    field.cattle.io/creatorId: user-asdf
    lifecycle.cattle.io/create.mgmt-auth-gr-controller: 'true'
  creationTimestamp: '2024-02-21T10:11:29Z'
  finalizers:
    - controller.cattle.io/mgmt-auth-gr-controller
  generateName: gr-
  generation: 2
  labels:
    cattle.io/creator: norman
  name: gr-vc8lr
  resourceVersion: '270016229'
  uid: f13ce6de-61f8-4ca8-858f-23b582dbd827
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get

If I edit the object and explicitly set builtin: false, then it shows up properly as a built-in role:

I assume this is a GUI bug, but I just want to point out that it could be an API (documentation) bug for the GlobalRole object.

[aalves08]

working on e2e automation at the moment

[aalves08]

@yonasberhe23 @IsaSih @izaac added an e2e test for this issue https://github.com/rancher/dashboard/pull/10918. it's merged

[lindhe]

Nice. Is the issue fixed too, or just tests added?

[aalves08]

@lindhe this is fixed with https://github.com/rancher/dashboard/pull/9803. Fix "will be available to the public" once we release Rancher 2.9. The other PR I added was just an e2e test to cover any regression scenarios

[izaac]

Moving to done, the E2E validations look good.