Add Rancher example multi-user doc (#127)

Add Rancher multi-user doc
This commit is contained in:
Raul Cabello Martin 2024-04-26 11:29:37 +02:00 committed by GitHub
parent 1055f1106d
commit 635a97ae4b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 74 additions and 1 deletions

@ -28,7 +28,7 @@ deploy resources without conflicts.
:::
## Example User
## Example Fleet Standalone
This would create a user 'fleetuser', who can only manage GitRepo resources in the 'project1' namespace.
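Review bot: renaming `## Example User` to `## Example Fleet Standalone` changes the heading's generated anchor, so any existing links to `#example-user` will stop resolving; keep the old anchor or update those references. The sentence that follows still opens with "This would create a user 'fleetuser'", so a short lead sentence saying this is the standalone (non-Rancher) setup would make the contrast with the new "Example Fleet in Rancher" section explicit.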
@ -45,6 +45,79 @@ If we want to give access to multiple namespaces, we can use a single cluster ro
This makes sure, tenants can't interfere with GitRepo resources from other tenants, since they don't have access to their namespaces.
## Example Fleet in Rancher
When a new fleet workspace is created, a corresponding namespace with an identical name is automatically generated within the Rancher local cluster.
For a user to see and deploy fleet resources in a specific workspace, they need at least the following permissions:
- list/get the `fleetworkspace` cluster-wide resource in the local cluster
- Permissions to create fleet resources (such as `bundles`, `gitrepos`, ...) in the backing namespace for the workspace in the local cluster.
Let's grant permissions to deploy fleet resources in the `project1` and `project2` fleet workspaces:
- To create the `project1` and `project2` fleet workspaces, you can either do it in the [Rancher UI](https://ranchermanager.docs.rancher.com/integrations-in-rancher/fleet/overview#accessing-fleet-in-the-rancher-ui) or use the following YAML resources:
```
apiVersion: management.cattle.io/v3
kind: FleetWorkspace
metadata:
name: project1
```
```
apiVersion: management.cattle.io/v3
kind: FleetWorkspace
metadata:
name: project2
```
- Create a `GlobalRole` that grants permission to deploy fleet resources in the `project1` and `project2` fleet workspaces:
```
apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
name: fleet-projects1and2
namespacedRules:
project1:
- apiGroups:
- fleet.cattle.io
resources:
- gitrepos
- bundles
- clusterregistrationtokens
- gitreporestrictions
- clusters
- clustergroups
verbs:
- '*'
project2:
- apiGroups:
- fleet.cattle.io
resources:
- gitrepos
- bundles
- clusterregistrationtokens
- gitreporestrictions
- clusters
- clustergroups
verbs:
- '*'
rules:
- apiGroups:
- management.cattle.io
resourceNames:
- project1
- project2
resources:
- fleetworkspaces
verbs:
- '*'
```
Assign the `GlobalRole` to users or groups, more info can be found in the [Rancher docs](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions#configuring-global-permissions-for-individual-users)
The user now has access to the `Continuous Delivery` tab in Rancher and can deploy resources to both the `project1` and `project2` workspaces.
## Allow Access to Clusters
This assumes all GitRepos created by 'fleetuser' have the `team: one` label. Different labels could be used, to select different cluster namespaces.
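Review bot: the `fleet-projects1and2` GlobalRole grants `verbs: '*'` on every listed `fleet.cattle.io` resource in both namespaces (including `clusters`, `clustergroups` and `clusterregistrationtokens`) and `'*'` on the two `fleetworkspaces`, which is much broader than the minimum the text states just above (list/get on the `fleetworkspace` resource plus permission to create fleet resources such as `bundles` and `gitrepos`). For a multi-tenant example, scope the verbs to what a tenant actually needs, for instance `verbs: [get, list]` on the `fleetworkspaces` rule and an explicit verb list on the namespaced rules, or say in the prose that `'*'` is used for brevity and should be narrowed in production. Minor: the fenced blocks have no language tag (`yaml` would enable highlighting), and the sentence ending with the Rancher docs link is missing its full stop.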