Investigate RBAC issue with turtles
When Turtles automatically imports a CAPI cluster into Rancher by generating the Rancher Cluster, it results in some repeated RBAC errors being generated.
If you import a Cluster via the RM UI the webhook will add a "creator" and Rancher will use this to automatically allow the creator access via RBAC. With RT we don't add the creator id.
What's needed from this:
- [ ] Import a cluster via Turtles and document the RBAC error related to the cluster
- [ ] Create a cluster via CAPI but do not import it via Turtles. Instead import it via the RM UI and note whether the same issue happens
Can we please add details to the issue description so someone interested picking it up has an overall view and scope of the problem?
@richardcase iirc that was a draft issue from you which I converted to a Turtles one 😉
@kkaempf @furkatgofurov7 - I've updated the description. We can also jump on a quick call to discuss.
After raising this in the Rancher RBAC channel, there is a new issue open to track progress on this https://github.com/rancher/rancher/issues/45591.
A new annotation, field.cattle.io/noCreatorRBAC, which when applied to a cluster skips the step where it creates the ClusterOwner/ProjectOwner roles and bindings.
- https://github.com/rancher/webhook/pull/511
- https://github.com/rancher/rancher/pull/47259
This change will most likely be available in Rancher v2.10. Then we will be able to use this feature by adding the annotation via Turtles.
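To make the opt-out concrete, here is an added example (not Turtles or Rancher code) of the shape of the provisioning.cattle.io/v1 Cluster object a controller-driven import creates, with the opt-out annotation set. The annotation key is taken from the Rancher log line quoted later in this thread (`field.cattle.io/no-creator-rbac`); the `field.cattle.io/creatorId` key for the UI path, the presence-only check, and the `ImportedCluster` type are assumptions made for illustration, using only the Go standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Annotation keys. The opt-out key matches the Rancher log line quoted in the
// validation comment; creatorId is assumed to be the key the Rancher webhook
// sets when a human creates a cluster through the UI.
const (
	NoCreatorRBACAnnotation = "field.cattle.io/no-creator-rbac"
	CreatorIDAnnotation     = "field.cattle.io/creatorId"
)

// ImportedCluster is a hypothetical, minimal stand-in for the
// provisioning.cattle.io/v1 Cluster object that Turtles generates; only the
// fields relevant to the RBAC opt-out are modelled.
type ImportedCluster struct {
	APIVersion string   `json:"apiVersion"`
	Kind       string   `json:"kind"`
	Metadata   Metadata `json:"metadata"`
}

// Metadata carries the name, namespace and annotations of the cluster object.
type Metadata struct {
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// NewImportedCluster builds the Rancher Cluster for a CAPI cluster imported by
// a controller rather than a user. When skipCreatorRBAC is true the opt-out
// annotation is set so Rancher does not try to bind a creator that does not exist.
func NewImportedCluster(name, namespace string, skipCreatorRBAC bool) ImportedCluster {
	c := ImportedCluster{
		APIVersion: "provisioning.cattle.io/v1",
		Kind:       "Cluster",
		Metadata: Metadata{
			Name:        name,
			Namespace:   namespace,
			Annotations: map[string]string{},
		},
	}
	if skipCreatorRBAC {
		c.Metadata.Annotations[NoCreatorRBACAnnotation] = "true"
	}
	return c
}

// CreatorRBACAction mirrors the decision described in the thread (presence check
// is an assumption): skip when the opt-out annotation is present, bind the creator
// when the webhook recorded one, otherwise there is nobody to bind, which is the
// controller-import situation that produced the repeated RBAC errors.
func CreatorRBACAction(annotations map[string]string) string {
	if _, ok := annotations[NoCreatorRBACAnnotation]; ok {
		return "skip"
	}
	if creator, ok := annotations[CreatorIDAnnotation]; ok && creator != "" {
		return "bind:" + creator
	}
	return "no-creator"
}

func main() {
	// Constructed sample: a Turtles-style import of a CAPI cluster with the opt-out set.
	c := NewImportedCluster("capi-aws-1", "fleet-default", true)
	out, _ := json.MarshalIndent(c, "", "  ")
	fmt.Println(string(out))
	fmt.Println("creator RBAC action:", CreatorRBACAction(c.Metadata.Annotations))
}
```

Without the annotation and without a creatorId, `CreatorRBACAction` returns `no-creator`, which is the case Turtles hit before the opt-out existed; with the annotation it returns `skip`, matching the "Skipping adding creator as owner" log line.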
Waiting for Rancher release
v2.10 is out, unblocking
Test confirms that it works as expected. The environment used for validation was:
- Rancher v2.10.0
- Turtles v0.15.0-rc1
First provisioned a CAPI cluster using the AWS provider and set the label for auto-import. The cluster was imported successfully and the Rancher logs showed the expected new RBAC opt-out feature:

```
[mgmt-cluster-rbac-delete] annotation field.cattle.io/no-creator-rbac found. Skipping adding creator as owner
```
can this issue be closed?
Yes, I moved it to Done but forgot to close it. Closing it now.