change: [M3-9585] - Restricted users should not be allowed to add / update the Kubernetes Cluster (linode#12360)

* Begin adding isLkeClusterRestricted logic

* Finish disabling rest of actions

* Added changeset: Kubernetes cluster details to show restricted access warnings and disabled actions

* Update packages/manager/src/features/Kubernetes/KubernetesClusterDetail/KubernetesClusterDetail.tsx

Co-authored-by: Banks Nussman <115251059+bnussman-akamai@users.noreply.github.com>

* Move static Notice outside render tree

---------

Co-authored-by: Banks Nussman <115251059+bnussman-akamai@users.noreply.github.com>

Author: bill-akamai

packages/manager/.changeset/pr-12360-changed-1749586301652.md

@@ -0,0 +1,5 @@
+---
+"@linode/manager": Changed
+---
+
+Kubernetes cluster details to show restricted access warnings and disabled actions ([#12360](https://github.com/linode/manager/pull/12360))

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/KubernetesClusterDetail.tsx

@@ -1,15 +1,17 @@
 import { useAccount, useRegionsQuery } from '@linode/queries';
-import { Box, CircleProgress, ErrorState, Stack } from '@linode/ui';
+import { Box, CircleProgress, ErrorState, Notice, Stack } from '@linode/ui';
 import { useLocation, useParams } from '@tanstack/react-router';
 import * as React from 'react';
 
 import { DocumentTitleSegment } from 'src/components/DocumentTitle';
 import { LandingHeader } from 'src/components/LandingHeader';
+import { getRestrictedResourceText } from 'src/features/Account/utils';
 import {
   useAPLAvailability,
   useKubernetesBetaEndpoint,
 } from 'src/features/Kubernetes/kubeUtils';
 import { getKubeHighAvailability } from 'src/features/Kubernetes/kubeUtils';
+import { useIsResourceRestricted } from 'src/hooks/useIsResourceRestricted';
 import {
   useKubernetesClusterMutation,
   useKubernetesClusterQuery,
@@ -22,6 +24,17 @@ import { NodePoolsDisplay } from './NodePoolsDisplay/NodePoolsDisplay';
 import { UpgradeKubernetesClusterToHADialog } from './UpgradeClusterDialog';
 import UpgradeKubernetesVersionBanner from './UpgradeKubernetesVersionBanner';
 
+const restrictedLkeNotice = (
+  <Notice
+    text={getRestrictedResourceText({
+      action: 'edit',
+      resourceType: 'LKE Clusters',
+      isSingular: true,
+    })}
+    variant="warning"
+  />
+);
+
 export const KubernetesClusterDetail = () => {
   const { data: account } = useAccount();
   const { clusterId } = useParams({ from: '/kubernetes/clusters/$clusterId' });
@@ -46,6 +59,12 @@ export const KubernetesClusterDetail = () => {
   const { isClusterHighlyAvailable, showHighAvailability } =
     getKubeHighAvailability(account, cluster);
 
+  const isLkeClusterRestricted = useIsResourceRestricted({
+    grantLevel: 'read_only',
+    grantType: 'lkecluster',
+    id: cluster?.id,
+  });
+
   const [updateError, setUpdateError] = React.useState<string | undefined>();
   const [isUpgradeToHAOpen, setIsUpgradeToHAOpen] = React.useState(false);
 
@@ -91,6 +110,7 @@ export const KubernetesClusterDetail = () => {
         clusterTier={cluster?.tier ?? 'standard'} // TODO LKE: remove fallback once LKE-E is in GA and tier is required
         currentVersion={cluster?.k8s_version}
       />
+      {isLkeClusterRestricted && restrictedLkeNotice}
       <LandingHeader
         breadcrumbProps={{
           breadcrumbDataAttrs: { 'data-qa-breadcrumb': true },
@@ -134,6 +154,7 @@ export const KubernetesClusterDetail = () => {
             clusterLabel={cluster.label}
             clusterRegionId={cluster.region}
             clusterTier={cluster.tier ?? 'standard'}
+            isLkeClusterRestricted={isLkeClusterRestricted}
             regionsData={regionsData || []}
           />
         </Stack>

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/NodePoolsDisplay/NodeActionMenu.tsx

@@ -10,18 +10,24 @@ import type { Theme } from '@mui/material/styles';
 
 interface Props {
   instanceLabel?: string;
+  isLkeClusterRestricted: boolean;
   nodeId?: string;
   openRecycleNodeDialog: (nodeID: string, linodeLabel: string) => void;
 }
 
 export const NodeActionMenu = (props: Props) => {
-  const { instanceLabel, nodeId, openRecycleNodeDialog } = props;
+  const {
+    instanceLabel,
+    isLkeClusterRestricted,
+    nodeId,
+    openRecycleNodeDialog,
+  } = props;
   const theme = useTheme<Theme>();
   const matchesSmDown = useMediaQuery(theme.breakpoints.down('md'));
 
   const actions = [
     {
-      disabled: !nodeId || !instanceLabel,
+      disabled: !nodeId || !instanceLabel || isLkeClusterRestricted,
       onClick: () => {
         if (!nodeId || !instanceLabel) {
           return;

