VYPR
← All advisories
High severity7.2NVD Advisory· Published Oct 16, 2024· Updated Apr 15, 2026

CVE-2023-32194

CVE-2023-32194

Description

A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces"; no matter the API group, the subject will receive * permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/rancher/rancherGo
>= 2.6.0, < 2.6.142.6.14
github.com/rancher/rancherGo
>= 2.7.0, < 2.7.102.7.10
github.com/rancher/rancherGo
>= 2.8.0, < 2.8.22.8.2

Patches

3
d4a0ff5e779e

[2.6] Fixes (#44357)

https://github.com/rancher/rancherPeter MatseykanetsFeb 6, 2024via ghsa
commit
264 files changed · +1650 1251
  • .drone.yml+0 398 modified
    @@ -1,101 +1,5 @@
 ---
 kind: pipeline
-name: provisioning-tests-k3s
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-- name: provisioning-tests-pr
-  image: rancher/dapper:v0.5.8
-  commands:
-  - dapper provisioning-tests
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    event:
-    - pull_request
-- name: provisioning-tests-push
-  image: rancher/dapper:v0.5.8
-  commands:
-  - dapper provisioning-tests
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    instance:
-      - drone-publish.rancher.io
-    ref:
-      include:
-        - "refs/heads/master"
-        - "refs/heads/release/v*"
-        - "refs/tags/v*"
-    event:
-    - push
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
-
-trigger:
-  event:
-    exclude:
-    - promote
----
-kind: pipeline
-name: provisioning-tests-rke
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-- name: provisioning-tests-pr
-  image: rancher/dapper:v0.5.8
-  commands:
-  - dapper provisioning-tests-rke
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    event:
-    - pull_request
-- name: provisioning-tests-push
-  image: rancher/dapper:v0.5.8
-  commands:
-  - dapper provisioning-tests-rke
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    instance:
-      - drone-publish.rancher.io
-    ref:
-      include:
-        - "refs/heads/master"
-        - "refs/heads/release/v*"
-        - "refs/tags/v*"
-    event:
-    - push
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
-
-trigger:
-  event:
-    exclude:
-    - promote
----
-kind: pipeline
 name: default-linux-amd64
 
 platform:
@@ -573,249 +477,6 @@ volumes:
   host:
     path: /var/run/docker.sock
 
-trigger:
-  event:
-    exclude:
-    - promote
----
-kind: pipeline
-name: default-linux-s390x
-
-platform:
-  os: linux
-  arch: amd64
-
-# Hack needed for s390x: https://gist.github.com/colstrom/c2f359f72658aaabb44150ac20b16d7c#gistcomment-3858388
-node:
-  arch: s390x
-
-clone:
-  disable: true
-
-steps:
-- name: clone
-  image: alpine/git:v2.30.2-s390x
-  commands:
-  - git clone $DRONE_GIT_HTTP_URL  .
-  - git fetch origin $DRONE_COMMIT_REF
-  - git checkout $DRONE_COMMIT -b origin/$DRONE_TARGET_BRANCH
-
-- name: build-pr
-  image: rancher/dapper:v0.5.8
-  failure: ignore
-  commands:
-  - dapper ci
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    event:
-    - pull_request
-
-- name: build-push-tag
-  image: rancher/dapper:v0.5.8
-  failure: ignore
-  commands:
-  - K3S_BUILDER=k3s_root dapper ci
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    instance:
-      - drone-publish.rancher.io
-    ref:
-      include:
-        - "refs/heads/master"
-        - "refs/heads/release/v*"
-        - "refs/tags/v*"
-    event:
-    - push
-    - tag
-
-- name: stage-binaries
-  image: rancher/dapper:v0.5.8
-  failure: ignore
-  commands:
-  - "cp -r ./bin/* ./package/"
-  when:
-    instance:
-      - drone-publish.rancher.io
-    ref:
-      include:
-        - "refs/heads/master"
-        - "refs/heads/release/v*"
-        - "refs/tags/v*"
-    event:
-    - push
-    - tag
-
-- name: docker-publish-head
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - VERSION=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-head
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile
-    tag: ${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher
-    username:
-      from_secret: docker_username
-  when:
-    ref:
-      include:
-      - "refs/heads/master"
-      - "refs/heads/release/v*"
-    event:
-    - push
-
-- name: docker-publish-head-installer
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - VERSION=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-head
-    - RANCHER_TAG=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.installer
-    tag: ${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    password:
-      from_secret: docker_password
-    repo: rancher/system-agent-installer-rancher
-    username:
-      from_secret: docker_username
-  when:
-    ref:
-      include:
-      - "refs/heads/master"
-      - "refs/heads/release/v*"
-    event:
-    - push
-
-- name: docker-publish-head-agent
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - VERSION=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-head
-    - RANCHER_TAG=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.agent
-    tag: ${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher-agent
-    username:
-      from_secret: docker_username
-  when:
-    ref:
-      include:
-      - "refs/heads/master"
-      - "refs/heads/release/v*"
-    event:
-    - push
-
-- name: docker-publish
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - "VERSION=${DRONE_TAG}"
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher
-    tag: "${DRONE_TAG}-linux-s390x"
-    username:
-      from_secret: docker_username
-  when:
-    event:
-    - tag
-
-- name: docker-publish-installer
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - "VERSION=${DRONE_TAG}"
-    - "RANCHER_TAG=${DRONE_TAG}-linux-s390x"
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.installer
-    password:
-      from_secret: docker_password
-    repo: rancher/system-agent-installer-rancher
-    tag: "${DRONE_TAG}-linux-s390x"
-    username:
-      from_secret: docker_username
-  when:
-    event:
-    - tag
-
-- name: docker-publish-agent
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - "VERSION=${DRONE_TAG}"
-    - "RANCHER_TAG=${DRONE_TAG}-linux-s390x"
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.agent
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher-agent
-    tag: "${DRONE_TAG}-linux-s390x"
-    username:
-      from_secret: docker_username
-  when:
-    event:
-    - tag
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
-
 trigger:
   event:
     exclude:
@@ -1251,7 +912,6 @@ trigger:
 depends_on:
 - default-linux-amd64
 - default-linux-arm64
-- default-linux-s390x
 - default-windows-1809
 - default-windows-ltsc2022
 ---
@@ -1341,64 +1001,6 @@ depends_on:
 - default-linux-arm64
 ---
 kind: pipeline
-name: docker-image-digests-linux-s390x
-
-platform:
-  os: linux
-  arch: amd64
-
-# Hack needed for s390x: https://gist.github.com/colstrom/c2f359f72658aaabb44150ac20b16d7c#gistcomment-3858388
-node:
-  arch: s390x
-
-clone:
-  disable: true
-
-steps:
-- name: clone
-  image: alpine/git:v2.30.2-s390x
-  commands:
-  - git clone $DRONE_GIT_HTTP_URL  .
-  - git fetch origin $DRONE_COMMIT_REF
-  - git checkout $DRONE_COMMIT -b origin/$DRONE_TARGET_BRANCH
-
-- name: docker-image-digests
-  image: rancher/drone-docker-image-digests:v0.0.13
-  failure: ignore
-  environment:
-    PLUGIN_GITHUB_REPOSITORY: "rancher/rancher"
-    PLUGIN_GITHUB_TOKEN:
-      from_secret: github_token
-    PLUGIN_GITHUB_TAG: "${DRONE_TAG}"
-    PLUGIN_INPUT_FILE: "rancher-images.txt"
-    PLUGIN_OUTPUT_FILE: "rancher-images-digests-linux-s390x.txt"
-    PLUGIN_REGISTRY: "docker.io"
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    instance:
-      include:
-      - drone-publish.rancher.io
-    event:
-    - tag
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
-
-trigger:
-  event:
-    exclude:
-    - promote
-    - pull_request
-
-depends_on:
-- default-linux-amd64
-- default-linux-s390x
----
-kind: pipeline
 name: docker-image-digests-windows-1809
 
 platform:
  • .github/scripts/check-for-auto-generated-changes.sh+12 0 added
    @@ -0,0 +1,12 @@
+#!/bin/sh
+set -ue
+
+go generate ./...
+
+if [ -n "$(git status --porcelain)" ]; then
+    echo "Generated files have either been changed manually or were not updated."
+    echo
+    echo "The following generated files did differ after regeneration:"
+    git status --porcelain
+    exit 1
+fi
  • .github/scripts/check-for-go-mod-changes.sh+39 0 added
    @@ -0,0 +1,39 @@
+#!/bin/sh
+set -ue
+
+for DIRECTORY in . ./pkg/apis ./pkg/client; do
+    cd "$DIRECTORY"
+    go mod tidy
+    go mod verify
+    cd "$OLDPWD"
+done
+
+if [ -n "$(git status --porcelain)" ]; then
+    echo "go.mod is not up to date. Please 'run go mod tidy' and commit the changes."
+    echo
+    echo "The following go files did differ after tidying them:"
+    git status --porcelain
+    exit 1
+fi
+
+# Check diff between ./go.mod and ./pkg/apis/go.mod
+badmodule="false"
+while read -r module tag; do
+  # Get tag from module in ./go.mod
+  roottag=$(sed '1,/^require/d' go.mod | grep "${module} " | awk '{ print $2 }')
+  echo "${module}:"
+  echo "${tag} (./pkg/apis/go.mod)"
+  echo "${roottag} (./go.mod)"
+  # Compare with tag from module in ./pkg/apis/go.mod
+  if [ "${tag}" != "${roottag}" ]; then
+    echo "${module} is different ('${tag}' vs '${roottag}')"
+    badmodule="true"
+  fi
+done << EOF
+$(sed '1,/require/d' pkg/apis/go.mod | head -n -1 | grep -v indirect | grep rancher |  awk '{ print $1,$2 }')
+EOF
+
+if [ "${badmodule}" = "true" ]; then
+  echo "Diff found between ./go.mod and ./pkg/apis/go.mod"
+  exit 1
+fi
  • .github/workflows/verify-generated-code-changes.yml+46 0 added
    @@ -0,0 +1,46 @@
+name: Verify generated code changes
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+    - 'release/*'
+
+env:
+  MAIN_BRANCH: origin/master
+  GOARCH: amd64
+  CGO_ENABLED: 0
+  SETUP_GO_VERSION: '1.19.*'
+
+jobs:
+  check-changes:
+    runs-on: ubuntu-latest
+
+    steps:
+      -
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      -
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.SETUP_GO_VERSION }}
+      -
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      -
+        name: Verify go.mod status
+        run: ./.github/scripts/check-for-go-mod-changes.sh
+      -
+        name: Install controller-gen
+        run: go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.12.0
+      -
+        name: Verify auto-generated changes
+        run: ./.github/scripts/check-for-auto-generated-changes.sh
  • go.mod+12 12 modified
    @@ -9,7 +9,7 @@ replace (
 	github.com/knative/pkg => github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e
 	github.com/matryer/moq => github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77
 
-	github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.2
+	github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.12
 	github.com/rancher/rancher/pkg/apis => ./pkg/apis
 	github.com/rancher/rancher/pkg/client => ./pkg/client
 
