Fleet: Multi-Tenant Cluster Management & Workspaces
Managing Multi-User/Team Access to Workspaces
Fleet lets you control which users can access workspaces and what they can do in them. You can define roles and permissions that give users and teams access to resources in different workspaces. This is useful when a large team manages many resources.
At this stage, we have 4 Fleet workspaces:
- fleet-default workspace with the RKE2 cluster.
- dev workspace with the dev-cluster cluster.
- staging workspace with the staging-cluster cluster.
- fleet-local workspace with the local Rancher cluster. This is not intended to be used for managing downstream clusters.
fleet-default, dev, and staging workspaces all have their respective namespaces and GitRepo resources. They could be managed by different teams independently.
For our practical example, we will:
- Create a GlobalRole called developer-with-fleet-access that allows users to manage resources in the dev and staging workspaces.
- Create a user called developer and assign the developer-with-fleet-access GlobalRole to the user.
- Log in as the developer user and verify that the user can only see the dev and staging workspaces and the resources within them.
The goal, as you guessed, is to restrict the developer user to only see, use, and update the dev and staging workspaces and the resources within them.
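Once the GlobalRole and user from these steps exist, the restriction can also be checked from the command line. The script below is an added example, not part of the original course material: it asks the API server whether a user can list Fleet resources in each workspace namespace. It assumes kubectl points at the Rancher local cluster with a kubeconfig that is allowed to impersonate users, that list is among the granted verbs, and that the user ID you pass (shown as the placeholder u-xxxxx) is the developer user's Rancher ID.

```shell
#!/bin/sh
# Added example: audit a user's access to Fleet workspace namespaces.
# Assumption: each workspace is backed by a namespace of the same name.
# Usage after sourcing this file: audit_workspace_access u-xxxxx   (placeholder ID)

ALLOWED="dev staging"                                # workspaces the role should grant
DENIED="fleet-default fleet-local"                   # workspaces that must stay hidden
RESOURCES="gitrepos bundles clusters clustergroups"  # taken from the page's manifest

# can_list USER NAMESPACE RESOURCE: succeeds only if the API server answers "yes".
can_list() {
    [ "$(kubectl auth can-i list "$3.fleet.cattle.io" -n "$2" --as "$1" 2>/dev/null)" = "yes" ]
}

# audit_workspace_access USER: prints one line per finding and
# returns non-zero if access is missing where expected or present where it is not.
audit_workspace_access() {
    user=$1
    violations=0
    for ns in $ALLOWED; do
        for res in $RESOURCES; do
            if ! can_list "$user" "$ns" "$res"; then
                echo "MISSING: $user cannot list $res in $ns"
                violations=$((violations + 1))
            fi
        done
    done
    for ns in $DENIED; do
        for res in $RESOURCES; do
            if can_list "$user" "$ns" "$res"; then
                echo "EXCESS: $user can list $res in $ns"
                violations=$((violations + 1))
            fi
        done
    done
    [ "$violations" -eq 0 ]
}
```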
To create the GlobalRole, you can go to CONFIGURATION > Users & Authentication > Role Templates > Create GlobalRole. We can also create the GlobalRole using kubectl and the following YAML manifest:
```
kubectl apply -f - <<EOF
apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
  name: developer-with-fleet-access
# namespacedRules maps a namespace name to the rules granted inside it
namespacedRules:
  dev:
    - apiGroups:
        - fleet.cattle.io
      resources:
        - secrets
        - gitrepos
        - bundles
        - clusterregistrationtokens
        - clusters
        - clustergroups
      verbs:
```
End-to-End Kubernetes with Rancher, RKE2, K3s, Fleet, Longhorn, and NeuVector
