Rancher Permissions Issue. We've encountered a problem in our Rancher environment: previously, some users were assigned as Cluster Owners. I've removed their owner access and updated their permissions to allow only the `view`, `watch`, and `list` verbs. However, they are still able to perform the actions they had as owners (e.g. editing or deleting resources), which shouldn't be the case. Has anyone seen this behavior before, or does anyone know whether there is a delay or cache in permission updates? Any help is appreciated. 🙏
Are the users project members of projects within the cluster, and on which roles and resources did you update those verbs?
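These are the permissions I gave:

# Cluster level permissions.
# Every rule in the two "deployment handler" templates is read-only
# (get/list/watch); nothing here grants edit or delete.
resource "rancher2_role_template" "cluster_deployment_handler" {
  name         = "scs-cluster-app-deployment-handler-role"
  context      = "cluster"
  default_role = false
  description  = "Cluster level permissions for application deployment handler"

  # View node permissions (the comment in the original said "drain and cordon",
  # but only get/list/watch is granted, so the role cannot drain or cordon).
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["nodes", "nodepools", "clustermonitorgraphs"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["nodes"]
    verbs      = ["get", "list", "watch"]
  }

  # View storage permissions
  rules {
    api_groups = ["*"]
    resources  = ["storageclasses"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["persistentvolumes", "persistentvolumeclaims"]
    verbs      = ["get", "list", "watch"]
  }

  # View notifiers
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["notifiers"]
    verbs      = ["get", "list", "watch"]
  }

  # View priority classes
  rules {
    api_groups = ["scheduling.k8s.io"]
    resources  = ["priorityclasses"]
    verbs      = ["get", "list", "watch"]
  }
}

# Project level permissions
resource "rancher2_role_template" "project_deployment_handler" {
  name         = "scs-project-app-deployment-handler-role"
  context      = "project"
  default_role = false
  description  = "Project level permissions for application deployment handler"

  rules {
    api_groups = ["*"]
    resources  = ["namespaces"]
    verbs      = ["get", "list", "watch"]
  }

  # View alerts
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["projectalertrules", "projectalertgroups"]
    verbs      = ["get", "list", "watch"]
  }

  # View K8s resources.
  # For a list of k8s resources, see
  # https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
  # NOTE(review): get/list on "secrets" returns secret contents, and "pods/exec"
  # is listed although exec needs the create verb, which is not granted here —
  # confirm both entries are intended for this handler.
  rules {
    api_groups = ["*"]
    resources = [
      "configmaps",
      "endpoints",
      "events", # was listed twice in the original; duplicate removed
      "limitranges",
      "pods",
      "pods/log",
      "pods/exec",
      "pods/status",
      "podtemplates",
      "replicationcontrollers",
      "secrets",
      "serviceaccounts",
      "services",
      "daemonsets",
      "deployments",
      "deployments/scale",
      "replicasets",
      "statefulsets",
      "cronjobs",
      "jobs",
      "ingresses",
      "poddisruptionbudgets",
      "rolebindings",
      "roles",
    ]
    verbs = ["get", "list", "watch"]
  }
}

## Read only roles

# Cluster level permissions.
# default_role = true: presumably applied to new cluster members by default —
# confirm against the provider docs; it does not revoke anything already granted.
resource "rancher2_role_template" "cluster_readonly" {
  name         = "scs-cluster-readonly-role"
  context      = "cluster"
  default_role = true
  description  = "Cluster level read only permissions"

  # View node permissions
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["nodes", "nodepools", "clustermonitorgraphs"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["nodes"]
    verbs      = ["get", "list", "watch"]
  }

  # View storage permissions
  rules {
    api_groups = ["*"]
    resources  = ["storageclasses", "persistentvolumes", "persistentvolumeclaims"]
    verbs      = ["get", "list", "watch"]
  }

  # View cluster RBAC objects and registration tokens
  rules {
    api_groups = ["*"]
    resources  = ["clusterroles", "clusterrolebindings", "clusterregistrationtokens"]
    verbs      = ["get", "list", "watch"]
  }

  # View notifiers
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["notifiers"]
    verbs      = ["get", "list", "watch"]
  }

  # View priority classes
  rules {
    api_groups = ["scheduling.k8s.io"]
    resources  = ["priorityclasses"]
    verbs      = ["get", "list", "watch"]
  }

  # View validating webhook configuration
  rules {
    api_groups = ["admissionregistration.k8s.io"]
    resources  = ["validatingwebhookconfigurations"]
    verbs      = ["get", "list", "watch"]
  }

  # View ingress classes
  rules {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingressclasses"]
    verbs      = ["get", "list", "watch"]
  }
}

# Project level permissions
resource "rancher2_role_template" "project_readonly" {
  name         = "scs-project-readonly-role"
  context      = "project"
  default_role = true
  description  = "Project level read only permissions"

  # View namespaces and resource quota
  rules {
    api_groups = ["*"]
    resources  = ["namespaces", "resourcequotas"]
    verbs      = ["get", "list", "watch"]
  }

  # View alerts
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["projectalertrules", "projectalertgroups"]
    verbs      = ["get", "list", "watch"]
  }

  # View K8s resources
  rules {
    api_groups = ["*"]
    resources = [
      "configmaps",
      "endpoints",
      "events", # was listed twice in the original; duplicate removed
      "limitranges",
      "pods",
      "pods/log",
      "pods/status",
      "podtemplates",
      "replicationcontrollers",
      "secrets",
      "serviceaccounts",
      "services",
      "daemonsets",
      "deployments",
      "replicasets",
      "statefulsets",
      "cronjobs",
      "jobs",
      "ingresses",
      "poddisruptionbudgets",
      "rolebindings",
      "roles",
    ]
    verbs = ["get", "list", "watch"]
  }
}

# Grants the ability to add and remove cluster role template bindings.
# NOTE(review): create on clusterroletemplatebindings is not scoped to specific
# templates in this rule, so the holder can bind templates to users — confirm
# that Rancher's escalation checks restrict which templates may be bound.
resource "rancher2_role_template" "cluster_deployment_assign" {
  name         = "scs-cluster-app-deployment-assign-role"
  context      = "cluster"
  default_role = false
  description  = "Cluster level permissions to assign application deployment handler"

  # Add / Remove role to user permissions
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["clusterroletemplatebindings"]
    verbs      = ["create", "delete"]
  }
}

# Full cluster control.
# RBAC is additive: assigning one of the read-only templates above does not
# remove anything granted here. A user who still has a binding to this
# template (or to Rancher's built-in cluster owner role) keeps edit/delete,
# so the first thing to check is the user's remaining cluster and project
# role template bindings.
resource "rancher2_role_template" "cluster_owner" {
  name         = "scs-cluster-owner-role"
  description  = "Full control over a cluster."
  default_role = false
  context      = "cluster" # Context can be 'cluster' or 'project'

  # Wildcard rule: every verb on every resource in every API group.
  rules {
    api_groups = ["*"] # Grants access to all API groups
    resources  = ["*"] # Grants access to all resources
    verbs      = ["*"] # Grants all actions like get, list, create, delete, etc.
  }

  # The rules below are already covered by the wildcard rule above; they are
  # kept only to make the node and namespace permissions explicit.
  rules {
    api_groups = ["management.cattle.io"]
    resources  = ["nodes", "nodepools", "clustermonitorgraphs"]
    verbs      = ["get", "list", "watch", "update"]
  }
  rules {
    api_groups = ["*"]
    resources  = ["nodes"]
    verbs      = ["get", "list", "watch"]
  }
  rules {
    api_groups = [""]
    resources  = ["namespaces"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  # Grants access to all non-resource URLs
  rules {
    non_resource_urls = ["*"]
    verbs             = ["*"]
  }
}
# The pasted version ended with one extra unmatched "}" after this resource;
# it has been dropped so the configuration parses.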
Could it be a caching issue, given that we previously gave that user owner access for a long time?