
freezing-hairdresser-79403

05/04/2023, 7:23 AM
Is it possible to disable the default Rancher-created projects during the Rancher installation? I am referring to the projects that group the namespaces.

brainy-printer-12087

05/04/2023, 7:46 AM
Do you mean that you would like to disable the project feature?

freezing-hairdresser-79403

05/04/2023, 7:48 AM
The ability to delete the default projects created by Rancher and create new ones instead (while leaving the project feature itself enabled)? It's worth noting that deleting the default "System" project may not be possible.

brainy-printer-12087

05/04/2023, 7:53 AM
Why would you want to delete the System project? It’s done specifically to avoid removing Rancher-related parts.

freezing-hairdresser-79403

05/04/2023, 7:54 AM
Sorry, maybe it's not clear enough. I would like to delete a non-system project, like the "default" project.
And then create new ones.

brainy-printer-12087

05/04/2023, 7:58 AM
I can understand having no projects and starting from scratch, but what would be the benefit of creating one anyway afterwards?

freezing-hairdresser-79403

05/04/2023, 8:14 AM
To achieve my goal, I would like to manage the role-based access control for both system and non-system namespaces, such as kube-system. This will help me to have better control over access to Kubernetes resources and manage user permissions more effectively.
I plan to create an additional non-system project that contains all of the namespaces for the workload. Then, I will assign users to this project as members based on their scope of access. This approach will provide me with more granular control over access to Kubernetes resources and better management of user permissions.
I will need to deploy the additional non-system project during the Rancher installation process.

brainy-printer-12087

05/04/2023, 8:34 AM
You mean after the installation, no? Because otherwise it would mean setting both projects and users at the same time, or I’m missing something 😅 Having projects configured as you described is pretty much what the feature is for. Do you maybe mean that some system namespaces are not in a project?

freezing-hairdresser-79403

05/04/2023, 2:01 PM
@brainy-printer-12087 Sorry if it was not clear enough. It seems that two projects, "system" and "default", have already been created to hold the kube-system namespace and others. However, my goal is to create a new project that will hold all of the namespaces required to run my workload. My question is this: is it possible to create a new project during the Rancher installation process and then assign specific roles and permissions to users for that project? Or maybe during the installation of a downstream cluster? I am using a Helm chart to install Rancher and other downstream clusters.

freezing-hairdresser-79403

05/04/2023, 7:13 PM
Yes
Is there a specific Custom Resource Definition (CRD) in Rancher that can be used to create project and project role mappings through a YAML file?

brainy-printer-12087

05/04/2023, 7:44 PM
No, however the mapping of NS to project is handled via an annotation on the namespace

freezing-hairdresser-79403

05/04/2023, 7:45 PM
Understood, so it seems that the most viable option now is to utilize the Rancher API.
However, I am able to find the projects.management.cattle.io Project Custom Resource Definition (CRD) when listing all CRDs in my Rancher cluster.
Is the projects.management.cattle.io Project CRD currently unusable or not yet ready for use?
@brainy-printer-12087 Hey! Is it possible to activate Rancher with an external identity provider such as Azure AD through the API?
Tested, but it is not working as expected! The identity provider is activated, but the user groups are not being pulled into Rancher.

brainy-printer-12087

05/05/2023, 4:57 PM
What do you mean by “Activating”? For the admin as initial user? If I recall correctly, in the documentation the first user should be admin, then we even recommend the use of external identity providers.

freezing-hairdresser-79403

05/05/2023, 5:02 PM
After making a call to the Rancher API to enable Azure AD using the following curl command, I can see that Azure AD is activated in the dashboard. However, no user groups are being pulled down into the Rancher cluster.
# PUT the Azure AD auth config to the Rancher v3 API (-k skips TLS certificate verification)
curl -s -k -H "Authorization: Bearer ${TOKEN}" \
     -H 'Content-Type: application/json' \
     -X PUT -d '{"name": "azuread", "enabled": true, "type": "azureADConfig", "tenantId": "xxxxxxxxxxxxxxxxxxxxxxx", "applicationId": "xxxxxxxxxxxxxxxxxxxx", "applicationSecret": "xxxxxxxxxxxxxxxxxxxxx", "endpoint": "https://login.microsoftonline.com/", "accessMode": "unrestricted", "tokenEndpoint": "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token", "graphEndpoint": "https://graph.microsoft.com", "authEndpoint": "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/authorize", "rancherUrl": "https://rancher.example.net/verify-auth-azure"}' \
     "https://rancher.example.net/v3/azureADConfigs/azuread"
However, when activating Azure AD through the UI, there are at least three API calls made to get the authorization code and perform other necessary actions. I would like to know if the API call I have made above is sufficient to enable Azure AD to work seamlessly with Rancher?
Yes, I do have an initial admin account with which I can log in to Rancher and activate Azure AD. However, my goal is to perform this activation through Rancher API calls using the curl commands.
@brainy-printer-12087 Let me know if it's clear enough.