This section describes the permissions required to use the rancher-cis-benchmark App.
The rancher-cis-benchmark is a cluster-admin only feature by default.
However, the rancher-cis-benchmark chart installs three default ClusterRoles:
In Rancher, only cluster owners and global administrators have cis-admin access by default.
Rancher CIS Scans is a cluster-admin only feature by default.
This means only the Rancher global admins and the cluster's cluster-owner can:
The rancher-cis-benchmark creates three ClusterRoles and adds the CIS Benchmark CRD access to the following default K8s ClusterRoles:
By default, only the cluster-owner role has the ability to manage and use the rancher-cis-benchmark feature.
The other Rancher roles (cluster-member, project-owner, project-member) do not have default permissions to manage and use rancher-cis-benchmark resources.
However, a cluster-owner who wants to delegate access to other users can do so by manually creating ClusterRoleBindings between these users and the CIS ClusterRoles.
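A delegation of this kind, written as a manifest. This is an added example, not taken from the Rancher documentation: the binding name and the subject `u-example` are placeholders, and `cis-admin` is used because it is the CIS ClusterRole named on this page.

```yaml
# Added example: delegate CIS scan access to one additional user.
# Assumptions: the binding name and the subject "u-example" are placeholders.
#
# Review what the role grants before binding anyone to it:
#   kubectl describe clusterrole cis-admin
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cis-admin-delegate-example   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cis-admin                    # ClusterRole installed by the rancher-cis-benchmark chart
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: u-example                  # placeholder: the user's name as the cluster sees it
#
# Notes:
# - A ClusterRoleBinding applies cluster-wide, so bind individual users or a
#   narrowly scoped group rather than a broad group.
# - roleRef is immutable. To switch a user to a different CIS ClusterRole,
#   delete this binding and create a new one.
# - Audit who currently holds the CIS roles:
#   kubectl get clusterrolebindings -o wide | grep cis-
```

Apply it with `kubectl apply -f` as a cluster-owner, and remove the binding when the delegated access is no longer needed.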