Rancher’s API authentication isn’t just about logging in; it’s a multi-layered system designed to grant granular access to your cluster resources, often in ways that surprise people.
Let’s see it in action. Imagine you have a Rancher user, alice, who needs to deploy applications. You don’t want her to have full cluster admin rights, but she needs to create Deployments in a specific namespace, say dev-app.
First, alice needs an API key to authenticate. She can generate this from the Rancher UI under her user profile:
curl -k -u 'alice:<alice_api_key>' \
-X GET \
'https://<rancher_host>/v3/projects/<project_id>/namespaces/dev-app'
This command, using alice’s API key, attempts to fetch information about the dev-app namespace. If it succeeds, it means alice’s key is valid and she has some level of access.
Now, what kind of access does she have? This is where Role-Based Access Control (RBAC) comes in. Rancher uses Kubernetes RBAC, but it’s managed through Rancher’s project and global role system. alice might have been granted a "Project Member" role for the project containing dev-app. This role, by default, might not allow her to create Deployments.
To grant her the ability to create Deployments, you’d need to assign her a custom role or a built-in role that includes the deployments.management.cattle.io resource type with create and update verbs. You can do this via the Rancher UI or the API. Let’s say you create a role named AppDeployer with these permissions.
Then, you’d assign this AppDeployer role to alice within the dev-app namespace, or more commonly, to the project that contains dev-app. This assignment is represented as a RoleTemplateBinding in Rancher’s API.
The mental model for Rancher API authentication is this:
-
Authentication: This is the process of verifying your identity. For API access, this is primarily done using API keys. These keys are long, random strings that act like passwords. When you make an API request, you include your API key in the
Authorizationheader, typically asBasic <base64_encoded_username:api_key>. Rancher validates this key against its user database. -
Authorization: Once authenticated, Rancher determines what you are allowed to do. This is governed by RBAC. Rancher maps its own roles (like "Cluster Owner," "Project Member") and Kubernetes roles to specific permissions on resources.
- Global Roles: Apply to the entire Rancher instance.
- Cluster Roles: Apply to a specific Kubernetes cluster managed by Rancher.
- Project Roles: Apply to a specific project within a cluster. Projects are a Rancher abstraction that groups namespaces and provides a layer of management.
Permissions are defined as verbs (e.g.,
get,list,create,update,delete,watch) on resources (e.g.,pods,deployments,namespaces). Rancher’s system translates these into KubernetesClusterRoleandRoleobjects, and then binds them to users or groups viaClusterRoleBindingandRoleBinding(or Rancher’sRoleTemplateBinding).
The most surprising aspect for many is how Rancher’s project/global role system directly maps to and often wraps Kubernetes RBAC. You don’t typically manage Kubernetes Role and RoleBinding directly for users interacting with Rancher-managed clusters; you manage them through Rancher’s UI or API, and Rancher creates/updates the underlying Kubernetes objects. This means a user authenticated with an API key can perform actions that are ultimately authorized by Kubernetes RBAC, but the management interface is Rancher itself.
Crucially, when you create an API key in Rancher, it’s tied to the permissions of the user who generated it at that moment. If that user’s permissions are later reduced, existing API keys associated with them will reflect those reduced permissions. It’s not a snapshot; it’s a dynamic reflection of the user’s current authorization.
After successfully authenticating and authorizing alice to create deployments, her next challenge might be understanding how to manage secrets for those deployments using Rancher’s built-in secrets management or integrating with external secret stores.