Enforcing Templates

This section describes how template administrators can enforce templates in Rancher, restricting the ability of users to create clusters without a template.

By default, any standard user in Rancher can create clusters. But when RKE template enforcement is turned on,

  • Only an administrator has the ability to create clusters without a template.

  • All standard users must use an RKE template to create a new cluster.

  • Standard users cannot create a cluster without using a template.

Users can only create new templates if the administrator gives them permission.

After a cluster is created with an RKE template, the cluster creator cannot edit settings that are defined in the template. The only way to change those settings after the cluster is created is to upgrade the cluster to a new revision of the same template. If cluster creators want to change template-defined settings, they would need to contact the template owner to get a new revision of the template. For details on how template revisions work, refer to the documentation on revising templates.

Requiring New Clusters to Use an RKE Template

You might want to require new clusters to use a template to ensure that any cluster launched by a standard user will use the Kubernetes and/or Rancher settings that are vetted by administrators.

To require new clusters to use an RKE template, administrators can turn on RKE template enforcement with the following steps:

  1. Click ☰ > Global Settings.

  2. Go to the cluster-template-enforcement setting. Click ⋮ > Edit Setting.

  3. Set the value to True and click Save.

    Important:

    When the admin sets the cluster-template-enforcement to True, they also need to share the clusterTemplates with users so that users can select one of these templates to create the cluster.

Result: All clusters provisioned by Rancher must use a template, unless the creator is an administrator.

Disabling RKE Template Enforcement

To allow new clusters to be created without an RKE template, administrators can turn off RKE template enforcement with the following steps:

  1. Click ☰ > Global Settings.

  2. Go to the cluster-template-enforcement setting. Click ⋮ > Edit Setting.

  3. Set the value to False and click Save.

Result: When clusters are provisioned by Rancher, they don’t need to use a template.