@@ -103,7 +103,7 @@ require (
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.32.1
 	github.com/rancher/aks-operator v1.0.9
-	github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5
+	github.com/rancher/apiserver v0.0.0-20240205164636-4df268e250f6
 	github.com/rancher/channelserver v0.5.1-0.20220405170618-28c9b37deff1
 	github.com/rancher/dynamiclistener v0.3.5
 	github.com/rancher/eks-operator v1.1.5
@@ -113,12 +113,12 @@ require (
 	github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc
 	github.com/rancher/lasso/controller-runtime v0.0.0-20220627205005-00d9c8e9dda6
 	github.com/rancher/machine v0.15.0-rancher96
-	github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a
+	github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b
 	github.com/rancher/rancher/pkg/apis v0.0.0
 	github.com/rancher/rancher/pkg/client v0.0.0
 	github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a
 	github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8
-	github.com/rancher/rke v1.3.20
+	github.com/rancher/rke v1.3.24
 	github.com/rancher/security-scan v0.1.7-0.20200222041501-f7377f127168
 	github.com/rancher/steve v0.0.0-20230224165120-1a36a52a25b7
 	github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007
@@ -136,12 +136,12 @@ require (
 	github.com/vmware/kube-fluentd-operator v0.0.0-20190307154903-bf9de7e79eaf
 	github.com/xanzy/go-gitlab v0.0.0-20180830102804-feb856f4760f
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
-	golang.org/x/net v0.0.0-20221004154528-8021a29435af
+	golang.org/x/mod v0.8.0
+	golang.org/x/net v0.8.0
 	golang.org/x/oauth2 v0.0.0-20220628200809-02e64fa58f26
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
-	golang.org/x/text v0.3.8 // indirect
-	golang.org/x/tools v0.1.12 // indirect
+	golang.org/x/sync v0.1.0
+	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/api v0.81.0
 	google.golang.org/grpc v1.48.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
@@ -208,7 +208,7 @@ require (
 	github.com/coredns/corefile-migration v1.0.17 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/dimchansky/utfbom v1.1.0 // indirect
 	github.com/docker/cli v20.10.17+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
@@ -353,8 +353,8 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.19.1 // indirect
-	golang.org/x/sys v0.0.0-20221010170243-090e33056c14 // indirect
-	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/term v0.6.0 // indirect
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
  • go.sum+33 22 modified
    @@ -437,8 +437,8 @@ github.com/creasty/defaults v1.5.2/go.mod h1:FPZ+Y0WNrbqOVw+c6av63eyHUAl6pMHZwqL
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.10 h1:Rjs6x4s/aQFXiaPjw3uhB4VdxRqoxHXOJrrj4BsMn9o=
 github.com/crewjam/saml v0.4.10/go.mod h1:9Zh6dWPtB3MSzTRt8fIFH60Z351QQ+s7hCU3J/tTlA4=
-github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
-github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
 github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
 github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
@@ -1206,6 +1206,7 @@ github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:
 github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c h1:3wkDRdxK92dF+c1ke2dtj7ZzemFWBHB9plnJOtlwdFA=
 github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c/go.mod h1:skjdDftzkFALcuGzYSklqYd8gvat6F1gZJ4YPVbkZpM=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
+github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
@@ -1270,8 +1271,8 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 h1:+czc/J8SlhPKLOtVLMQc+xDCFBT73ZStMsRhSsUhsSg=
 github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198/go.mod h1:j4h1pJW6ZcJTgMZWP3+7RlG3zTaP02aDZ/Qw0sppK7Q=
-github.com/opencontainers/runc v1.1.2 h1:2VSZwLx5k/BfsBxMMipG/LYUnmqOD/BPkIVgQUcTlLw=
-github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
+github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
+github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -1390,8 +1391,8 @@ github.com/quobyte/api v0.1.8/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H
 github.com/rancher/aks-operator v1.0.9 h1:RXBce90HqgYpSlGMiIRMviN4qOvfYcKA8BnBG3X8gzM=
 github.com/rancher/aks-operator v1.0.9/go.mod h1:qK59c7DFxpYn14sXHbbPkNl7zUNyuN0qkFUUHXsQ0jA=
 github.com/rancher/apiserver v0.0.0-20201023000256-1a0a904f9197/go.mod h1:8W0EwaR9dH5NDFw6mpAX437D0q+EZqKWbZyX71+z2WI=
-github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5 h1:n+hEi53DqCPD+RnjH/uGuz3ER2sx7DzGQWt/n7q1jYs=
-github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5/go.mod h1:Ff9wwzgKLCg30LjywsK1Tswvn+5ELvQZ6GXmutPA6po=
+github.com/rancher/apiserver v0.0.0-20240205164636-4df268e250f6 h1:XmTVxa8K29C/uYdTKZ+OE3K1FkpdOTEEZZdh6nE1WS0=
+github.com/rancher/apiserver v0.0.0-20240205164636-4df268e250f6/go.mod h1:Ff9wwzgKLCg30LjywsK1Tswvn+5ELvQZ6GXmutPA6po=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863 h1:7cVEMgwyiVhLyu/Ywuw58mkkh9cWpFE3+X8IrWncBxU=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863/go.mod h1:6dId2LCc8oHqeBzP6E8ndp4DflhKTxYLb5ZXwI4YmFA=
 github.com/rancher/channelserver v0.5.1-0.20220405170618-28c9b37deff1 h1:NMYQzCtLEEaJZ2xleLzDixN6Y+yO9ShzgsjHDg4zOrk=
@@ -1423,16 +1424,16 @@ github.com/rancher/machine v0.15.0-rancher96 h1:aDrERdpxpFf2R5CqOlQHCD2JecZC5Mg7
 github.com/rancher/machine v0.15.0-rancher96/go.mod h1:rwF2JgIwaIqHthd9ByUQAZohCROaUP807Zsx1DLKo84=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77 h1:k+vzmkZQsH06rZnDr+phskSixG9ByNj9gVdzHcc8nxw=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77/go.mod h1:wpITyDPTi/Na5h73XkbuEf2AP9fbgrIGqqxVzFhYD6U=
-github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4=
-github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
+github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b h1:DEDBVlylKTCC6KPl3BnPqsw3+aVygmcYwpJv3AJnOo0=
+github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
 github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e h1:j6+HqCET/NLPBtew2m5apL7jWw/PStQ7iGwXjgAqdvo=
 github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e/go.mod h1:XbYHTPaXuw8ZY9bylhYKQh/nJxDaTKk3YhAxPl4Qy/k=
 github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a h1:6xqYlVz4uAXBa/AuNAG0bhMusIXVh74dc1bbYOAe+HY=
 github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a/go.mod h1:YW8wJ/coee2n9ed937uPBWQArBaVlxs+5wkkS9KiyDc=
 github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8 h1:leqh0chjBsXhKWebxxFd5QPcoQLu51EpaHo04ce0o+8=
 github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8/go.mod h1:BwwztuvViX2JrLLUwDlsYt5DiyUwHLlzynRwkZLAY0Q=
-github.com/rancher/rke v1.3.20 h1:t/rgErjPEnmByUPKNuMsz9EF7OjY3SBt5eD8J4pZnDI=
-github.com/rancher/rke v1.3.20/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY=
+github.com/rancher/rke v1.3.24 h1:UgMSUyhHAPjAsOFb9AkUtP5PgnbaBK5W4bKtT7w0+D8=
+github.com/rancher/rke v1.3.24/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY=
 github.com/rancher/security-scan v0.1.7-0.20200222041501-f7377f127168 h1:SIshhsz0O71FYyyDmjUmbFGvmgp4ASm8J1zmhMK/UG0=
 github.com/rancher/security-scan v0.1.7-0.20200222041501-f7377f127168/go.mod h1:WlLAocVyVQs5J8r0IiQXsp0ajVZO6hYi/Vo6zxjo73s=
 github.com/rancher/steve v0.0.0-20230224165120-1a36a52a25b7 h1:5SqYbU1q88Cpo2LUabdy0jM8oXwt3svwhVdHOSETPsY=
@@ -1487,7 +1488,7 @@ github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102 h1:WAQaHPfnpevd8S
 github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc=
 github.com/segmentio/kafka-go v0.0.0-20190411192201-218fd49cff39 h1:k9ngiuh0VU21Xjy9f/wVsRFsX8l0uxGH1ZOLNpjTt5U=
 github.com/segmentio/kafka-go v0.0.0-20190411192201-218fd49cff39/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo=
@@ -1682,6 +1683,7 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 h1:p7OofyZ509h8DmPLh8Hn+EIIZm/xYhdZHJ9GnXHdr6U=
 github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
 github.com/yvasiyarov/gorelic v0.0.7 h1:4DTF1WOM2ZZS/xMOkTFBOcb6XiHu/PKn3rVo6dbewQE=
@@ -1865,8 +1867,9 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180112015858-5ccada7d0a7b/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1941,8 +1944,10 @@ golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20221004154528-8021a29435af h1:wv66FM3rLZGPdxpYL+ApnDe2HzHcTFta3z5nsc13wI4=
-golang.org/x/net v0.0.0-20221004154528-8021a29435af/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1979,8 +1984,9 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180117170059-2c42eef0765b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2111,14 +2117,17 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20221010170243-090e33056c14 h1:k5II8e6QD8mITdi+okbbmR/cIyEbeXLBhy5Ha4nevyc=
-golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 h1:CBpWXWQpIRjzmkkA+M7q9Fqnwd2mZr3AFqexg8YTfoM=
-golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20171227012246-e19ae1496984/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2129,8 +2138,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2256,8 +2266,9 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
-golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
  • package/Dockerfile+2 2 modified
    @@ -1,6 +1,6 @@
 FROM registry.suse.com/bci/bci-base:15.4
 
-RUN zypper -n install git-core curl ca-certificates unzip xz gzip sed tar shadow gawk vim netcat-openbsd mkisofs && \
+RUN zypper -n install git-core curl ca-certificates unzip xz gzip sed tar shadow gawk vim netcat-openbsd mkisofs openssh-clients && \
     zypper -n clean -a && rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/* && \
     useradd rancher && \
     mkdir -p /var/lib/rancher /var/lib/cattle /opt/jail /opt/drivers/management-state/bin && \
@@ -167,7 +167,7 @@ ENV CATTLE_DASHBOARD_UI_VERSION v2.6.13
 ENV CATTLE_CLI_VERSION v2.6.11
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.10
+ENV CATTLE_API_UI_VERSION 1.1.11
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log
  • pkg/apis/catalog.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/go.mod+2 2 modified
    @@ -10,8 +10,8 @@ require (
 	github.com/rancher/eks-operator v1.1.5
 	github.com/rancher/fleet/pkg/apis v0.0.0-20230116113701-fc276f5505be
 	github.com/rancher/gke-operator v1.1.4
-	github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a
-	github.com/rancher/rke v1.3.20
+	github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b
+	github.com/rancher/rke v1.3.24
 	github.com/rancher/wrangler v1.0.1-0.20230208234005-a59a11cc3ef5
 	github.com/sirupsen/logrus v1.8.1
 	k8s.io/api v0.25.4
  • pkg/apis/go.sum+4 4 modified
    @@ -598,10 +598,10 @@ github.com/rancher/lasso v0.0.0-20210616224652-fc3ebd901c08/go.mod h1:9qZd/S8DqW
 github.com/rancher/lasso v0.0.0-20220519004610-700f167d8324/go.mod h1:T6WoUopOHBWTGjnphruTJAgoZ+dpm6llvn6GDYaa7Kw=
 github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc h1:29VHrInLV4qSevvcvhBj5UhQWkPShxrxv4AahYg2Scw=
 github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc/go.mod h1:dEfC9eFQigj95lv/JQ8K5e7+qQCacWs1aIA6nLxKzT8=
-github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4=
-github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
-github.com/rancher/rke v1.3.20 h1:t/rgErjPEnmByUPKNuMsz9EF7OjY3SBt5eD8J4pZnDI=
-github.com/rancher/rke v1.3.20/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY=
+github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b h1:DEDBVlylKTCC6KPl3BnPqsw3+aVygmcYwpJv3AJnOo0=
+github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
+github.com/rancher/rke v1.3.24 h1:UgMSUyhHAPjAsOFb9AkUtP5PgnbaBK5W4bKtT7w0+D8=
+github.com/rancher/rke v1.3.24/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY=
 github.com/rancher/wrangler v0.6.2-0.20200427172034-da9b142ae061/go.mod h1:n5Du/gGD7WoiqnEo0SHnPirDIp1V9Zu+6guc8lXS2dk=
 github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106/go.mod h1:iKqQcYs4YSDjsme52OZtQU4jHPmLlIiM93aj2c8c/W8=
 github.com/rancher/wrangler v0.8.10/go.mod h1:Lte9WjPtGYxYacIWeiS9qawvu2R4NujFU9xuXWJvc/0=
  • pkg/apis/management.cattle.io/v3/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/v3/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/v3/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/v3/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/auth/audit/audit.go+5 3 modified
    @@ -20,6 +20,7 @@ import (
 	"github.com/sirupsen/logrus"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/utils/strings/slices"
 )
 
