Apparently everybody with ClusterMember permission can create his own project without resource limits and become a ProjectOwner. Would it be possible to fix this? How about setting at least some default project constraints for each managed cluster?

That is the default behavior: https://ranchermanager.docs.rancher.com/v2.5/how-to-guides/advanced-user-guides/authenticati[…]e-based-access-control-rbac/cluster-and-project-roles Not sure what your use case is, but sounds like it would be worth reading on the built-in project roles, and how to create your own custom role.

I understand that this is the default, but its a bad choice (IMHO). Creating new projects should be the job of the cluster owner. I do have a derived ClusterMember role (based on the default ClusterMember role). How can I remove the permission to create projects in the derived role?