[RFE] Add additional verbs updatepsa and manage-namespaces

[edwin-bruurs]

Is your feature request related to a problem? Please describe.

Currently it is not possible to create a custom roles giving a user the following permissions

rules {
  api_groups = ["management.cattle.io"]
  resources = ["projects"]
  verbs= ["manage-namespaces", "updatepsa"]
}

This is needed to give a user additional permissions to create a namespace in a project. See also the documentation on the Rancher webhook validation

Using the code above results in the error expected rules.0.verbs.0 to be one of [* create delete deletecollection get list patch update view watch own use bind escalate impersonate], got updateps and Error: expected rules.0.verbs.1 to be one of [* create delete deletecollection get list patch update view watch own use bind escalate impersonate], got manage-namespaces

Describe the solution you'd like

Add the verbs updatepsa and manage-namespaces to the allowed verbs list.

Describe alternatives you've considered

Using the * verb. But in many cases this will grant to much permissions over the resource (e.g. giving full permission over projects is not what you typically want).

Additional context

See also related issues on adding new verbs:

• rancher2_role_template - support view verb #332
• Add support for K8s api verb "deletecollection" #718
• Policy validator add specialized verbs #831

[edwin-bruurs]

I don't mind creating a MR if this feature is valuable.

[matttrach]

@edwin-bruurs what version of Rancher are you targeting with this change?

[matttrach]

I got an answer to this in another channel, this is targeting Rancher v2.10 and no backports are necessary.

[alegrey91]

updatepsa and manage-namespaces added to the list of available verbs.

[joesims22]

Validated on v2.10-head id 8b50f83 and tfp 6.0.0-rc1 successfully.