 const (
@@ -50,8 +51,9 @@ var (
 		http.MethodPut:  true,
 		http.MethodPost: true,
 	}
-	sensitiveRequestHeader  = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token"}
-	sensitiveResponseHeader = []string{"Cookie", "Set-Cookie"}
+	sensitiveRequestHeader  = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token", "X-Api-Auth-Header", "X-Amz-Security-Token"}
+	sensitiveResponseHeader = []string{"Cookie", "Set-Cookie", "X-Api-Set-Cookie-Header"}
+	sensitiveBodyFields     = []string{"credentials", "applicationSecret", "oauthCredential", "serviceAccountCredential", "spKey", "spCert", "certificate", "privateKey"}
 	// ErrUnsupportedEncoding is returned when the response encoding is unsupported
 	ErrUnsupportedEncoding = fmt.Errorf("unsupported encoding")
 	secretBaseType         = regexp.MustCompile(".\"baseType\":\"([A-Za-z]*[S|s]ecret)\".")
@@ -394,7 +396,7 @@ func (a *auditLog) redactMap(m map[string]interface{}) bool {
 	for key := range m {
 		switch val := m[key].(type) {
 		case string:
-			if a.keysToRedactRegex.MatchString(key) {
+			if a.keysToRedactRegex.MatchString(key) || slices.Contains(sensitiveBodyFields, key) {
 				changed = true
 				m[key] = redacted
 			}
  • pkg/auth/audit/audit_test.go+22 0 modified
    @@ -199,6 +199,11 @@ func (a *AuditTest) TestRedactSensitiveData() {
 			want:  []byte(fmt.Sprintf(`{"kubeConfig":"%s","namespace":"testns","secretName":"secret-name"}`, redacted)),
 			uri:   `asdf`,
 		},
+		{
+			name:  "With items from sensitiveBodyFields",
+			input: []byte(`{"credentials": "{'fakeCredName': 'fakeCred'}", "applicationSecret": "fakeAppSecret", "oauthCredential": "fakeOauth", "serviceAccountCredential": "fakeSACred", "spKey": "fakeSPKey", "spCert": "fakeSPCERT", "certificate": "fakeCert", "privateKey": "fakeKey"}`),
+			want:  []byte(fmt.Sprintf(`{"credentials": "%s", "applicationSecret": "%[1]s", "oauthCredential": "%[1]s", "serviceAccountCredential": "%[1]s", "spKey": "%[1]s", "spCert": "%[1]s", "certificate": "%[1]s", "privateKey": "%[1]s"}`, redacted)),
+		},
 	}
 	for i := range tests {
 		test := tests[i]
@@ -437,6 +442,18 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 		},
+		{
+			name:               "sensitive request header: \"X-Api-Auth-Header\"",
+			reqHeader:          http.Header{"X-Api-Auth-Header": []string{"abcd"}},
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
+		{
+			name:               "sensitive request header: \"X-Amz-Security-Token\"",
+			reqHeader:          http.Header{"X-Amz-Security-Token": []string{"abcd"}},
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
 		{
 			name:               "non-sensitive request header and sensitive request header: \"Cookie\"",
 			reqHeader:          http.Header{"Cookie": []string{"abcd"}, "User-Agent": []string{"useragent1"}},
@@ -454,6 +471,11 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "Set-Cookie": []string{"abcd"}},
 			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 		},
+		{
+			name:               "sensitive response header: \"X-Api-Set-Cookie-Header\"",
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "X-Api-Set-Cookie-Header": []string{"abcd"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
 	}
 	writer.Level = LevelMetadata
 	for i := range tests {
  • pkg/client/generated/management/v3/zz_generated_aci_network_provider.go+209 165 modified
    @@ -1,172 +1,216 @@
 package client
 
