
Kubectl SHELL is not working for user

Open dbravo0531 opened this issue 3 years ago • 1 comments

Rancher Server Setup

  • Rancher version: 2.6.8 - SURE-5239
  • Installation option (Helm Chart):
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc):
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version:
  • Cluster Type (Local):
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider):

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom)
    • If custom, define the set of permissions:

Describe the bug

Rancher regression in Shell GUI usage: non-admin users cannot open the kubectl Shell (user with the "user" GlobalRole and the project "Edit" role). It is working for the admin users.

Business impact: Users cannot use the Shell GUI

To Reproduce

  • Create a cluster in 2.6.6 and 2.6.8
  • Create a user "dev"
  • Create a new "Project/Namespaces" role "devrole" inherited from "edit", do not add more permission.
  • Create a project/namespace "myproj"
  • Add the new user "dev" to the new namespace "myproj" with the newly created role "devrole"

Rancher 2.6.8: Role 'edit' same as Rancher 2.6.6, there are the same verbs.

rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

Workaround

  • Is workaround available and implemented? No
  • What is the workaround: NONE

Non-admin users cannot open the Kubectl SHELL from the GUI

Expected Result

Users should be able to access the GUI Shell.

Screenshots

Additional context

dbravo0531, Sep 13 '22 19:09

Have run into this issue as well trying to restrict privileges to certain groups. It looks like it's caused by not having permission to create the dashboard-shell pod in the cattle-system namespace on the cluster. Which for us, is under the System project where we don't want to give any access to those users.

Is it possible to configure the dashboard-shell to spin up in a different namespace on a cluster?

clbiggs, Sep 19 '22 16:09

I repeated a similar situation on AKS, and the admin was unable to pull up the shell.

The pull of the image has been completed in the event, but the container will be disconnected immediately after it is started.

The following error message appears when viewing the rancher pod log:

http: proxy error: net/http: TLS handshake timeout

Try it in 2.6.5-2.6.8. Network policies: Calico. Kubernetes version: 1.22.11

gemone, Oct 10 '22 16:10

This was resolved in 2.6.10 and 2.7.1

@Jono-SUSE-Rancher Jono I cannot add the 2.7.1 milestone for some reason

samjustus, Jan 25 '23 17:01

@Jono-SUSE-Rancher did this go out with 2.7.1? I updated and the issue persists. Have users who can use rancher kubectl config but not GUI shell.

ryanthedev, Feb 20 '23 12:02

@samjustus - Can you take a look at this with Andrew and see if this is still happening on upgrades to 2.7.1, and if so, sync up with Michael to confirm. If it is, please open another ticket and let's make sure it gets into v2.7.2.

Jono-SUSE-Rancher, Feb 21 '23 14:02

@ryanthedev The long story short is that you will need to give the following rule at a cluster scope (recommend to use a RoleTemplate and a ClusterRoleTemplateBinding):

- apiGroups:
  - management.cattle.io
  resourceNames:
  - local
  resources:
  - clusters
  verbs:
  - get

Do not give this rule as a permission in the cluster rancher is installed in (commonly referred to as the local cluster). It is recommended that such access be restricted to Administrators only.

To provide more detail, when a user requests a shell in a cluster, we check if that user has that permission (does that user have get on the local cluster object in the target cluster). This allows users to control who can/cannot use the shell functionality (which uses a pod to execute commands, and has a certain security impact).

MbolotSuse, Feb 21 '23 18:02
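The RoleTemplate plus ClusterRoleTemplateBinding approach recommended in the comment above, written out as an added example (not code from the thread or from the Rancher project). The cluster id and user id are placeholders; the binding targets a downstream cluster, never the local one.

```yaml
# Added example: a cluster-scoped RoleTemplate carrying only the single rule
# from the comment above, and a binding of it to one user on one downstream
# cluster. "c-m-xxxxxxxx" and "u-xxxxx" are placeholders, not real ids.
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
  name: kubectl-shell-access
displayName: Kubectl Shell Access
context: cluster          # cluster scope, as the comment requires (not project)
rules:
- apiGroups:
  - management.cattle.io
  resourceNames:
  - local                 # only the cluster object named "local"
  resources:
  - clusters
  verbs:
  - get                   # "get" alone is enough for the shell check
---
apiVersion: management.cattle.io/v3
kind: ClusterRoleTemplateBinding
metadata:
  name: dev-kubectl-shell-access
  namespace: c-m-xxxxxxxx          # placeholder: id of the DOWNSTREAM cluster
clusterName: c-m-xxxxxxxx          # placeholder: same downstream id, never "local"
roleTemplateName: kubectl-shell-access
userName: u-xxxxx                  # placeholder: Rancher user id of the "dev" user
```

Once the binding is applied, the affected user can confirm the grant from their own kubeconfig for that downstream cluster with `kubectl auth can-i get clusters.management.cattle.io/local`, which should answer `yes` while the same check against the local cluster should still answer `no`.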