If you want to provide a user with access and permissions to specific projects and resources within a cluster, assign the user a project membership.
You can add members to a project as it is created, or add them to an existing project.
Want to provide a user with access to all projects within a cluster? See Adding Cluster Members instead.
Adding Members to a New Project
You can add members to a project as you create it (recommended if possible). For details on creating a new project, refer to the cluster administration section.
Adding Members to an Existing Project
Following project creation, you can add users as project members so that they can access its resources.
In the upper left corner, click ☰ > Cluster Management.
On the Clusters page, go to the cluster where you want to add members to a project and click Explore.
Click Cluster > Projects/Namespaces.
Go to the project where you want to add members. Next to the Create Namespace button above the project name, click ☰. Select Edit Config.
In the Members tab, click Add.
Search for the user or group that you want to add to the project.
If external authentication is configured:
Rancher returns users from your external authentication source as you type.
A drop-down allows you to add groups instead of individual users. The drop-down lists only groups that you, the logged-in user, are included in.
If you are logged in as a local user, external users do not display in your search results.
Assign the user or group Project roles.
Notes:
- Users assigned the Member role for a project automatically inherit the namespace creation role. However, this role is a Kubernetes ClusterRole, meaning its scope extends to all projects in the cluster. Therefore, users explicitly assigned the Member role for a project can create or delete namespaces in other projects they're assigned to, even with only the Read Only role assigned.
- By default, the Rancher role of project-member inherits from the Kubernetes-edit role, and the project-owner role inherits from the Kubernetes-admin role. As such, both project-member and project-owner roles will allow for namespace management, including the ability to create and delete namespaces.
- For Custom roles, you can modify the list of individual roles available for assignment.
Result: The chosen users are added to the project.
- To revoke project membership, select the user and click Delete. This action deletes membership, not the user.
- To modify a user's roles in the project, delete them from the project, and then re-add them with modified roles.
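The following Python is an added example, not Rancher's own code. It audits for the situation described in the role notes above: a user who is Member in one project and holds only Read Only in another project of the same cluster. The binding field names, the read-only role identifier and the sample data are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Role named on the page as inheriting the cluster-scoped namespace creation role.
# Add other role names here if your own roles grant the same ClusterRole.
NS_CREATING = {"project-member"}
READ_ONLY = "read-only"  # assumed identifier for the Read Only role

# Constructed sample of project role bindings. The field names and the
# "cluster:project" form of projectName are assumptions, not taken from the page.
SAMPLE = json.loads("""
[
 {"projectName": "c-demo:p-payments", "roleTemplateName": "project-member", "userPrincipalName": "local://u-alice"},
 {"projectName": "c-demo:p-billing",  "roleTemplateName": "read-only",      "userPrincipalName": "local://u-alice"},
 {"projectName": "c-demo:p-billing",  "roleTemplateName": "read-only",      "userPrincipalName": "local://u-bob"},
 {"projectName": "c-demo:p-web",      "roleTemplateName": "project-member", "userPrincipalName": "local://u-carol"},
 {"projectName": "c-other:p-data",    "roleTemplateName": "read-only",      "userPrincipalName": "local://u-carol"}
]
""")

def find_scope_leaks(bindings):
    """Return sorted (user, cluster, read_only_project, granting_project) tuples."""
    # (user, cluster) -> project -> set of role names held in that project
    roles = defaultdict(lambda: defaultdict(set))
    for b in bindings:
        cluster, _, project = b["projectName"].partition(":")
        roles[(b["userPrincipalName"], cluster)][project].add(b["roleTemplateName"])

    findings = []
    for (user, cluster), projects in roles.items():
        # Projects in this cluster where the user holds a namespace-creating role.
        granting = sorted(p for p, held in projects.items() if held & NS_CREATING)
        if not granting:
            continue
        # The ClusterRole is cluster-wide, so it also applies to projects
        # in the same cluster where the user holds nothing but Read Only.
        for project, held in projects.items():
            if held == {READ_ONLY}:
                findings.append((user, cluster, project, granting[0]))
    return sorted(findings)

if __name__ == "__main__":
    for user, cluster, ro_project, src in find_scope_leaks(SAMPLE):
        print(f"{user}: Read Only in {cluster}/{ro_project}, but can create or "
              f"delete namespaces there through Member in {src}")
```

Only alice is reported: bob has no Member role anywhere, and carol's Member role is in a different cluster from her Read Only project.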