 const (
-	AciNetworkProviderType                                   = "aciNetworkProvider"
-	AciNetworkProviderFieldAEP                               = "aep"
-	AciNetworkProviderFieldAddExternalSubnetsToRdconfig      = "addExternalSubnetsToRdconfig"
-	AciNetworkProviderFieldApicHosts                         = "apicHosts"
-	AciNetworkProviderFieldApicRefreshTickerAdjust           = "apicRefreshTickerAdjust"
-	AciNetworkProviderFieldApicRefreshTime                   = "apicRefreshTime"
-	AciNetworkProviderFieldApicSubscriptionDelay             = "apicSubscriptionDelay"
-	AciNetworkProviderFieldApicUserCrt                       = "apicUserCrt"
-	AciNetworkProviderFieldApicUserKey                       = "apicUserKey"
-	AciNetworkProviderFieldApicUserName                      = "apicUserName"
-	AciNetworkProviderFieldCApic                             = "capic"
-	AciNetworkProviderFieldControllerLogLevel                = "controllerLogLevel"
-	AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync = "disablePeriodicSnatGlobalInfoSync"
-	AciNetworkProviderFieldDisableWaitForNetwork             = "disableWaitForNetwork"
-	AciNetworkProviderFieldDropLogEnable                     = "dropLogEnable"
-	AciNetworkProviderFieldDurationWaitForNetwork            = "durationWaitForNetwork"
-	AciNetworkProviderFieldDynamicExternalSubnet             = "externDynamic"
-	AciNetworkProviderFieldEnableEndpointSlice               = "enableEndpointSlice"
-	AciNetworkProviderFieldEncapType                         = "encapType"
-	AciNetworkProviderFieldEpRegistry                        = "epRegistry"
-	AciNetworkProviderFieldGbpPodSubnet                      = "gbpPodSubnet"
-	AciNetworkProviderFieldHostAgentLogLevel                 = "hostAgentLogLevel"
-	AciNetworkProviderFieldHppOptimization                   = "hppOptimization"
-	AciNetworkProviderFieldImagePullPolicy                   = "imagePullPolicy"
-	AciNetworkProviderFieldImagePullSecret                   = "imagePullSecret"
-	AciNetworkProviderFieldInfraVlan                         = "infraVlan"
-	AciNetworkProviderFieldInstallIstio                      = "installIstio"
-	AciNetworkProviderFieldIstioProfile                      = "istioProfile"
-	AciNetworkProviderFieldKafkaBrokers                      = "kafkaBrokers"
-	AciNetworkProviderFieldKafkaClientCrt                    = "kafkaClientCrt"
-	AciNetworkProviderFieldKafkaClientKey                    = "kafkaClientKey"
-	AciNetworkProviderFieldKubeAPIVlan                       = "kubeApiVlan"
-	AciNetworkProviderFieldL3Out                             = "l3out"
-	AciNetworkProviderFieldL3OutExternalNetworks             = "l3outExternalNetworks"
-	AciNetworkProviderFieldMTUHeadRoom                       = "mtuHeadRoom"
-	AciNetworkProviderFieldMaxNodesSvcGraph                  = "maxNodesSvcGraph"
-	AciNetworkProviderFieldMcastRangeEnd                     = "mcastRangeEnd"
-	AciNetworkProviderFieldMcastRangeStart                   = "mcastRangeStart"
-	AciNetworkProviderFieldMultusDisable                     = "multusDisable"
-	AciNetworkProviderFieldNoPriorityClass                   = "noPriorityClass"
-	AciNetworkProviderFieldNoWaitForServiceEpReadiness       = "noWaitForServiceEpReadiness"
-	AciNetworkProviderFieldNodePodIfEnable                   = "nodePodIfEnable"
-	AciNetworkProviderFieldNodeSubnet                        = "nodeSubnet"
-	AciNetworkProviderFieldOVSMemoryLimit                    = "ovsMemoryLimit"
-	AciNetworkProviderFieldOpflexAgentLogLevel               = "opflexLogLevel"
-	AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled = "opflexAgentOpflexAsyncjsonEnabled"
-	AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled    = "opflexAgentOvsAsyncjsonEnabled"
-	AciNetworkProviderFieldOpflexClientSSL                   = "opflexClientSsl"
-	AciNetworkProviderFieldOpflexDeviceDeleteTimeout         = "opflexDeviceDeleteTimeout"
-	AciNetworkProviderFieldOpflexMode                        = "opflexMode"
-	AciNetworkProviderFieldOpflexServerPort                  = "opflexServerPort"
-	AciNetworkProviderFieldOverlayVRFName                    = "overlayVrfName"
-	AciNetworkProviderFieldPBRTrackingNonSnat                = "pbrTrackingNonSnat"
-	AciNetworkProviderFieldPodSubnetChunkSize                = "podSubnetChunkSize"
-	AciNetworkProviderFieldRunGbpContainer                   = "runGbpContainer"
-	AciNetworkProviderFieldRunOpflexServerContainer          = "runOpflexServerContainer"
-	AciNetworkProviderFieldServiceGraphEndpointAddDelay      = "serviceGraphEndpointAddDelay"
-	AciNetworkProviderFieldServiceGraphEndpointAddServices   = "serviceGraphEndpointAddServices"
-	AciNetworkProviderFieldServiceGraphSubnet                = "nodeSvcSubnet"
-	AciNetworkProviderFieldServiceMonitorInterval            = "serviceMonitorInterval"
-	AciNetworkProviderFieldServiceVlan                       = "serviceVlan"
-	AciNetworkProviderFieldSleepTimeSnatGlobalInfoSync       = "sleepTimeSnatGlobalInfoSync"
-	AciNetworkProviderFieldSnatContractScope                 = "snatContractScope"
-	AciNetworkProviderFieldSnatNamespace                     = "snatNamespace"
-	AciNetworkProviderFieldSnatPortRangeEnd                  = "snatPortRangeEnd"
-	AciNetworkProviderFieldSnatPortRangeStart                = "snatPortRangeStart"
-	AciNetworkProviderFieldSnatPortsPerNode                  = "snatPortsPerNode"
-	AciNetworkProviderFieldSriovEnable                       = "sriovEnable"
-	AciNetworkProviderFieldStaticExternalSubnet              = "externStatic"
-	AciNetworkProviderFieldSubnetDomainName                  = "subnetDomainName"
-	AciNetworkProviderFieldSystemIdentifier                  = "systemId"
-	AciNetworkProviderFieldTenant                            = "tenant"
-	AciNetworkProviderFieldToken                             = "token"
-	AciNetworkProviderFieldUseAciAnywhereCRD                 = "useAciAnywhereCrd"
-	AciNetworkProviderFieldUseAciCniPriorityClass            = "useAciCniPriorityClass"
-	AciNetworkProviderFieldUseClusterRole                    = "useClusterRole"
-	AciNetworkProviderFieldUseHostNetnsVolume                = "useHostNetnsVolume"
-	AciNetworkProviderFieldUseOpflexServerVolume             = "useOpflexServerVolume"
-	AciNetworkProviderFieldUsePrivilegedContainer            = "usePrivilegedContainer"
-	AciNetworkProviderFieldVRFName                           = "vrfName"
-	AciNetworkProviderFieldVRFTenant                         = "vrfTenant"
-	AciNetworkProviderFieldVmmController                     = "vmmController"
-	AciNetworkProviderFieldVmmDomain                         = "vmmDomain"
+	AciNetworkProviderType                                      = "aciNetworkProvider"
+	AciNetworkProviderFieldAEP                                  = "aep"
+	AciNetworkProviderFieldAccProvisionOperatorMemoryLimit      = "accProvisionOperatorMemoryLimit"
+	AciNetworkProviderFieldAccProvisionOperatorMemoryRequest    = "accProvisionOperatorMemoryRequest"
+	AciNetworkProviderFieldAciContainersControllerMemoryLimit   = "aciContainersControllerMemoryLimit"
+	AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest"
+	AciNetworkProviderFieldAciContainersHostMemoryLimit         = "aciContainersHostMemoryLimit"
+	AciNetworkProviderFieldAciContainersHostMemoryRequest       = "aciContainersHostMemoryRequest"
+	AciNetworkProviderFieldAciContainersMemoryLimit             = "aciContainersMemoryLimit"
+	AciNetworkProviderFieldAciContainersMemoryRequest           = "aciContainersMemoryRequest"
+	AciNetworkProviderFieldAciContainersOperatorMemoryLimit     = "aciContainersOperatorMemoryLimit"
+	AciNetworkProviderFieldAciContainersOperatorMemoryRequest   = "aciContainersOperatorMemoryRequest"
+	AciNetworkProviderFieldAciMultipod                          = "aciMultipod"
+	AciNetworkProviderFieldAciMultipodUbuntu                    = "aciMultipodUbuntu"
+	AciNetworkProviderFieldAddExternalSubnetsToRdconfig         = "addExternalSubnetsToRdconfig"
+	AciNetworkProviderFieldApicHosts                            = "apicHosts"
+	AciNetworkProviderFieldApicRefreshTickerAdjust              = "apicRefreshTickerAdjust"
+	AciNetworkProviderFieldApicRefreshTime                      = "apicRefreshTime"
+	AciNetworkProviderFieldApicSubscriptionDelay                = "apicSubscriptionDelay"
+	AciNetworkProviderFieldApicUserCrt                          = "apicUserCrt"
+	AciNetworkProviderFieldApicUserKey                          = "apicUserKey"
+	AciNetworkProviderFieldApicUserName                         = "apicUserName"
+	AciNetworkProviderFieldCApic                                = "capic"
+	AciNetworkProviderFieldControllerLogLevel                   = "controllerLogLevel"
+	AciNetworkProviderFieldDhcpDelay                            = "dhcpDelay"
+	AciNetworkProviderFieldDhcpRenewMaxRetryCount               = "dhcpRenewMaxRetryCount"
+	AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync    = "disablePeriodicSnatGlobalInfoSync"
+	AciNetworkProviderFieldDisableWaitForNetwork                = "disableWaitForNetwork"
+	AciNetworkProviderFieldDropLogEnable                        = "dropLogEnable"
+	AciNetworkProviderFieldDurationWaitForNetwork               = "durationWaitForNetwork"
+	AciNetworkProviderFieldDynamicExternalSubnet                = "externDynamic"
+	AciNetworkProviderFieldEnableEndpointSlice                  = "enableEndpointSlice"
+	AciNetworkProviderFieldEncapType                            = "encapType"
+	AciNetworkProviderFieldEpRegistry                           = "epRegistry"
+	AciNetworkProviderFieldGbpPodSubnet                         = "gbpPodSubnet"
+	AciNetworkProviderFieldHostAgentLogLevel                    = "hostAgentLogLevel"
+	AciNetworkProviderFieldHppOptimization                      = "hppOptimization"
+	AciNetworkProviderFieldImagePullPolicy                      = "imagePullPolicy"
+	AciNetworkProviderFieldImagePullSecret                      = "imagePullSecret"
+	AciNetworkProviderFieldInfraVlan                            = "infraVlan"
+	AciNetworkProviderFieldInstallIstio                         = "installIstio"
+	AciNetworkProviderFieldIstioProfile                         = "istioProfile"
+	AciNetworkProviderFieldKafkaBrokers                         = "kafkaBrokers"
+	AciNetworkProviderFieldKafkaClientCrt                       = "kafkaClientCrt"
+	AciNetworkProviderFieldKafkaClientKey                       = "kafkaClientKey"
+	AciNetworkProviderFieldKubeAPIVlan                          = "kubeApiVlan"
+	AciNetworkProviderFieldL3Out                                = "l3out"
+	AciNetworkProviderFieldL3OutExternalNetworks                = "l3outExternalNetworks"
+	AciNetworkProviderFieldMTUHeadRoom                          = "mtuHeadRoom"
+	AciNetworkProviderFieldMaxNodesSvcGraph                     = "maxNodesSvcGraph"
+	AciNetworkProviderFieldMcastDaemonMemoryLimit               = "mcastDaemonMemoryLimit"
+	AciNetworkProviderFieldMcastDaemonMemoryRequest             = "mcastDaemonMemoryRequest"
+	AciNetworkProviderFieldMcastRangeEnd                        = "mcastRangeEnd"
+	AciNetworkProviderFieldMcastRangeStart                      = "mcastRangeStart"
+	AciNetworkProviderFieldMultusDisable                        = "multusDisable"
+	AciNetworkProviderFieldNoPriorityClass                      = "noPriorityClass"
+	AciNetworkProviderFieldNoWaitForServiceEpReadiness          = "noWaitForServiceEpReadiness"
+	AciNetworkProviderFieldNodePodIfEnable                      = "nodePodIfEnable"
+	AciNetworkProviderFieldNodeSubnet                           = "nodeSubnet"
+	AciNetworkProviderFieldOVSMemoryLimit                       = "ovsMemoryLimit"
+	AciNetworkProviderFieldOVSMemoryRequest                     = "ovsMemoryRequest"
+	AciNetworkProviderFieldOpflexAgentLogLevel                  = "opflexLogLevel"
+	AciNetworkProviderFieldOpflexAgentMemoryLimit               = "opflexAgentMemoryLimit"
+	AciNetworkProviderFieldOpflexAgentMemoryRequest             = "opflexAgentMemoryRequest"
+	AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled    = "opflexAgentOpflexAsyncjsonEnabled"
+	AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled       = "opflexAgentOvsAsyncjsonEnabled"
+	AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer     = "opflexAgentPolicyRetryDelayTimer"
+	AciNetworkProviderFieldOpflexClientSSL                      = "opflexClientSsl"
+	AciNetworkProviderFieldOpflexDeviceDeleteTimeout            = "opflexDeviceDeleteTimeout"
+	AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout     = "opflexDeviceReconnectWaitTimeout"
+	AciNetworkProviderFieldOpflexMode                           = "opflexMode"
+	AciNetworkProviderFieldOpflexServerPort                     = "opflexServerPort"
+	AciNetworkProviderFieldOverlayVRFName                       = "overlayVrfName"
+	AciNetworkProviderFieldPBRTrackingNonSnat                   = "pbrTrackingNonSnat"
+	AciNetworkProviderFieldPodSubnetChunkSize                   = "podSubnetChunkSize"
+	AciNetworkProviderFieldRunGbpContainer                      = "runGbpContainer"
+	AciNetworkProviderFieldRunOpflexServerContainer             = "runOpflexServerContainer"
+	AciNetworkProviderFieldServiceGraphEndpointAddDelay         = "serviceGraphEndpointAddDelay"
+	AciNetworkProviderFieldServiceGraphEndpointAddServices      = "serviceGraphEndpointAddServices"
+	AciNetworkProviderFieldServiceGraphSubnet                   = "nodeSvcSubnet"
+	AciNetworkProviderFieldServiceMonitorInterval               = "serviceMonitorInterval"
+	AciNetworkProviderFieldServiceVlan                          = "serviceVlan"
+	AciNetworkProviderFieldSleepTimeSnatGlobalInfoSync          = "sleepTimeSnatGlobalInfoSync"
+	AciNetworkProviderFieldSnatContractScope                    = "snatContractScope"
+	AciNetworkProviderFieldSnatNamespace                        = "snatNamespace"
+	AciNetworkProviderFieldSnatPortRangeEnd                     = "snatPortRangeEnd"
+	AciNetworkProviderFieldSnatPortRangeStart                   = "snatPortRangeStart"
+	AciNetworkProviderFieldSnatPortsPerNode                     = "snatPortsPerNode"
+	AciNetworkProviderFieldSriovEnable                          = "sriovEnable"
+	AciNetworkProviderFieldStaticExternalSubnet                 = "externStatic"
+	AciNetworkProviderFieldSubnetDomainName                     = "subnetDomainName"
+	AciNetworkProviderFieldSystemIdentifier                     = "systemId"
+	AciNetworkProviderFieldTenant                               = "tenant"
+	AciNetworkProviderFieldToken                                = "token"
+	AciNetworkProviderFieldUseAciAnywhereCRD                    = "useAciAnywhereCrd"
+	AciNetworkProviderFieldUseAciCniPriorityClass               = "useAciCniPriorityClass"
+	AciNetworkProviderFieldUseClusterRole                       = "useClusterRole"
+	AciNetworkProviderFieldUseHostNetnsVolume                   = "useHostNetnsVolume"
+	AciNetworkProviderFieldUseOpflexServerVolume                = "useOpflexServerVolume"
+	AciNetworkProviderFieldUsePrivilegedContainer               = "usePrivilegedContainer"
+	AciNetworkProviderFieldUseSystemNodePriorityClass           = "useSystemNodePriorityClass"
+	AciNetworkProviderFieldVRFName                              = "vrfName"
+	AciNetworkProviderFieldVRFTenant                            = "vrfTenant"
+	AciNetworkProviderFieldVmmController                        = "vmmController"
+	AciNetworkProviderFieldVmmDomain                            = "vmmDomain"
 )
 
