Setup Multi User
SUSE® Rancher Prime Continuous Delivery uses Kubernetes RBAC where possible.
One addition on top of RBAC is the GitRepoRestriction resource, which can be used to control GitRepo resources in a namespace.
A multi-user fleet setup looks like this:
- tenants don't share namespaces: each tenant has one or more namespaces on the upstream cluster, where they can create GitRepo resources
- tenants can't deploy cluster-wide resources and are limited to a set of namespaces on downstream clusters
- clusters are in a separate namespace
Important information: The isolation of tenants is not complete and relies on Kubernetes RBAC being set up correctly. Without manual setup by an operator, tenants can still deploy cluster-wide resources. Even with the available SUSE® Rancher Prime Continuous Delivery restrictions, users are only restricted to namespaces, and namespaces provide little isolation on their own: for example, a tenant can still consume as many cluster resources as they like unless the operator also applies ResourceQuotas and LimitRanges. However, the existing SUSE® Rancher Prime Continuous Delivery restrictions do allow users to share clusters and deploy resources without conflicts.
Example SUSE® Rancher Prime Continuous Delivery Standalone
This creates a service account 'fleetuser' (in the default namespace) that can only manage GitRepo resources in the 'project1' namespace:
kubectl create serviceaccount fleetuser
kubectl create namespace project1
kubectl create -n project1 role fleetuser --verb=get --verb=list --verb=create --verb=delete --resource=gitrepos.fleet.cattle.io
kubectl create -n project1 rolebinding fleetuser --serviceaccount=default:fleetuser --role=fleetuser
If we want to give access to multiple namespaces, we can use a single ClusterRole referenced from a RoleBinding in each namespace (a RoleBinding to a ClusterRole only grants the permissions within that RoleBinding's own namespace):
kubectl create clusterrole fleetuser --verb=get --verb=list --verb=create --verb=delete --resource=gitrepos.fleet.cattle.io
kubectl create -n project1 rolebinding fleetuser --serviceaccount=default:fleetuser --clusterrole=fleetuser
kubectl create -n project2 rolebinding fleetuser --serviceaccount=default:fleetuser --clusterrole=fleetuser
This makes sure tenants can't interfere with each other's GitRepo resources, since they have no access to other tenants' namespaces.
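The standalone setup above and the GitRepoRestriction mentioned in the introduction, as one added example script written for this page (it is not taken from the Fleet or Rancher documentation). It generates the per-tenant RBAC as a manifest, adds a GitRepoRestriction so that GitRepos in the tenant namespace can only target listed downstream namespaces, and checks the resulting isolation with `kubectl auth can-i`. The script name, the `apply` argument, the downstream namespace names and the downstream service account are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the Fleet/Rancher docs: generate the per-tenant
# RBAC plus a GitRepoRestriction for the tenant namespace, and check the
# resulting isolation with SubjectAccessReviews (kubectl auth can-i).
# Assumptions (hypothetical, not fixed by the page): the tenant service
# account lives in the "default" namespace, and the service account named
# in the restriction already exists on the downstream clusters.
set -eu

# Namespace, ServiceAccount, Role and RoleBinding for one tenant: the same
# grants as the kubectl commands above, as a manifest that can be reviewed
# and committed before it is applied.
tenant_rbac_manifest() {
  ns=$1; sa=$2
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $ns
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $sa
  namespace: $ns
rules:
- apiGroups: ["fleet.cattle.io"]
  resources: ["gitrepos"]
  verbs: ["get", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $sa
  namespace: $ns
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $sa
EOF
}

# GitRepoRestriction for the tenant namespace: every GitRepo created there
# may only target the listed downstream namespaces (so no cluster-wide
# resources) and is deployed with the given downstream service account
# rather than the agent's own, by default cluster-admin, permissions.
gitrepo_restriction_manifest() {
  ns=$1; sa=$2; shift 2
  cat <<EOF
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepoRestriction
metadata:
  name: $ns-restriction
  namespace: $ns
defaultServiceAccount: $sa
allowedServiceAccounts:
- $sa
allowedTargetNamespaces:
EOF
  for target in "$@"; do
    printf -- '- %s\n' "$target"
  done
}

# Impersonate the tenant service account and ask the API server whether a
# GitRepo may be created in a namespace. Prints allowed/denied instead of
# relying on the exit code, so set -e does not abort on a "no".
can_create_gitrepo() {
  sa=$1; ns=$2
  if kubectl auth can-i create gitrepos.fleet.cattle.io -n "$ns" \
       --as="system:serviceaccount:default:$sa" >/dev/null 2>&1; then
    echo allowed
  else
    echo denied
  fi
}

# Usage: sh fleet-tenant.sh apply project1 fleetuser project1-app project1-db
# Expected afterwards: own namespace allowed, the other tenant's denied.
if [ "${1:-}" = "apply" ]; then
  shift
  tenant_rbac_manifest "$1" "$2" | kubectl apply -f -
  gitrepo_restriction_manifest "$@" | kubectl apply -f -
  echo "$1: $(can_create_gitrepo "$2" "$1")"
  echo "project2: $(can_create_gitrepo "$2" project2)"
fi
```

With `allowedTargetNamespaces` set, a GitRepo in project1 has to set `targetNamespace` to one of the listed namespaces; a GitRepo that violates the restriction is marked with an error by the Fleet controller instead of being deployed. This is the operator-side setup the note above refers to: RBAC alone limits where a tenant may create GitRepos, the restriction limits what those GitRepos may touch downstream.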
Example SUSE® Rancher Prime Continuous Delivery in Rancher
When a new fleet workspace is created, a corresponding namespace with an identical name is automatically generated within the Rancher local cluster. For a user to see and deploy fleet resources in a specific workspace, they need at least the following permissions:
- list/get the fleetworkspace cluster-wide resource in the local cluster
- permissions to create fleet resources (such as bundles, gitrepos, …) in the backing namespace for the workspace in the local cluster
Let’s grant permissions to deploy fleet resources in the project1 and project2 fleet workspaces: