Long story short: I have a Rancher cluster. There is a foo project in the cluster and a bar namespace in the foo project (Rancher cluster -> foo project -> bar namespace). I assigned a user to the foo project with the project-member role.
My question is: how can I prevent the user from creating a Kubernetes Secret object? I want to keep the project-member role except for the create-secret permission, and I want to achieve this on the Rancher side.
What have I found out so far?
- I asked ChatGPT about it and it gave me the following solution: "Create RBAC objects: a Role and a RoleBinding with the get, list and watch verbs for the secrets resource." I don't want to create RBAC objects in my case.
- Rancher's project-member role doesn't contain the secrets resource, so I don't even know how a user with the project-member role is able to create a secret. Could anyone explain it to me?
Update #1
"By default, the Rancher role of project-member inherits from the Kubernetes-edit role, and the project-owner role inherits from the Kubernetes-admin role. As such, both project-member and project-owner roles will allow for namespace management, including the ability to create and delete namespaces." (source)
There is an edit ClusterRole object that contains the permission to create a secret.
Update #2
I can create a custom project role that inherits from the Read-only role, and then add the required permissions and roles. I think it might be the best option in my case. I won't mark the question as answered yet.
Thanks in advance!
This is what I've done to achieve my goal:
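As an added illustration of the approach sketched in Update #2 (this is not the asker's own solution, which is not shown on this page, nor Rancher project code), below is a Rancher RoleTemplate that inherits the built-in Read-only template and adds write verbs only for workload resources, so Secrets never gain a create verb. The template name, display name and the exact resource list are assumptions; the point is that Kubernetes RBAC is additive only, so "project-member minus create secrets" has to be built up from a smaller role rather than subtracted from edit.

```yaml
# Added example (assumed names). A Rancher RoleTemplate is Rancher's own CRD,
# applied on the Rancher side; Rancher turns it into Kubernetes RBAC for the
# project's namespaces. RBAC has no deny rules, so the only way to withhold
# "create secrets" is to never grant it: inherit read-only and add writes
# resource by resource, leaving "secrets" out of every write rule.
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
  name: project-member-no-secret-write   # assumed name
displayName: Project Member (no secret writes)
context: project
roleTemplateNames:
  - read-only    # Rancher built-in: get/list/watch in the project;
                 # check in your Rancher version whether it covers secrets
rules:
  # Core workloads and config the member still needs to manage.
  # Note: create/update on pods still lets a user mount existing secrets
  # into a pod and read them from inside it; this template only blocks
  # creating new Secret objects, not reading those already granted.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps",
                "persistentvolumeclaims", "serviceaccounts"]
    verbs: ["create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["create", "update", "patch", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["create", "update", "patch", "delete"]
```

After assigning this template to the user in the foo project, verify the result from a cluster-admin kubeconfig with `kubectl auth can-i create secrets --as=<user> -n bar` (expected: no) and `kubectl auth can-i create deployments --as=<user> -n bar` (expected: yes).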