 type AciNetworkProvider struct {
-	AEP                               string              `json:"aep,omitempty" yaml:"aep,omitempty"`
-	AddExternalSubnetsToRdconfig      string              `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"`
-	ApicHosts                         []string            `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
-	ApicRefreshTickerAdjust           string              `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
-	ApicRefreshTime                   string              `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"`
-	ApicSubscriptionDelay             string              `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"`
-	ApicUserCrt                       string              `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"`
-	ApicUserKey                       string              `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"`
-	ApicUserName                      string              `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"`
-	CApic                             string              `json:"capic,omitempty" yaml:"capic,omitempty"`
-	ControllerLogLevel                string              `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"`
-	DisablePeriodicSnatGlobalInfoSync string              `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"`
-	DisableWaitForNetwork             string              `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"`
-	DropLogEnable                     string              `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"`
-	DurationWaitForNetwork            string              `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
-	DynamicExternalSubnet             string              `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
-	EnableEndpointSlice               string              `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
-	EncapType                         string              `json:"encapType,omitempty" yaml:"encapType,omitempty"`
-	EpRegistry                        string              `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
-	GbpPodSubnet                      string              `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
-	HostAgentLogLevel                 string              `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"`
-	HppOptimization                   string              `json:"hppOptimization,omitempty" yaml:"hppOptimization,omitempty"`
-	ImagePullPolicy                   string              `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"`
-	ImagePullSecret                   string              `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"`
-	InfraVlan                         string              `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"`
-	InstallIstio                      string              `json:"installIstio,omitempty" yaml:"installIstio,omitempty"`
-	IstioProfile                      string              `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"`
-	KafkaBrokers                      []string            `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"`
-	KafkaClientCrt                    string              `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"`
-	KafkaClientKey                    string              `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"`
-	KubeAPIVlan                       string              `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"`
-	L3Out                             string              `json:"l3out,omitempty" yaml:"l3out,omitempty"`
-	L3OutExternalNetworks             []string            `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"`
-	MTUHeadRoom                       string              `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"`
-	MaxNodesSvcGraph                  string              `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"`
-	McastRangeEnd                     string              `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"`
-	McastRangeStart                   string              `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"`
-	MultusDisable                     string              `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"`
-	NoPriorityClass                   string              `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
-	NoWaitForServiceEpReadiness       string              `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"`
-	NodePodIfEnable                   string              `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
-	NodeSubnet                        string              `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
-	OVSMemoryLimit                    string              `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
-	OpflexAgentLogLevel               string              `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"`
-	OpflexAgentOpflexAsyncjsonEnabled string              `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"`
-	OpflexAgentOvsAsyncjsonEnabled    string              `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"`
-	OpflexClientSSL                   string              `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
-	OpflexDeviceDeleteTimeout         string              `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
-	OpflexMode                        string              `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
-	OpflexServerPort                  string              `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
-	OverlayVRFName                    string              `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
-	PBRTrackingNonSnat                string              `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
-	PodSubnetChunkSize                string              `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"`
-	RunGbpContainer                   string              `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"`
-	RunOpflexServerContainer          string              `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"`
-	ServiceGraphEndpointAddDelay      string              `json:"serviceGraphEndpointAddDelay,omitempty" yaml:"serviceGraphEndpointAddDelay,omitempty"`
-	ServiceGraphEndpointAddServices   []map[string]string `json:"serviceGraphEndpointAddServices,omitempty" yaml:"serviceGraphEndpointAddServices,omitempty"`
-	ServiceGraphSubnet                string              `json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"`
-	ServiceMonitorInterval            string              `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"`
-	ServiceVlan                       string              `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"`
-	SleepTimeSnatGlobalInfoSync       string              `json:"sleepTimeSnatGlobalInfoSync,omitempty" yaml:"sleepTimeSnatGlobalInfoSync,omitempty"`
-	SnatContractScope                 string              `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"`
-	SnatNamespace                     string              `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"`
-	SnatPortRangeEnd                  string              `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"`
-	SnatPortRangeStart                string              `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"`
-	SnatPortsPerNode                  string              `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"`
-	SriovEnable                       string              `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"`
-	StaticExternalSubnet              string              `json:"externStatic,omitempty" yaml:"externStatic,omitempty"`
-	SubnetDomainName                  string              `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"`
-	SystemIdentifier                  string              `json:"systemId,omitempty" yaml:"systemId,omitempty"`
-	Tenant                            string              `json:"tenant,omitempty" yaml:"tenant,omitempty"`
-	Token                             string              `json:"token,omitempty" yaml:"token,omitempty"`
-	UseAciAnywhereCRD                 string              `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
-	UseAciCniPriorityClass            string              `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
-	UseClusterRole                    string              `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
-	UseHostNetnsVolume                string              `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"`
-	UseOpflexServerVolume             string              `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"`
-	UsePrivilegedContainer            string              `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"`
-	VRFName                           string              `json:"vrfName,omitempty" yaml:"vrfName,omitempty"`
-	VRFTenant                         string              `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"`
-	VmmController                     string              `json:"vmmController,omitempty" yaml:"vmmController,omitempty"`
-	VmmDomain                         string              `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"`
+	AEP                                  string              `json:"aep,omitempty" yaml:"aep,omitempty"`
+	AccProvisionOperatorMemoryLimit      string              `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"`
+	AccProvisionOperatorMemoryRequest    string              `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"`
+	AciContainersControllerMemoryLimit   string              `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"`
+	AciContainersControllerMemoryRequest string              `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"`
+	AciContainersHostMemoryLimit         string              `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"`
+	AciContainersHostMemoryRequest       string              `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"`
+	AciContainersMemoryLimit             string              `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"`
+	AciContainersMemoryRequest           string              `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"`
+	AciContainersOperatorMemoryLimit     string              `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"`
+	AciContainersOperatorMemoryRequest   string              `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"`
+	AciMultipod                          string              `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"`
+	AciMultipodUbuntu                    string              `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"`
+	AddExternalSubnetsToRdconfig         string              `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"`
+	ApicHosts                            []string            `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
+	ApicRefreshTickerAdjust              string              `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
+	ApicRefreshTime                      string              `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"`
+	ApicSubscriptionDelay                string              `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"`
+	ApicUserCrt                          string              `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"`
+	ApicUserKey                          string              `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"`
+	ApicUserName                         string              `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"`
+	CApic                                string              `json:"capic,omitempty" yaml:"capic,omitempty"`
+	ControllerLogLevel                   string              `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"`
+	DhcpDelay                            string              `json:"dhcpDelay,omitempty" yaml:"dhcpDelay,omitempty"`
+	DhcpRenewMaxRetryCount               string              `json:"dhcpRenewMaxRetryCount,omitempty" yaml:"dhcpRenewMaxRetryCount,omitempty"`
+	DisablePeriodicSnatGlobalInfoSync    string              `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"`
+	DisableWaitForNetwork                string              `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"`
+	DropLogEnable                        string              `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"`
+	DurationWaitForNetwork               string              `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
+	DynamicExternalSubnet                string              `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
+	EnableEndpointSlice                  string              `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
+	EncapType                            string              `json:"encapType,omitempty" yaml:"encapType,omitempty"`
+	EpRegistry                           string              `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
+	GbpPodSubnet                         string              `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
+	HostAgentLogLevel                    string              `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"`
+	HppOptimization                      string              `json:"hppOptimization,omitempty" yaml:"hppOptimization,omitempty"`
+	ImagePullPolicy                      string              `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"`
+	ImagePullSecret                      string              `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"`
+	InfraVlan                            string              `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"`
+	InstallIstio                         string              `json:"installIstio,omitempty" yaml:"installIstio,omitempty"`
+	IstioProfile                         string              `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"`
+	KafkaBrokers                         []string            `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"`
+	KafkaClientCrt                       string              `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"`
+	KafkaClientKey                       string              `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"`
+	KubeAPIVlan                          string              `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"`
+	L3Out                                string              `json:"l3out,omitempty" yaml:"l3out,omitempty"`
+	L3OutExternalNetworks                []string            `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"`
+	MTUHeadRoom                          string              `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"`
+	MaxNodesSvcGraph                     string              `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"`
+	McastDaemonMemoryLimit               string              `json:"mcastDaemonMemoryLimit,omitempty" yaml:"mcastDaemonMemoryLimit,omitempty"`
+	McastDaemonMemoryRequest             string              `json:"mcastDaemonMemoryRequest,omitempty" yaml:"mcastDaemonMemoryRequest,omitempty"`
+	McastRangeEnd                        string              `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"`
+	McastRangeStart                      string              `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"`
+	MultusDisable                        string              `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"`
+	NoPriorityClass                      string              `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
+	NoWaitForServiceEpReadiness          string              `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"`
+	NodePodIfEnable                      string              `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
+	NodeSubnet                           string              `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
+	OVSMemoryLimit                       string              `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
+	OVSMemoryRequest                     string              `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"`
+	OpflexAgentLogLevel                  string              `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"`
+	OpflexAgentMemoryLimit               string              `json:"opflexAgentMemoryLimit,omitempty" yaml:"opflexAgentMemoryLimit,omitempty"`
+	OpflexAgentMemoryRequest             string              `json:"opflexAgentMemoryRequest,omitempty" yaml:"opflexAgentMemoryRequest,omitempty"`
+	OpflexAgentOpflexAsyncjsonEnabled    string              `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"`
+	OpflexAgentOvsAsyncjsonEnabled       string              `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"`
+	OpflexAgentPolicyRetryDelayTimer     string              `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"`
+	OpflexClientSSL                      string              `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
+	OpflexDeviceDeleteTimeout            string              `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
+	OpflexDeviceReconnectWaitTimeout     string              `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"`
+	OpflexMode                           string              `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
+	OpflexServerPort                     string              `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
+	OverlayVRFName                       string              `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
+	PBRTrackingNonSnat                   string              `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
+	PodSubnetChunkSize                   string              `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"`
+	RunGbpContainer                      string              `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"`
+	RunOpflexServerContainer             string              `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"`
+	ServiceGraphEndpointAddDelay         string              `json:"serviceGraphEndpointAddDelay,omitempty" yaml:"serviceGraphEndpointAddDelay,omitempty"`
+	ServiceGraphEndpointAddServices      []map[string]string `json:"serviceGraphEndpointAddServices,omitempty" yaml:"serviceGraphEndpointAddServices,omitempty"`
+	ServiceGraphSubnet                   string              `json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"`
+	ServiceMonitorInterval               string              `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"`
+	ServiceVlan                          string              `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"`
+	SleepTimeSnatGlobalInfoSync          string              `json:"sleepTimeSnatGlobalInfoSync,omitempty" yaml:"sleepTimeSnatGlobalInfoSync,omitempty"`
+	SnatContractScope                    string              `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"`
+	SnatNamespace                        string              `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"`
+	SnatPortRangeEnd                     string              `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"`
+	SnatPortRangeStart                   string              `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"`
+	SnatPortsPerNode                     string              `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"`
+	SriovEnable                          string              `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"`
+	StaticExternalSubnet                 string              `json:"externStatic,omitempty" yaml:"externStatic,omitempty"`
+	SubnetDomainName                     string              `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"`
+	SystemIdentifier                     string              `json:"systemId,omitempty" yaml:"systemId,omitempty"`
+	Tenant                               string              `json:"tenant,omitempty" yaml:"tenant,omitempty"`
+	Token                                string              `json:"token,omitempty" yaml:"token,omitempty"`
+	UseAciAnywhereCRD                    string              `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
+	UseAciCniPriorityClass               string              `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
+	UseClusterRole                       string              `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
+	UseHostNetnsVolume                   string              `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"`
+	UseOpflexServerVolume                string              `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"`
+	UsePrivilegedContainer               string              `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"`
+	UseSystemNodePriorityClass           string              `json:"useSystemNodePriorityClass,omitempty" yaml:"useSystemNodePriorityClass,omitempty"`
+	VRFName                              string              `json:"vrfName,omitempty" yaml:"vrfName,omitempty"`
+	VRFTenant                            string              `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"`
+	VmmController                        string              `json:"vmmController,omitempty" yaml:"vmmController,omitempty"`
+	VmmDomain                            string              `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"`
 }
  • pkg/client/go.mod+1 1 modified
    @@ -5,7 +5,7 @@ go 1.17
 replace k8s.io/client-go => k8s.io/client-go v0.18.8
 
 require (
-	github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a
+	github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b
 	k8s.io/apimachinery v0.24.0
 )
  • pkg/client/go.sum+2 2 modified
    @@ -500,8 +500,8 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T
 github.com/qri-io/starlib v0.4.2-0.20200213133954-ff2e8cd5ef8d/go.mod h1:7DPO4domFU579Ga6E61sB9VFNaniPVwJP5C4bBCu3wA=
 github.com/rancher/lasso v0.0.0-20200820172840-0e4cc0ef5cb0/go.mod h1:OhBBBO1pBwYp0hacWdnvSGOj+XE9yMLOLnaypIlic18=
 github.com/rancher/lasso v0.0.0-20220519004610-700f167d8324/go.mod h1:T6WoUopOHBWTGjnphruTJAgoZ+dpm6llvn6GDYaa7Kw=
-github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4=
-github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
+github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b h1:DEDBVlylKTCC6KPl3BnPqsw3+aVygmcYwpJv3AJnOo0=
+github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
 github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106 h1:ed0NTDvIwulez4zVvBZ1U7mFe2PBxtHvJ9bn2l9bcZ8=
 github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106/go.mod h1:iKqQcYs4YSDjsme52OZtQU4jHPmLlIiM93aj2c8c/W8=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
  • pkg/controllers/managementuser/rbac/cluster_handler.go+7 0 modified
    @@ -9,16 +9,23 @@ import (
 	"github.com/rancher/rancher/pkg/rbac"
 	"github.com/rancher/rancher/pkg/types/config"
 	k8srbac "k8s.io/api/rbac/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/tools/cache"
 )
 
 const (
 	grbByRoleIndex = "management.cattle.io/grb-by-role"
 )
 