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/NodePoolsDisplay/NodePool.tsx

@@ -35,6 +35,7 @@ interface Props {
   handleClickAutoscale: (poolId: number) => void;
   handleClickLabelsAndTaints: (poolId: number) => void;
   handleClickResize: (poolId: number) => void;
+  isLkeClusterRestricted: boolean;
   isOnlyNodePool: boolean;
   nodes: PoolNodeResponse[];
   openDeletePoolDialog: (poolId: number) => void;
@@ -60,6 +61,7 @@ export const NodePool = (props: Props) => {
     handleClickAutoscale,
     handleClickLabelsAndTaints,
     handleClickResize,
+    isLkeClusterRestricted,
     isOnlyNodePool,
     nodes,
     openDeletePoolDialog,
@@ -116,23 +118,27 @@ export const NodePool = (props: Props) => {
               <ActionMenu
                 actionsList={[
                   {
+                    disabled: isLkeClusterRestricted,
                     onClick: () => handleClickLabelsAndTaints(poolId),
                     title: 'Labels and Taints',
                   },
                   {
+                    disabled: isLkeClusterRestricted,
                     onClick: () => handleClickAutoscale(poolId),
                     title: 'Autoscale Pool',
                   },
                   {
+                    disabled: isLkeClusterRestricted,
                     onClick: () => handleClickResize(poolId),
                     title: 'Resize Pool',
                   },
                   {
+                    disabled: isLkeClusterRestricted,
                     onClick: () => openRecycleAllNodesDialog(poolId),
                     title: 'Recycle Pool Nodes',
                   },
                   {
-                    disabled: isOnlyNodePool,
+                    disabled: isLkeClusterRestricted || isOnlyNodePool,
                     onClick: () => openDeletePoolDialog(poolId),
                     title: 'Delete Pool',
                     tooltip: isOnlyNodePool
@@ -155,6 +161,7 @@ export const NodePool = (props: Props) => {
             >
               <StyledActionButton
                 compactY
+                disabled={isLkeClusterRestricted}
                 onClick={(e) => {
                   e.stopPropagation();
                   handleClickLabelsAndTaints(poolId);
@@ -164,6 +171,7 @@ export const NodePool = (props: Props) => {
               </StyledActionButton>
               <StyledActionButton
                 compactY
+                disabled={isLkeClusterRestricted}
                 onClick={(e) => {
                   e.stopPropagation();
                   handleClickAutoscale(poolId);
@@ -178,6 +186,7 @@ export const NodePool = (props: Props) => {
               )}
               <StyledActionButton
                 compactY
+                disabled={isLkeClusterRestricted}
                 onClick={(e) => {
                   e.stopPropagation();
                   handleClickResize(poolId);
@@ -187,6 +196,7 @@ export const NodePool = (props: Props) => {
               </StyledActionButton>
               <StyledActionButton
                 compactY
+                disabled={isLkeClusterRestricted}
                 onClick={(e) => {
                   e.stopPropagation();
                   openRecycleAllNodesDialog(poolId);
@@ -204,7 +214,7 @@ export const NodePool = (props: Props) => {
                 <div>
                   <StyledActionButton
                     compactY
-                    disabled={isOnlyNodePool}
+                    disabled={isLkeClusterRestricted || isOnlyNodePool}
                     onClick={(e) => {
                       e.stopPropagation();
                       openDeletePoolDialog(poolId);
@@ -227,6 +237,7 @@ export const NodePool = (props: Props) => {
         clusterId={clusterId}
         clusterTier={clusterTier}
         encryptionStatus={encryptionStatus}
+        isLkeClusterRestricted={isLkeClusterRestricted}
         nodes={nodes}
         openRecycleNodeDialog={openRecycleNodeDialog}
         poolId={poolId}

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/NodePoolsDisplay/NodePoolsDisplay.test.tsx

@@ -13,6 +13,7 @@ const props: Props = {
   clusterLabel: 'a cluster',
   clusterRegionId: 'us-east',
   clusterTier: 'standard',
+  isLkeClusterRestricted: false,
   regionsData: [],
 };
 

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/NodePoolsDisplay/NodePoolsDisplay.tsx

@@ -66,6 +66,7 @@ export interface Props {
   clusterLabel: string;
   clusterRegionId: string;
   clusterTier: KubernetesTier;
+  isLkeClusterRestricted: boolean;
   regionsData: Region[];
 }
 
