Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
l
little-art-55288
04/04/2023, 11:18 PMHi,
Can i limit rancher users permissions limited to specific clusters using global roles?
q
quaint-oyster-88347
04/04/2023, 11:31 PMYes you place users with specific roles from global, cluster, project level permissions. Just go under "users & authentication" There you create and assign roles and permissions.
l
little-art-55288
04/04/2023, 11:34 PMi am running cluster autoscaler with rancher provider. This autoscaler needs token to access rancher apis such as updating specific cluster to scale up/down. I want to limit this token to specific cluster alone.
Note: scoped token does not work as per the following: https://github.com/rancher/rancher/issues/29943
cluster role will not help here as i must provide global privileges to the user to send api calls to rancher for scaling up and scaling down a cluster. But if i set global verbs e.g. list, update, etc, it will be applicable to all clusters ..
q
quaint-oyster-88347
04/04/2023, 11:40 PMHmm.... Perhaps you can create a local user and specify the role specific parameters. then create a new API token based on the local user.
l
little-art-55288
04/04/2023, 11:41 PMI did that; since it is global role, it will be applicable to all clusters.
is there a way to limit global role permissions to specific clusters only?
q
quaint-oyster-88347
04/04/2023, 11:44 PMBut I believe you are to scope the api token during the creation process.
l
little-art-55288
04/04/2023, 11:44 PMscoped api token does not work with rancher apis or rancher cli ...
so scoped api token does not work with autoscaler at all ..
q
quaint-oyster-88347
04/04/2023, 11:49 PMwhat version of rancher are you running...
l
little-art-55288
04/04/2023, 11:49 PM2.6.11
q
quaint-oyster-88347
04/04/2023, 11:49 PMInteresting.... I'll look into it.
l
little-art-55288
04/04/2023, 11:50 PMthanks
are you from rancher team or community member ?
q
quaint-oyster-88347
04/04/2023, 11:52 PMCommunity member but I've be Admin / Engineer using Rancher since it infancy .. I'm an early adopter. I have terraform running on my work cluster I don't have it running in my home cluster..
l
little-art-55288
04/04/2023, 11:52 PMgreat ... looking forward to hear from you if you find any solution 🙂
q
quaint-oyster-88347
04/05/2023, 12:00 AMno problem
l
little-art-55288
04/07/2023, 5:05 PM@quaint-oyster-88347 did you get a chance to look at it.