+var (
+	errNotFound     = apierrors.NewNotFound(schema.GroupResource{}, "")
+	errAlreadyExist = apierrors.NewAlreadyExists(schema.GroupResource{}, "")
+)
+
 func newClusterHandler(workload *config.UserContext) v3.ClusterHandlerFunc { //*clusterHandler {
 	informer := workload.Management.Management.GlobalRoleBindings("").Controller().Informer()
  • pkg/controllers/managementuser/rbac/handler_base_test.go+168 31 modified
    @@ -4,32 +4,180 @@ import (
 	"fmt"
 	"testing"
 
+	apimgmtv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
-	fakes "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes"
+	"github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes"
+	fakes2 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
 	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime/schema"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 )
 
-var roles = map[string]*v3.RoleTemplate{
-	"recursive1": {
-		RoleTemplateNames: []string{"recursive2"},
-	},
-	"recursive2": {
-		RoleTemplateNames: []string{"recursive1"},
-	},
-	"non-recursive": {},
-	"inherit non-recursive": {
-		RoleTemplateNames: []string{"non-recursive"},
-	},
+var (
+	recursiveTestRoleTemplates = map[string]*v3.RoleTemplate{
+		"recursive1": {
+			RoleTemplateNames: []string{"recursive2"},
+		},
+		"recursive2": {
+			RoleTemplateNames: []string{"recursive1"},
+		},
+		"non-recursive": {},
+		"inherit non-recursive": {
+			RoleTemplateNames: []string{"non-recursive"},
+		},
+	}
+	createNSRoleTemplate = &v3.RoleTemplate{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "create-ns",
+		},
+		Builtin: true,
+		Rules: []v1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"namespaces"},
+				Verbs:     []string{"create"},
+			},
+		},
+	}
+)
+
+type clientErrs struct {
+	getError    error
+	updateError error
+	createError error
 }
 
-func Test_gatherRoles(t *testing.T) {
-	manager := &manager{
+func setupManager(roleTemplates map[string]*v3.RoleTemplate, clusterRoles map[string]*v1.ClusterRole, roles map[string]*v1.Role, projects map[string]*v3.Project, crErrs, rtErrs, rErrs clientErrs) *manager {
+	return &manager{
 		rtLister: &fakes.RoleTemplateListerMock{
-			GetFunc: roleListerGetFunc,
+			GetFunc: func(namespace string, name string) (*v3.RoleTemplate, error) {
+				if rtErrs.getError != nil {
+					return nil, rtErrs.getError
+				}
+				rt, ok := roleTemplates[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return rt.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v3.RoleTemplate, error) {
+				rts := make([]*v3.RoleTemplate, len(roleTemplates))
+				for i := range roleTemplates {
+					rts = append(rts, roleTemplates[i])
+				}
+				return rts, nil
+			},
 		},
+		crLister: &fakes2.ClusterRoleListerMock{
+			GetFunc: func(namespace string, name string) (*v1.ClusterRole, error) {
+				if crErrs.getError != nil {
+					return nil, crErrs.getError
+				}
+				cr, ok := clusterRoles[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return cr.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v1.ClusterRole, error) {
+				crs := make([]*v1.ClusterRole, len(roleTemplates))
+				for i := range clusterRoles {
+					crs = append(crs, clusterRoles[i])
+				}
+				return crs, nil
+			},
+		},
+		clusterRoles: &fakes2.ClusterRoleInterfaceMock{
+			GetFunc: func(name string, opts metav1.GetOptions) (*v1.ClusterRole, error) {
+				if crErrs.getError != nil {
+					return nil, crErrs.getError
+				}
+				cr, ok := clusterRoles[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return cr.DeepCopy(), nil
+			},
+			UpdateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) {
+				if crErrs.updateError != nil {
+					return nil, crErrs.updateError
+				}
+				_, ok := clusterRoles[cr.Name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name)
+				}
+				clusterRoles[cr.Name] = cr
+				return clusterRoles[cr.Name].DeepCopy(), nil
+			},
+			CreateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) {
+				if crErrs.createError != nil {
+					return nil, crErrs.createError
+				}
+				_, ok := clusterRoles[cr.Name]
+				if ok {
+					return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name)
+				}
+				clusterRoles[cr.Name] = cr
+				return clusterRoles[cr.Name].DeepCopy(), nil
+			},
+		},
+		rLister: &fakes2.RoleListerMock{
+			GetFunc: func(namespace string, name string) (*v1.Role, error) {
+				if rErrs.getError != nil {
+					return nil, rErrs.getError
+				}
+				key := fmt.Sprintf("%s:%s", namespace, name)
+				r, ok := roles[key]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return r.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v1.Role, error) {
+				rs := make([]*v1.Role, len(roles))
+				for i := range roles {
+					rs = append(rs, roles[i])
+				}
+				return rs, nil
+			},
+		},
+		roles: &fakes2.RoleInterfaceMock{
+			UpdateFunc: func(r *v1.Role) (*v1.Role, error) {
+				key := fmt.Sprintf("%s:%s", r.Namespace, r.Name)
+				_, ok := roles[key]
+				if ok {
+					return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), key)
+				}
+				roles[r.Name] = r
+				return roles[r.Name].DeepCopy(), nil
+			},
+			GetNamespacedFunc: func(namespace string, name string, opts metav1.GetOptions) (*v1.Role, error) {
+				key := fmt.Sprintf("%s:%s", namespace, name)
+				r, ok := roles[key]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return r.DeepCopy(), nil
+			},
+		},
+		projectLister: &fakes.ProjectListerMock{
+			ListFunc: func(namespace string, selector labels.Selector) ([]*apimgmtv3.Project, error) {
+				rs := make([]*v3.Project, len(projects))
+				for i := range projects {
+					rs = append(rs, projects[i])
+				}
+				return rs, nil
+			},
+		},
+		clusterName: "testcluster",
 	}
+}
+
+func Test_gatherRoles(t *testing.T) {
+	m := setupManager(recursiveTestRoleTemplates, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+
 	emptyRoleTemplates := make(map[string]*v3.RoleTemplate)
 	type args struct {
 		rt            *v3.RoleTemplate
@@ -44,7 +192,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Non-recursive role, none inherited",
 			args: args{
-				rt:            roles["non-recursive"],
+				rt:            recursiveTestRoleTemplates["non-recursive"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -53,7 +201,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Non-recursive role, inherits another",
 			args: args{
-				rt:            roles["inherit non-recursive"],
+				rt:            recursiveTestRoleTemplates["inherit non-recursive"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -62,7 +210,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Recursive role",
 			args: args{
-				rt:            roles["recursive1"],
+				rt:            recursiveTestRoleTemplates["recursive1"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -72,7 +220,7 @@ func Test_gatherRoles(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := manager.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter)
+			err := m.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter)
 			if tt.wantErr {
 				assert.Error(t, err, "expected an error, received none")
 			} else {
@@ -81,14 +229,3 @@ func Test_gatherRoles(t *testing.T) {
 		})
 	}
 }
-
-func roleListerGetFunc(ns, name string) (*v3.RoleTemplate, error) {
-	role, ok := roles[name]
-	if !ok {
-		return nil, errors.NewNotFound(schema.GroupResource{
-			Group:    v3.RoleTemplateGroupVersionKind.Group,
-			Resource: v3.RoleTemplateGroupVersionResource.Resource,
-		}, name)
-	}
-	return role, nil
-}
  • pkg/controllers/managementuser/rbac/namespace_handler.go+2 2 modified
    @@ -334,7 +334,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err
 			return err
 		}
 
-		roleCli := n.m.workload.RBAC.ClusterRoles("")
+		roleCli := n.m.clusterRoles
 		nsInDesiredRole := false
 		for _, c := range clusterRoles {
 			cr, ok := c.(*rbacv1.ClusterRole)
@@ -442,7 +442,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err
 }
 
 func (m *manager) createProjectNSRole(roleName, verb, ns, projectName string) error {
-	roleCli := m.workload.RBAC.ClusterRoles("")
+	roleCli := m.clusterRoles
 
 	cr := &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
  • pkg/controllers/managementuser/rbac/namespace_handler_test.go+138 31 modified
    @@ -6,11 +6,13 @@ import (
 
 	"github.com/rancher/rancher/pkg/apis/management.cattle.io"
 	apisV3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	"github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
-	"github.com/rancher/rancher/pkg/types/config"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	v1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -177,31 +179,6 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 				},
 				err: test.indexerError,
 			}
-			fakeRBACInterface := &fakeRBAC{
-				clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-					CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-						newRoles = append(newRoles, in)
-						if test.createError != nil {
-							return nil, test.createError
-						}
-						return in, nil
-					},
-					UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-						newRoles = append(newRoles, in)
-						if test.updateError != nil {
-							return nil, test.updateError
-						}
-						return in, nil
-					},
-					DeleteFunc: func(name string, options *metav1.DeleteOptions) error {
-						deletedRoleNames = append(deletedRoleNames, name)
-						if test.deleteError != nil {
-							return test.deleteError
-						}
-						return nil
-					},
-				},
-			}
 			fakeLister := &fakes.ClusterRoleListerMock{
 				GetFunc: func(namespace string, name string) (*rbacv1.ClusterRole, error) {
 					if test.getError != nil {
@@ -218,13 +195,34 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 					}, name)
 				},
 			}
+			fakeClusterRoles := &fakes.ClusterRoleInterfaceMock{
+				CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+					newRoles = append(newRoles, in)
+					if test.createError != nil {
+						return nil, test.createError
+					}
+					return in, nil
+				},
+				UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+					newRoles = append(newRoles, in)
+					if test.updateError != nil {
+						return nil, test.updateError
+					}
+					return in, nil
+				},
+				DeleteFunc: func(name string, options *metav1.DeleteOptions) error {
+					deletedRoleNames = append(deletedRoleNames, name)
+					if test.deleteError != nil {
+						return test.deleteError
+					}
+					return nil
+				},
+			}
 			lifecycle := nsLifecycle{
 				m: &manager{
-					workload: &config.UserContext{
-						RBAC: fakeRBACInterface,
-					},
-					crLister:  fakeLister,
-					crIndexer: &indexer,
+					crLister:     fakeLister,
+					crIndexer:    &indexer,
+					clusterRoles: fakeClusterRoles,
 				},
 			}
 			err := lifecycle.reconcileNamespaceProjectClusterRole(&corev1.Namespace{
@@ -253,6 +251,115 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 
 }
 
