Are the users project members of projects within the cluster, and on which roles and resources did you update those verbs?
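These are permission I gave

# Rancher role templates for the "scs" cluster.
# Each rancher2_role_template maps to a Rancher RoleTemplate that Rancher
# turns into Kubernetes (Cluster)Roles when bound to a user. Unless stated
# otherwise, every rule below grants only get/list/watch, i.e. read access.

# Cluster level permissions
resource "rancher2_role_template" "cluster_deployment_handler" {
  name         = "scs-cluster-app-deployment-handler-role"
  context      = "cluster"
  default_role = false
  description  = "Cluster level permissions for application deployment handler"

  # View node permissions.
  # NOTE(review): the original comment said "View, drain and cordon", but only
  # get/list/watch are granted; cordon/drain need update or patch on nodes
  # (and create on pods/eviction for drain), so this rule is read-only as written.
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["nodes", "nodepools", "clustermonitorgraphs"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["nodes"]
    verbs      = ["get", "list", "watch"]
  }

  # View storage permissions (read-only; no create/update/delete is granted)
  rules {
    api_groups = ["*"]
    resources  = ["storageclasses"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["persistentvolumes", "persistentvolumeclaims"]
    verbs      = ["get", "list", "watch"]
  }

  # View notifiers
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["notifiers"]
    verbs      = ["get", "list", "watch"]
  }

  # View priority classes
  rules {
    api_groups = ["scheduling.k8s.io"]
    resources  = ["priorityclasses"]
    verbs      = ["get", "list", "watch"]
  }
}

# Project level permissions
resource "rancher2_role_template" "project_deployment_handler" {
  name         = "scs-project-app-deployment-handler-role"
  context      = "project"
  default_role = false
  description  = "Project level permissions for application deployment handler"

  rules {
    api_groups = ["*"]
    resources  = ["namespaces"]
    verbs      = ["get", "list", "watch"]
  }

  # View alerts (read-only; the original comment said "Configure alerts" but
  # no create/update/delete verbs are granted)
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["projectalertrules", "projectalertgroups"]
    verbs      = ["get", "list", "watch"]
  }

  # View workload resources.
  # NOTE(review): "secrets" with get/list discloses secret contents, and
  # "pods/exec" with get may still permit interactive exec through clients that
  # use the GET/websocket upgrade path -- confirm both are intended for a
  # handler role that otherwise has no write verbs on deployments.
  rules {
    api_groups = ["*"]
    # For a list of k8s resources, see https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
    resources = [
      "configmaps",
      "endpoints",
      "events",
      "limitranges",
      "pods",
      "pods/log",
      "pods/exec",
      "pods/status",
      "podtemplates",
      "replicationcontrollers",
      "secrets",
      "serviceaccounts",
      "services",
      "daemonsets",
      "deployments",
      "deployments/scale",
      "replicasets",
      "statefulsets",
      "cronjobs",
      "jobs",
      "ingresses",
      "poddisruptionbudgets",
      "rolebindings",
      "roles",
    ]
    verbs = ["get", "list", "watch"]
  }
}

## Read only roles

# Cluster level permissions
resource "rancher2_role_template" "cluster_readonly" {
  name         = "scs-cluster-readonly-role"
  context      = "cluster"
  default_role = true
  description  = "Cluster level read only permissions"

  # View node permissions
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["nodes", "nodepools", "clustermonitorgraphs"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["nodes"]
    verbs      = ["get", "list", "watch"]
  }

  # View storage permissions
  rules {
    api_groups = ["*"]
    resources  = ["storageclasses", "persistentvolumes", "persistentvolumeclaims"]
    verbs      = ["get", "list", "watch"]
  }

  # View cluster RBAC and registration tokens.
  # NOTE(review): clusterregistrationtokens carry the node-registration
  # command/token; confirm a default read-only role should be able to read them.
  rules {
    api_groups = ["*"]
    resources  = ["clusterroles", "clusterrolebindings", "clusterregistrationtokens"]
    verbs      = ["get", "list", "watch"]
  }

  # View notifiers
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["notifiers"]
    verbs      = ["get", "list", "watch"]
  }

  # View priority classes
  rules {
    api_groups = ["scheduling.k8s.io"]
    resources  = ["priorityclasses"]
    verbs      = ["get", "list", "watch"]
  }

  # View validating webhook configuration
  rules {
    api_groups = ["admissionregistration.k8s.io"]
    resources  = ["validatingwebhookconfigurations"]
    verbs      = ["get", "list", "watch"]
  }

  # View ingress classes
  rules {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingressclasses"]
    verbs      = ["get", "list", "watch"]
  }
}

# Project level permissions
resource "rancher2_role_template" "project_readonly" {
  name         = "scs-project-readonly-role"
  context      = "project"
  default_role = true
  description  = "Project level read only permissions"

  # View namespaces and resource quota
  rules {
    api_groups = ["*"]
    resources  = ["namespaces", "resourcequotas"]
    verbs      = ["get", "list", "watch"]
  }

  # View alerts
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["projectalertrules", "projectalertgroups"]
    verbs      = ["get", "list", "watch"]
  }

  # View K8s resources.
  # NOTE(review): "secrets" is readable here, so this "read only" role still
  # exposes secret contents -- confirm that is acceptable for a default role.
  rules {
    api_groups = ["*"]
    resources = [
      "configmaps",
      "endpoints",
      "events",
      "limitranges",
      "pods",
      "pods/log",
      "pods/status",
      "podtemplates",
      "replicationcontrollers",
      "secrets",
      "serviceaccounts",
      "services",
      "daemonsets",
      "deployments",
      "replicasets",
      "statefulsets",
      "cronjobs",
      "jobs",
      "ingresses",
      "poddisruptionbudgets",
      "rolebindings",
      "roles",
    ]
    verbs = ["get", "list", "watch"]
  }
}

resource "rancher2_role_template" "cluster_deployment_assign" {
  name         = "scs-cluster-app-deployment-assign-role"
  context      = "cluster"
  default_role = false
  description  = "Cluster level permissions to assign application deployment handler"

  # Add / Remove role to user permissions.
  # NOTE(review): this rule is not scoped to a particular role template, so a
  # holder can create bindings for any cluster role template, not just the
  # deployment handler -- confirm Rancher restricts this, otherwise treat the
  # role as equivalent to cluster-level membership management.
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["clusterroletemplatebindings"]
    verbs      = ["create", "delete"]
  }
}

resource "rancher2_role_template" "cluster_owner" {
  name         = "scs-cluster-owner-role"
  description  = "Full control over a cluster."
  default_role = false
  context      = "cluster" # Context can be 'cluster' or 'project'

  # Full access to every API group, resource and verb.
  rules {
    api_groups = ["*"] # Grants access to all API groups
    resources  = ["*"] # Grants access to all resources
    verbs      = ["*"] # Grants all actions like get, list, create, delete, etc.
  }

  # The rules below are already covered by the wildcard rule above and only
  # spell out the node and namespace access explicitly; they do not widen
  # or narrow what the role grants.
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["nodes", "nodepools", "clustermonitorgraphs"]
    verbs      = ["get", "list", "watch", "update"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["nodes"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = [""]
    resources  = ["namespaces"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }
  rules {
    non_resource_urls = ["*"] # Grants access to all non-resource URLs
    verbs             = ["*"]
  }
}
# NOTE(review): the pasted version ended with an extra closing brace after
# cluster_owner, which would fail `terraform validate`; it has been removed.
# The duplicate "events" entry in both project resource lists was also dropped.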
Could it be a caching issue, because we previously gave that user owner access for a long time?
Can anyone please help me with this?