Merged
2 changes: 1 addition & 1 deletion charts/harvester-rbac/Chart.yaml
@@ -30,7 +30,7 @@ annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Harvester RBAC
catalog.cattle.io/kube-version: ">= 1.31.0-0"
catalog.cattle.io/rancher-version: ">= 2.13.0-0"
catalog.cattle.io/rancher-version: ">= 2.14.0-0 < 2.15.0-0"
catalog.cattle.io/release-name: harvester-rbac
catalog.cattle.io/ui-component: harvester-rbac
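Review bot: the `catalog.cattle.io/rancher-version` annotation now carries an upper bound (`>= 2.14.0-0 < 2.15.0-0`) where the old value (`>= 2.13.0-0`) was open-ended, so this chart version stops being offered on Rancher 2.15 and later until the range is bumped again, and the minimum also moves from 2.13 to 2.14; if both are deliberate, state that in the PR description, and consider whether the still open-ended `catalog.cattle.io/kube-version: ">= 1.31.0-0"` two lines above should be bounded the same way for consistency.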
6 changes: 6 additions & 0 deletions charts/harvester-rbac/templates/virt-project-manage.yaml
@@ -20,6 +20,12 @@ rules:
- "*"
verbs:
- "*"
- apiGroups:
- harvesterhci.io
resources:
- "*"
verbs:
- "*"
{{- with .Values.projectRole.virtProjectManage.additionalRules }}
{{- toYaml . | nindent 2 }}
{{- end }}
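Review bot: the added rule grants `*` verbs on `*` resources in the `harvesterhci.io` API group, so every current and future CRD in that group, `supportbundles` included, becomes fully writable for virt-project-manage holders; that matches the wildcard rule directly above it in this role, but since the grant is project-scoped and open-ended, it is worth enumerating the resources it is meant to cover in the PR description (or a comment next to `projectRole.virtProjectManage.additionalRules`) so operators reviewing the chart can see the intended scope.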
14 changes: 14 additions & 0 deletions charts/harvester-rbac/templates/virt-project-view.yaml
@@ -21,6 +21,20 @@ rules:
- get
- list
- watch
- apiGroups:
- harvesterhci.io
resources:
- "*"
verbs:
- get
- list
- watch
- apiGroups:
- harvesterhci.io
resources:
- supportbundles
verbs:
- "*"

Copilot AI Mar 26, 2026

virt-project-view is a view-only RoleTemplate, but this rule grants supportbundles full access (verbs: ["*"]). That’s a significant privilege escalation compared to the rest of the rules here (get/list/watch) and seems inconsistent with the role’s purpose. Consider restricting this to read-only verbs (or the minimal set actually required), or moving write verbs for supportbundles to the manage role only.

Suggested change
- "*"
- get
- list
- watch

Contributor Author
This allows a read-only project user to generate a support bundle. However, project users will require permissions in the harvester-system namespace for the support bundle workload to run, which isn't granted by default.

Member
Do you mean: by default, the project-view can't successfully generate supportbundle even with this rbac?

As a support bundle includes too much system-related information, maybe we could remove this from the chart's default values; if a user wants it, we have a document guide about how to edit the parts of the chart's values.yaml below to grant this. The user takes the risk.

  {{- with .Values.projectRole.virtProjectView.additionalRules }}

Contributor Author
Do you mean: by default, the project-view can't successfully generate supportbundle even with this rbac?

Correct. This change only grants permission to the supportbundles.harvesterhci.io API resource; nothing more. It is something that all cluster/project users need. We will follow this up with a backend issue to discuss how to approach this. The controller needs to identify the namespaces where the user has permissions to run the support bundle generators. Thanks.

Contributor Author

@ihcsim ihcsim Mar 27, 2026
User takes the risk.
{{- with .Values.projectRole.virtProjectView.additionalRules }}

My thinking is that, until we have a backend enhancement, if admin wants to give project users ability to generate support bundle, they can grant these users additional permissions via other custom roles on an individual basis. Using {{- with .Values.projectRole.virtProjectView.additionalRules }} means all project users end up with these extra permissions, not just those who are approved. By including the supportbundles.harvesterhci.io rule in the built-in role, admin won't have to keep repeating them in their own custom roles.

{{- with .Values.projectRole.virtProjectView.additionalRules }}
{{- toYaml . | nindent 2 }}
{{- end }}
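Review bot: the second added rule (`supportbundles` with verbs `*`) is the only write grant in an otherwise get/list/watch role, and the first added rule (`*` resources with get/list/watch) already covers reading supportbundles, so the second rule's sole effect is to add the write verbs on that resource for every project viewer; if that is intended, narrow the verb list to what the support-bundle flow actually needs instead of `*`, and record it next to `projectRole.virtProjectView.additionalRules` in the chart values so administrators know the built-in view role is no longer strictly read-only.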
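The check the review thread is circling, written out as an added example (not chart code): a small lint over a RoleTemplate's rendered rules that reports every grant in a view-only role whose verbs exceed get/list/watch, and a helper that clamps such rules to read-only as the inline suggestion proposes. The rule list is constructed here to mirror the two rules this PR adds to virt-project-view.

```python
"""Flag write verbs in a view-only RoleTemplate's rules (added example, not chart code)."""
from typing import Dict, List, Set, Tuple

READ_ONLY = {"get", "list", "watch"}

# Constructed input mirroring the two rules this PR adds to virt-project-view.
VIRT_PROJECT_VIEW_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": ["harvesterhci.io"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["harvesterhci.io"], "resources": ["supportbundles"], "verbs": ["*"]},
]


def write_verbs(rule: Dict[str, List[str]]) -> Set[str]:
    """Return the verbs in a rule that exceed get/list/watch; '*' stands for all of them."""
    verbs = set(rule.get("verbs", []))
    if "*" in verbs:
        return {"*"}
    return verbs - READ_ONLY


def find_write_rules(rules: List[Dict[str, List[str]]]) -> List[Tuple[int, str, str, List[str]]]:
    """List (rule index, apiGroup, resource, offending verbs) for each non-read-only grant."""
    findings = []
    for idx, rule in enumerate(rules):
        extra = sorted(write_verbs(rule))
        if not extra:
            continue
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                findings.append((idx, group, resource, extra))
    return findings


def restrict_to_read_only(rules: List[Dict[str, List[str]]]) -> List[Dict[str, List[str]]]:
    """Copy of the rules with every offending verb list clamped to get/list/watch."""
    fixed = []
    for rule in rules:
        if write_verbs(rule):
            fixed.append({**rule, "verbs": sorted(READ_ONLY)})
        else:
            fixed.append(dict(rule))
    return fixed


if __name__ == "__main__":
    for idx, group, resource, verbs in find_write_rules(VIRT_PROJECT_VIEW_RULES):
        print(f"rule[{idx}] {group}/{resource}: write verbs {verbs} in a view-only role")
```

Run against the constructed rules it reports only the supportbundles rule, and the same lint over `restrict_to_read_only(...)` reports nothing.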