+func TestCreateProjectNSRole(t *testing.T) {
+	t.Parallel()
+	crs := make(map[string]*v1.ClusterRole)
+	m := setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+	type testCase struct {
+		description   string
+		verb          string
+		namespace     string
+		projectName   string
+		startingCR    *v1.ClusterRole
+		expectedCR    *v1.ClusterRole
+		isErrExpected bool
+		expectedErr   string
+	}
+	testCases := []testCase{
+		{
+			description: "create get role",
+			verb:        "get",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-readonly",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-readonly",
+					},
+				},
+			},
+		},
+		{
+			description: "create edit role",
+			verb:        "*",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+		},
+		{
+			description: "do not change role if already exists and return AlreadyExists error",
+			verb:        "*",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+			startingCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+			isErrExpected: true,
+			expectedErr:   "roletemplates.management.cattle.io \"p-123xyz-namespaces-edit\" already exists",
+		},
+	}
+	for _, test := range testCases {
+		if test.startingCR != nil {
+			crs[test.startingCR.Name] = test.startingCR
+		}
+		err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, test.projectName, projectNSVerbToSuffix[test.verb]), test.verb, test.namespace, test.projectName)
+		if test.isErrExpected {
+			assert.NotNil(t, err, test.description)
+		} else {
+			assert.Nil(t, err)
+		}
+		assert.Equal(t, test.expectedCR, crs[test.expectedCR.Name], test.description)
+		delete(crs, test.expectedCR.Name)
+	}
+	m = setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{createError: errors.NewInternalError(fmt.Errorf("some error"))}, clientErrs{}, clientErrs{})
+	description := "test should return non-AlreadyExists error"
+	err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, "p-123xyz", "edit"), "*", "", "p-123xyz")
+	assert.NotNil(t, err, description)
+	assert.Equal(t, "Internal error occurred: some error", err.Error(), description)
+}
+
 func createClusterRoleForProject(projectName string, namespace string, verb string) *rbacv1.ClusterRole {
 	cr := createBaseClusterRoleForProject(projectName, verb)
 	return addNamespaceToClusterRole(namespace, verb, cr)
  • pkg/controllers/managementuser/rbac/project_handler_test.go+14 25 modified
    @@ -7,7 +7,6 @@ import (
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	v1 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1"
 	"github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
-	"github.com/rancher/rancher/pkg/types/config"
 	"github.com/stretchr/testify/assert"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
@@ -103,17 +102,13 @@ func TestCreate(t *testing.T) {
 							}, name)
 						},
 					},
-					workload: &config.UserContext{
-						RBAC: &fakeRBAC{
-							clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-								CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-									newCRs = append(newCRs, in)
-									if test.createErr != nil {
-										return nil, test.createErr
-									}
-									return in, nil
-								},
-							},
+					clusterRoles: &fakes.ClusterRoleInterfaceMock{
+						CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+							newCRs = append(newCRs, in)
+							if test.createErr != nil {
+								return nil, test.createErr
+							}
+							return in, nil
 						},
 					},
 				},
@@ -288,6 +283,13 @@ func TestUpdated(t *testing.T) {
 						},
 					},
 					clusterRoles: &fakes.ClusterRoleInterfaceMock{
+						CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+							newCRs = append(newCRs, in)
+							if test.createError != nil {
+								return nil, test.createError
+							}
+							return in, nil
+						},
 						UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
 							newCRs = append(newCRs, in)
 							if test.updError != nil {
@@ -296,19 +298,6 @@ func TestUpdated(t *testing.T) {
 							return in, nil
 						},
 					},
-					workload: &config.UserContext{
-						RBAC: &fakeRBAC{
-							clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-								CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-									newCRs = append(newCRs, in)
-									if test.createError != nil {
-										return nil, test.createError
-									}
-									return in, nil
-								},
-							},
-						},
-					},
 				},
 			}
 			_, err := lifecycle.Updated(project)
  • pkg/controllers/managementuser/rbac/prtb_handler.go+15 2 modified
    @@ -3,6 +3,7 @@ package rbac
 import (
 	"reflect"
 	"sort"
+	"strings"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/pkg/errors"
@@ -161,7 +162,11 @@ func (p *prtbLifecycle) ensurePRTBDelete(binding *v3.ProjectRoleTemplateBinding)
 }
 
 func (p *prtbLifecycle) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) error {
-	_, err := p.m.reconcileProjectAccessToGlobalResources(binding, rts)
+	roles, err := p.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(binding.ProjectName), rts)
+	if err != nil {
+		return err
+	}
+	_, err = p.m.reconcileProjectAccessToGlobalResources(binding, roles)
 	if err != nil {
 		return err
 	}
@@ -277,7 +282,7 @@ func (m *manager) checkForGlobalResourceRules(role *v3.RoleTemplate, resource st
 
 // Ensure the clusterRole used to grant access of global resources to users/groups in projects has appropriate rules for the given resource and verbs
 func (m *manager) reconcileRoleForProjectAccessToGlobalResource(resource string, rt *v3.RoleTemplate, newVerbs map[string]bool, baseRule rbacv1.PolicyRule) (string, error) {
-	clusterRoles := m.workload.RBAC.ClusterRoles("")
+	clusterRoles := m.clusterRoles
 	roleName := rt.Name + "-promoted"
 	if role, err := m.crLister.Get("", roleName); err == nil && role != nil {
 		currentVerbs := map[string]bool{}
@@ -465,3 +470,11 @@ func (p *prtbLifecycle) reconcilePRTBUserClusterLabels(binding *v3.ProjectRoleTe
 	})
 	return retryErr
 }
+
+func parseProjectName(id string) string {
+	parts := strings.SplitN(id, ":", 2)
+	if len(parts) != 2 || len(parts[1]) == 0 {
+		return ""
+	}
+	return parts[1]
+}
  • pkg/controllers/managementuser/rbac/reconcile_roletemplate.go+60 57 modified
    @@ -2,7 +2,6 @@ package rbac
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/rancher/norman/types/slice"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
@@ -13,68 +12,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) (map[string]bool, error) {
-	var role string
-	var createNSPerms bool
-	var roles []string
-	if parts := strings.SplitN(binding.ProjectName, ":", 2); len(parts) == 2 && len(parts[1]) > 0 {
-		projectName := parts[1]
-		var roleVerb, roleSuffix string
-		for _, r := range rts {
-			for _, rule := range r.Rules {
-				if slice.ContainsString(rule.Resources, "namespaces") && len(rule.ResourceNames) == 0 {
-					if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") {
-						roleVerb = "*"
-						createNSPerms = true
-						break
-					}
-				}
-
-			}
-		}
-		if roleVerb == "" {
-			roleVerb = "get"
-		}
-		roleSuffix = projectNSVerbToSuffix[roleVerb]
-		role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix)
-		roles = append(roles, role)
-
-		for _, rt := range rts {
-			for resource, baseRule := range globalResourceRulesNeededInProjects {
-				verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule)
-				if err != nil {
-					return nil, err
-				}
-				if len(verbs) > 0 {
-					roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule)
-					if err != nil {
-						return nil, err
-					}
-					roles = append(roles, roleName)
-				}
-			}
-		}
-	}
-
+func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, roles []string) (map[string]bool, error) {
 	if len(roles) == 0 {
 		return nil, nil
 	}
 
 	bindingCli := m.workload.RBAC.ClusterRoleBindings("")
 
-	if createNSPerms {
-		roles = append(roles, "create-ns")
-		if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil {
-			createNSRT, err := m.rtLister.Get("", "create-ns")
-			if err != nil {
-				return nil, err
-			}
-			if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) {
-				return nil, err
-			}
-		}
-	}
-
 	rtbUID := binding.Namespace + "_" + binding.Name
 	subject, err := pkgrbac.BuildSubjectFromRTB(binding)
 	if err != nil {
@@ -147,3 +91,62 @@ func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRol
 
 	return crbsToKeep, nil
 }
+
+// EnsureGlobalResourcesRolesForPRTB ensures that all necessary roles exist and contain the rules needed to
+// enforce permissions described by RoleTemplate rules. A slice of strings indicating role names is returned.
+func (m *manager) ensureGlobalResourcesRolesForPRTB(projectName string, rts map[string]*v3.RoleTemplate) ([]string, error) {
+	var role string
+	var roles []string
+
+	if projectName == "" {
+		return nil, nil
+	}
+
+	var roleVerb, roleSuffix string
+	for _, r := range rts {
+		for _, rule := range r.Rules {
+			hasNamespaceResources := slice.ContainsString(rule.Resources, "namespaces") || slice.ContainsString(rule.Resources, "*")
+			hasNamespaceGroup := slice.ContainsString(rule.APIGroups, "") || slice.ContainsString(rule.APIGroups, "*")
+			if hasNamespaceGroup && hasNamespaceResources && len(rule.ResourceNames) == 0 {
+				if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") {
+					roleVerb = "*"
+					roles = append(roles, "create-ns")
+					if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil {
+						createNSRT, err := m.rtLister.Get("", "create-ns")
+						if err != nil {
+							return nil, err
+						}
+						if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) {
+							return nil, err
+						}
+					}
+					break
+				}
+			}
+
+		}
+	}
+	if roleVerb == "" {
+		roleVerb = "get"
+	}
+	roleSuffix = projectNSVerbToSuffix[roleVerb]
+	role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix)
+	roles = append(roles, role)
+
+	for _, rt := range rts {
+		for resource, baseRule := range globalResourceRulesNeededInProjects {
+			verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule)
+			if err != nil {
+				return nil, err
+			}
+			if len(verbs) > 0 {
+				roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule)
+				if err != nil {
+					return nil, err
+				}
+				roles = append(roles, roleName)
+			}
+		}
+	}
+	return roles, nil
+}
  • pkg/controllers/managementuser/rbac/reconcile_roletemplate_test.go+255 0 added
    @@ -0,0 +1,255 @@
+package rbac
+
+import (
+	"testing"
+
+	"github.com/pkg/errors"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+
+	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestEnsureGlobalResourcesRolesForPRTB(t *testing.T) {
+	t.Parallel()
+	m := setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+	type testCase struct {
+		description   string
+		projectName   string
+		roleTemplates map[string]*v3.RoleTemplate
+		expectedRoles []string
+		isErrExpected bool
+	}
+	testCases := []testCase{
+		{
+			description:   "global resource rule should grant namespace read",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt1": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt1",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{""},
+							Resources: []string{"configmaps"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace create rule should grant create-ns and a namespaces-edit role",
+			projectName:   "testproject",
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt2": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt2",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"create"},
+							APIGroups: []string{""},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace create rule for other API group should grant namespaces-read role only",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt3": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt3",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"create"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace * rule for other API group should grant namespaces-read role only",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt4": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt4",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "global resource rule result in promoted role returned",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly", "testrt5-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt5": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt5",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"catalog.cattle.io"},
+							Resources: []string{"clusterrepos"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "empty project name will result in no roles returned",
+			projectName:   "",
+			expectedRoles: nil,
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt6": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt6",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"catalog.cattle.io"},
+							Resources: []string{"clusterrepos"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "* resources and non-core APIGroup should only result in namespace-readonly role",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt7": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt7",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "* resources and * APIGroup should only result in namespace-readonly and promoted role",
+			projectName: "testproject",
+			// at the time of adding these tests ensureGlobalResourceRoleForPRTB returns duplicate promoted roles
+			// names per applicable rule found in globalResourceRulesNeededInProjects. This is not incompatible with
+			// current reconcile logic but should be fixed in the future.
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt8": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt8",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"*"},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "* resources and core (\"\") APIGroup should only result in namespace-readonly and promoted role",
+			projectName:   "testproject",
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt9-promoted", "testrt9-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt9": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt9",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{""},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.description, func(t *testing.T) {
+			t.Parallel()
+			roles, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+			assert.Nil(t, err)
+			assert.Equal(t, test.expectedRoles, roles, test.description)
+		})
+	}
+
+	test := testCase{
+		projectName:   "testproject",
+		expectedRoles: []string{"create-ns", "testproject-namespaces-edit"},
+		roleTemplates: map[string]*v3.RoleTemplate{
+			"testrt": {
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "testrt",
+				},
+				Rules: []v1.PolicyRule{
+					{
+						Verbs:     []string{"create"},
+						APIGroups: []string{""},
+						Resources: []string{"namespaces"},
+					},
+				},
+			},
+		},
+	}
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{getError: errNotFound}, clientErrs{})
+	test1 := test
+	test1.description = "error return when RoleTemplate client returns error"
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{createError: errAlreadyExist})
+	test2 := test
+	test2.description = "error return when Role client returns error"
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{getError: apierrors.NewInternalError(errors.New("error"))}, clientErrs{}, clientErrs{})
+	test3 := test
+	test3.description = "error return when ClusterRole client returns error and RoleTemplate is external"
+	test3.roleTemplates["testrt"].External = true
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+}
  • pkg/controllers/managementuser/rbac/roletemplate_handler.go+10 6 modified
    @@ -54,18 +54,18 @@ func (c *rtSync) sync(key string, obj *v3.RoleTemplate) (runtime.Object, error)
 }
 
 func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []interface{}, crtbs []interface{}) error {
-	roles := map[string]*v3.RoleTemplate{}
-	if err := c.m.gatherRoles(template, roles, 0); err != nil {
+	roleTemplates := map[string]*v3.RoleTemplate{}
+	if err := c.m.gatherRoles(template, roleTemplates, 0); err != nil {
 		return err
 	}
 
