Custom Roles
Within Rancher, roles determine what actions a user can make within a cluster or project.
Note that roles are different from permissions, which determine what clusters and projects you can access.
It is possible for a custom role to enable privilege escalation. For details, see this section.
Prerequisites
To complete the tasks on this page, one of the following permissions are required:
- Administrator Global Permissions.
- Custom Global Permissions with the Manage Roles role assigned.
Creating A Custom Role for a Cluster or Project
While Rancher comes out-of-the-box with a set of default user roles, you can also create default custom roles to provide users with very specific permissions within Rancher.
The steps to add custom roles differ depending on the version of Rancher.
From the Global view, select Security > Roles from the main menu.
Select a tab to determine the scope of the roles you're adding. The tabs are:
- Cluster: The role is valid for assignment when adding/managing members to only clusters.
- Project: The role is valid for assignment when adding/managing members to only projects.
Click Add Cluster/Project Role.
Name the role.
Optional: Choose the Cluster/Project Creator Default option to assign this role to a user when they create a new cluster or project. Using this feature, you can expand or restrict the default roles for cluster/project creators.
Out of the box, the Cluster Creator Default and the Project Creator Default roles are
Cluster Owner
andProject Owner
respectively.Use the Grant Resources options to assign individual Kubernetes API endpoints to the role.
When viewing the resources associated with default roles created by Rancher, if there are multiple Kubernetes API resources on one line item, the resource will have
(Custom)
appended to it. These are not custom resources but just an indication that there are multiple Kubernetes API resources as one resource.The Resource text field provides a method to search for pre-defined Kubernetes API resources, or enter a custom resource name for the grant. The pre-defined or
(Custom)
resource must be selected from the dropdown, after entering a resource name into this field.You can also choose the individual cURL methods (
Create
,Delete
,Get
, etc.) available for use with each endpoint you assign.Use the Inherit from a Role options to assign individual Rancher roles to your custom roles. Note: When a custom role inherits from a parent role, the parent role cannot be deleted until the child role is deleted.
Click Create.
Creating a Custom Global Role
Creating a Custom Global Role that Copies Rules from an Existing Role
If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role in which all of the rules from another role, such as the administrator role, are copied into a new role. This allows you to only configure the variations between the existing role and the new role.
The custom global role can then be assigned to a user or group so that the custom global role takes effect the first time the user or users sign into Rancher.
To create a custom global role based on an existing role,
Go to the Global view and click Security > Roles.
On the Global tab, go to the role that the custom global role will be based on. Click ⋮ (…) > Clone.
Enter a name for the role.
Optional: To assign the custom role default for new users, go to the New User Default section and click Yes: Default role for new users.
In the Grant Resources section, select the Kubernetes resource operations that will be enabled for users with the custom role.
The Resource text field provides a method to search for pre-defined Kubernetes API resources, or enter a custom resource name for the grant. The pre-defined or
(Custom)
resource must be selected from the dropdown, after entering a resource name into this field.Click Save.
Creating a Custom Global Role that Does Not Copy Rules from Another Role
Custom global roles don't have to be based on existing roles. To create a custom global role by choosing the specific Kubernetes resource operations that should be allowed for the role, follow these steps:
Go to the Global view and click Security > Roles.
On the Global tab, click Add Global Role.
Enter a name for the role.
Optional: To assign the custom role default for new users, go to the New User Default section and click Yes: Default role for new users.
In the Grant Resources section, select the Kubernetes resource operations that will be enabled for users with the custom role.
The Resource text field provides a method to search for pre-defined Kubernetes API resources, or enter a custom resource name for the grant. The pre-defined or
(Custom)
resource must be selected from the dropdown, after entering a resource name into this field.Click Save.
Deleting a Custom Global Role
When deleting a custom global role, all global role bindings with this custom role are deleted.
If a user is only assigned one custom global role, and the role is deleted, the user would lose access to Rancher. For the user to regain access, an administrator would need to edit the user and apply new global permissions.
Custom global roles can be deleted, but built-in roles cannot be deleted.
To delete a custom global role,
- Go to the Global view and click Security > Roles.
- On the Global tab, go to the custom global role that should be deleted and click ⋮ (…) > Delete.
- Click Delete.
Assigning a Custom Global Role to a Group
If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role. When the role is assigned to a group, the users in the group have the appropriate level of access the first time they sign into Rancher.
When a user in the group logs in, they get the built-in Standard User global role by default. They will also get the permissions assigned to their groups.
If a user is removed from the external authentication provider group, they would lose their permissions from the custom global role that was assigned to the group. They would continue to have their individual Standard User role.
Prerequisites: You can only assign a global role to a group if:
- You have set up an external authentication provider
- The external authentication provider supports user groups
- You have already set up at least one user group with the authentication provider
To assign a custom global role to a group, follow these steps:
- From the Global view, go to Security > Groups.
- Click Assign Global Role.
- In the Select Group To Add field, choose the existing group that will be assigned the custom global role.
- In the Custom section, choose any custom global role that will be assigned to the group.
- Optional: In the Global Permissions or Built-in sections, select any additional permissions that the group should have.
- Click Create.
Result: The custom global role will take effect when the users in the group log into Rancher.
Privilege Escalation
The Configure Catalogs
custom permission is powerful and should be used with caution. When an admin assigns the Configure Catalogs
permission to a standard user, it could result in privilege escalation in which the user could give themselves admin access to Rancher provisioned clusters. Anyone with this permission should be considered equivalent to an admin.
The Manager Users
role grants the ability to create, update, and delete any user. This presents the risk of privilege escalation as even non-admin users with this role will be able to create, update, and delete admin users. Admins should take caution when assigning this role.