Roles
Within Rancher, roles determine what actions a user can take within a cluster or project.
Note that roles are different from permissions, which determine what clusters and projects you can access.
Prerequisites:
To complete the tasks on this page, the following permissions are required:
- Administrator Global Permissions.
- Custom Global Permissions with the Manage Roles role assigned.
Adding A Custom Role
While Rancher comes out-of-the-box with a set of default user roles, you can also create custom roles to provide users with very specific permissions within Rancher.
From the Global view, select Security > Roles from the main menu.
Click Add Role.
Name the role.
Choose whether to set the role to a status of locked.
Locked roles cannot be assigned to users.
Assign the role a Context. Context determines the scope of the role assigned to the user. The contexts are:
- All
The user can use their assigned role regardless of context. This role is valid for assignment when adding/managing members to clusters or projects.
- Cluster
This role is valid for assignment when adding/managing members to only clusters.
- Project
This role is valid for assignment when adding/managing members to only projects.
Use the Grant Resources options to assign individual Kubernetes API endpoints to the role.
You can also choose the individual cURL methods (Create, Delete, Get, etc.) available for use with each endpoint you assign.
Use the Inherit from a Role options to assign individual Rancher roles to your custom roles.
Click Create.
Locking/Unlocking Roles
If you want to prevent a role from being assigned to users, you can set it to a status of locked. For more information about what this status means, see Locked Roles.
You can lock roles in two contexts:
- When you’re adding a custom role.
- When you’re editing an existing role (see below).
From the Global view, select Security > Roles.
From the role that you want to lock (or unlock), select Vertical Ellipsis (…) > Edit.
From the Locked option, choose the Yes or No radio button. Then click Save.
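
The following is an added example, not Rancher's code or API: a small Python model of the settings described in Adding A Custom Role and Locking/Unlocking Roles, useful for reviewing what a role would grant before assigning it. The role names, the `Role` fields and the helper functions are hypothetical, and the model assumes that a role's grants are the union of its own Grant Resources entries and those of every role it inherits from.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    context: str                                   # "all", "cluster" or "project"
    locked: bool = False                           # locked roles cannot be assigned
    grants: dict = field(default_factory=dict)     # resource -> set of allowed verbs
    inherits: list = field(default_factory=list)   # names of roles inherited from

def can_assign(role, target):
    """True if the role may be given to a member of a 'cluster' or 'project'."""
    if role.locked:
        return False
    return role.context in ("all", target)

def effective_grants(name, roles, _seen=None):
    """Own grants plus inherited grants (assumed additive); tolerates cycles."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return {}
    seen.add(name)
    role = roles[name]
    merged = {res: set(verbs) for res, verbs in role.grants.items()}
    for parent in role.inherits:
        for res, verbs in effective_grants(parent, roles, seen).items():
            merged.setdefault(res, set()).update(verbs)
    return merged

# Constructed sample roles for illustration only.
ROLES = {r.name: r for r in [
    Role("view-pods", "project", grants={"pods": {"get", "list"}}),
    Role("deploy-bot", "project",
         grants={"deployments": {"get", "create", "delete"}, "pods": {"delete"}},
         inherits=["view-pods"]),
    Role("node-reader", "cluster", locked=True, grants={"nodes": {"get"}}),
    Role("auditor", "all", grants={"events": {"get", "list"}}),
]}

if __name__ == "__main__":
    for r in ROLES.values():
        print(r.name, can_assign(r, "cluster"), can_assign(r, "project"),
              effective_grants(r.name, ROLES))
```

Reviewing the effective grants of an inheriting role, rather than only the entries set on it directly, shows the full set of endpoints and methods a user would receive.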