Continental Innovates with Rancher and Kubernetes
You can set roles to a status of locked. Locking roles prevent them from being assigned to users in the future.
Do not affect users assigned the role before you lock the role. These users retain access that the role provides.
Example: let’s say your organization creates an internal policy that users assigned to a cluster are prohibited from creating new projects. It’s your job to enforce this policy.
To enforce it, before you add new users to the cluster, you should lock the following roles: Cluster Owner, Cluster Member, and Create Projects. Then you could create a new custom role that includes the same permissions as a Cluster Member, except the ability to create projects. Then, you use this new custom role when adding users to a cluster.
Roles can be locked by the following users:
If you want to prevent a role from being assigned to users, you can set it to a status of locked.
You can lock roles in two contexts:
Cluster roles and project/namespace roles can be locked, but global roles cannot.