@@ -76,6 +77,7 @@ export const NodePoolsDisplay = (props: Props) => {
     clusterLabel,
     clusterRegionId,
     clusterTier,
+    isLkeClusterRestricted,
     regionsData,
   } = props;
 
@@ -241,10 +243,12 @@ export const NodePoolsDisplay = (props: Props) => {
               <ActionMenu
                 actionsList={[
                   {
+                    disabled: isLkeClusterRestricted,
                     onClick: () => setIsRecycleClusterOpen(true),
                     title: 'Recycle All Nodes',
                   },
                   {
+                    disabled: isLkeClusterRestricted,
                     onClick: handleOpenAddDrawer,
                     title: 'Add a Node Pool',
                   },
@@ -256,11 +260,16 @@ export const NodePoolsDisplay = (props: Props) => {
           <Hidden mdDown>
             <Button
               buttonType="outlined"
+              disabled={isLkeClusterRestricted}
               onClick={() => setIsRecycleClusterOpen(true)}
             >
               Recycle All Nodes
             </Button>
-            <Button buttonType="primary" onClick={handleOpenAddDrawer}>
+            <Button
+              buttonType="primary"
+              disabled={isLkeClusterRestricted}
+              onClick={handleOpenAddDrawer}
+            >
               Add a Node Pool
             </Button>
           </Hidden>
@@ -294,6 +303,7 @@ export const NodePoolsDisplay = (props: Props) => {
               handleClickAutoscale={handleOpenAutoscaleDrawer}
               handleClickLabelsAndTaints={handleOpenLabelsAndTaintsDrawer}
               handleClickResize={handleOpenResizeDrawer}
+              isLkeClusterRestricted={isLkeClusterRestricted}
               isOnlyNodePool={pools?.length === 1}
               key={id}
               nodes={nodes ?? []}

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/NodePoolsDisplay/NodeRow.tsx

@@ -26,6 +26,7 @@ export interface NodeRow {
 }
 
 interface NodeRowProps extends NodeRow {
+  isLkeClusterRestricted: boolean;
   linodeError?: APIError[];
   openRecycleNodeDialog: (nodeID: string, linodeLabel: string) => void;
   typeLabel: string;
@@ -36,6 +37,7 @@ export const NodeRow = React.memo((props: NodeRowProps) => {
     instanceId,
     instanceStatus,
     ip,
+    isLkeClusterRestricted,
     label,
     linodeError,
     nodeId,
@@ -136,6 +138,7 @@ export const NodeRow = React.memo((props: NodeRowProps) => {
       <TableCell>
         <NodeActionMenu
           instanceLabel={label}
+          isLkeClusterRestricted={isLkeClusterRestricted}
           nodeId={nodeId}
           openRecycleNodeDialog={openRecycleNodeDialog}
         />

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/NodePoolsDisplay/NodeTable.test.tsx

@@ -31,6 +31,7 @@ const props: Props = {
   clusterId: 1,
   clusterTier: 'standard',
   encryptionStatus: 'enabled',
+  isLkeClusterRestricted: false,
   nodes: mockKubeNodes,
   openRecycleNodeDialog: vi.fn(),
   poolId: 1,

packages/manager/src/features/Kubernetes/KubernetesClusterDetail/NodePoolsDisplay/NodeTable.tsx

@@ -46,6 +46,7 @@ export interface Props {
   clusterId: number;
   clusterTier: KubernetesTier;
   encryptionStatus: EncryptionStatus | undefined;
+  isLkeClusterRestricted: boolean;
   nodes: PoolNodeResponse[];
   openRecycleNodeDialog: (nodeID: string, linodeLabel: string) => void;
   poolId: number;
@@ -65,6 +66,7 @@ export const NodeTable = React.memo((props: Props) => {
     encryptionStatus,
     nodes,
     openRecycleNodeDialog,
+    isLkeClusterRestricted,
     poolId,
     regionSupportsDiskEncryption,
     statusFilter,
@@ -240,6 +242,7 @@ export const NodeTable = React.memo((props: Props) => {
                         instanceId={eachRow.instanceId}
                         instanceStatus={eachRow.instanceStatus}
                         ip={eachRow.ip}
+                        isLkeClusterRestricted={isLkeClusterRestricted}
                         key={`node-row-${eachRow.nodeId}`}
                         label={eachRow.label}
                         linodeError={error ?? undefined}
@@ -290,7 +293,12 @@ export const NodeTable = React.memo((props: Props) => {
                 <Typography>Pool ID {poolId}</Typography>
               )}
             </StyledPoolInfoBox>
-            <TagCell tags={tags} updateTags={updateTags} view="inline" />
+            <TagCell
+              disabled={isLkeClusterRestricted}
+              tags={tags}
+              updateTags={updateTags}
+              view="inline"
+            />
           </StyledTableFooter>
         </>
       )}