-	if err := c.m.ensureRoles(roles); err != nil {
+	if err := c.m.ensureRoles(roleTemplates); err != nil {
 		return errors.Wrapf(err, "couldn't ensure roles")
 	}
 
 	rolesToKeep := make(map[string]bool)
 	if usedInProjects {
-		for _, rt := range roles {
+		for _, rt := range roleTemplates {
 			for resource, baseRule := range globalResourceRulesNeededInProjects {
 				verbs, err := c.m.checkForGlobalResourceRules(rt, resource, baseRule)
 				if err != nil {
@@ -88,6 +88,10 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 			continue
 		}
 
+		roles, err := c.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(prtb.ProjectName), roleTemplates)
+		if err != nil {
+			return err
+		}
 		crbsToKeep, err := c.m.reconcileProjectAccessToGlobalResources(prtb, roles)
 		if err != nil {
 			return err
@@ -117,7 +121,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 			if !ns.DeletionTimestamp.IsZero() {
 				continue
 			}
-			if err := c.m.ensureProjectRoleBindings(ns.Name, roles, prtb); err != nil {
+			if err := c.m.ensureProjectRoleBindings(ns.Name, roleTemplates, prtb); err != nil {
 				return errors.Wrapf(err, "couldn't ensure binding %v in %v", prtb.Name, ns.Name)
 			}
 		}
@@ -128,7 +132,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 		if !ok {
 			continue
 		}
-		if err := c.m.ensureClusterBindings(roles, crtb); err != nil {
+		if err := c.m.ensureClusterBindings(roleTemplates, crtb); err != nil {
 			return err
 		}
 	}
  • pkg/generated/clientset/versioned/clientset.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/fake/clientset_generated.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/fake/register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/scheme/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/scheme/register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/catalog.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/clusterrepo.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_catalog.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_clusterrepo.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_operation.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/operation.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/fake/fake_cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/fake/fake_provisioning.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/provisioning.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/custommachine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/etcdsnapshot.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_custommachine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_etcdsnapshot.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkebootstrap.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkebootstraptemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rke.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkecluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkecontrolplane.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkebootstrap.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkebootstraptemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rke.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkecluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkecontrolplane.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/fake/fake_plan.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/fake/fake_upgrade.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/plan.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/upgrade.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/clusterrepo.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/operation.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/v3/clusterauthtoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/v3/clusteruserattribute.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/v3/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/machinedeployment.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/machine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/machineset.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/v1alpha1/bundle.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/v1alpha1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/v1alpha1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/activedirectoryprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/apiservice.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/authconfig.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/authprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/authtoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/azureadprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/catalog.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/catalogtemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/catalogtemplateversion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/cisbenchmarkversion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/cisconfig.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/cloudcredential.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusteralert.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusteralertgroup.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusteralertrule.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustercatalog.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusterlogging.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustermonitorgraph.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusterregistrationtoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusterroletemplatebinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusterscan.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustertemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustertemplaterevision.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/composeconfig.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/dynamicschema.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/etcdbackup.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/feature.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/fleetworkspace.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/freeipaprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/githubprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globaldns.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globaldnsprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globalrolebinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globalrole.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/googleoauthprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/group.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/groupmember.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/kontainerdriver.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/localprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/managedchart.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/monitormetric.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/multiclusterapp.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/multiclusterapprevision.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/nodedriver.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/node.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/nodepool.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/nodetemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/notifier.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/oidcprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/openldapprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/podsecuritypolicytemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/podsecuritypolicytemplateprojectbinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/preference.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/principal.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectalert.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectalertgroup.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectalertrule.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectcatalog.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/project.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectlogging.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectmonitorgraph.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectnetworkpolicy.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectroletemplatebinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rancherusernotification.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rkeaddon.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rkek8sserviceoption.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rkek8ssystemimage.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/roletemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/samlprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/samltoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/setting.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/templatecontent.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/template.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/templateversion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/token.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/userattribute.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/user.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/apprevision.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/basicauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/certificate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/dockercredential.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedbasicauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedcertificate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespaceddockercredential.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedserviceaccounttoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedsshauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/pipelineexecution.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/pipeline.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/pipelinesetting.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/serviceaccounttoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/sourcecodecredential.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/sourcecodeproviderconfig.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/sourcecodeprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/sourcecoderepository.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/sshauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/workload.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/v1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/custommachine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/etcdsnapshot.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkebootstrap.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkebootstraptemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkecluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkecontrolplane.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/v1/navlink.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/v1/plan.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/settings/setting.go+1 1 modified
    @@ -85,7 +85,7 @@ var (
 	WhitelistDomain                     = NewSetting("whitelist-domain", "forums.rancher.com")
 	WhitelistEnvironmentVars            = NewSetting("whitelist-envvars", "HTTP_PROXY,HTTPS_PROXY,NO_PROXY")
 	AuthUserInfoResyncCron              = NewSetting("auth-user-info-resync-cron", "0 0 * * *")
-	APIUIVersion                        = NewSetting("api-ui-version", "1.1.10")              // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here.
+	APIUIVersion                        = NewSetting("api-ui-version", "1.1.11")              // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here.
 	RotateCertsIfExpiringInDays         = NewSetting("rotate-certs-if-expiring-in-days", "7") // 7 days
 	ClusterTemplateEnforcement          = NewSetting("cluster-template-enforcement", "false")
 	InitialDockerRootDir                = NewSetting("initial-docker-root-dir", "/var/lib/docker")
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_aci_network_provider.go+209 149 modified
    @@ -1,156 +1,216 @@
 package client
 
 const (
-	AciNetworkProviderType                                   = "aciNetworkProvider"
-	AciNetworkProviderFieldAEP                               = "aep"
-	AciNetworkProviderFieldApicHosts                         = "apicHosts"
-	AciNetworkProviderFieldApicRefreshTickerAdjust           = "apicRefreshTickerAdjust"
-	AciNetworkProviderFieldApicRefreshTime                   = "apicRefreshTime"
-	AciNetworkProviderFieldApicSubscriptionDelay             = "apicSubscriptionDelay"
-	AciNetworkProviderFieldApicUserCrt                       = "apicUserCrt"
-	AciNetworkProviderFieldApicUserKey                       = "apicUserKey"
-	AciNetworkProviderFieldApicUserName                      = "apicUserName"
-	AciNetworkProviderFieldCApic                             = "capic"
-	AciNetworkProviderFieldControllerLogLevel                = "controllerLogLevel"
-	AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync = "disablePeriodicSnatGlobalInfoSync"
-	AciNetworkProviderFieldDisableWaitForNetwork             = "disableWaitForNetwork"
-	AciNetworkProviderFieldDropLogEnable                     = "dropLogEnable"
-	AciNetworkProviderFieldDurationWaitForNetwork            = "durationWaitForNetwork"
-	AciNetworkProviderFieldDynamicExternalSubnet             = "externDynamic"
-	AciNetworkProviderFieldEnableEndpointSlice               = "enableEndpointSlice"
-	AciNetworkProviderFieldEncapType                         = "encapType"
-	AciNetworkProviderFieldEpRegistry                        = "epRegistry"
-	AciNetworkProviderFieldGbpPodSubnet                      = "gbpPodSubnet"
-	AciNetworkProviderFieldHostAgentLogLevel                 = "hostAgentLogLevel"
-	AciNetworkProviderFieldImagePullPolicy                   = "imagePullPolicy"
-	AciNetworkProviderFieldImagePullSecret                   = "imagePullSecret"
-	AciNetworkProviderFieldInfraVlan                         = "infraVlan"
-	AciNetworkProviderFieldInstallIstio                      = "installIstio"
-	AciNetworkProviderFieldIstioProfile                      = "istioProfile"
-	AciNetworkProviderFieldKafkaBrokers                      = "kafkaBrokers"
-	AciNetworkProviderFieldKafkaClientCrt                    = "kafkaClientCrt"
-	AciNetworkProviderFieldKafkaClientKey                    = "kafkaClientKey"
-	AciNetworkProviderFieldKubeAPIVlan                       = "kubeApiVlan"
-	AciNetworkProviderFieldL3Out                             = "l3out"
-	AciNetworkProviderFieldL3OutExternalNetworks             = "l3outExternalNetworks"
-	AciNetworkProviderFieldMTUHeadRoom                       = "mtuHeadRoom"
-	AciNetworkProviderFieldMaxNodesSvcGraph                  = "maxNodesSvcGraph"
-	AciNetworkProviderFieldMcastRangeEnd                     = "mcastRangeEnd"
-	AciNetworkProviderFieldMcastRangeStart                   = "mcastRangeStart"
-	AciNetworkProviderFieldMultusDisable                     = "multusDisable"
-	AciNetworkProviderFieldNoPriorityClass                   = "noPriorityClass"
-	AciNetworkProviderFieldNodePodIfEnable                   = "nodePodIfEnable"
-	AciNetworkProviderFieldNodeSubnet                        = "nodeSubnet"
-	AciNetworkProviderFieldOVSMemoryLimit                    = "ovsMemoryLimit"
-	AciNetworkProviderFieldOpflexAgentLogLevel               = "opflexLogLevel"
-	AciNetworkProviderFieldOpflexClientSSL                   = "opflexClientSsl"
-	AciNetworkProviderFieldOpflexDeviceDeleteTimeout         = "opflexDeviceDeleteTimeout"
-	AciNetworkProviderFieldOpflexMode                        = "opflexMode"
-	AciNetworkProviderFieldOpflexServerPort                  = "opflexServerPort"
-	AciNetworkProviderFieldOverlayVRFName                    = "overlayVrfName"
-	AciNetworkProviderFieldPBRTrackingNonSnat                = "pbrTrackingNonSnat"
-	AciNetworkProviderFieldPodSubnetChunkSize                = "podSubnetChunkSize"
-	AciNetworkProviderFieldRunGbpContainer                   = "runGbpContainer"
-	AciNetworkProviderFieldRunOpflexServerContainer          = "runOpflexServerContainer"
-	AciNetworkProviderFieldServiceGraphSubnet                = "nodeSvcSubnet"
-	AciNetworkProviderFieldServiceMonitorInterval            = "serviceMonitorInterval"
-	AciNetworkProviderFieldServiceVlan                       = "serviceVlan"
-	AciNetworkProviderFieldSnatContractScope                 = "snatContractScope"
-	AciNetworkProviderFieldSnatNamespace                     = "snatNamespace"
-	AciNetworkProviderFieldSnatPortRangeEnd                  = "snatPortRangeEnd"
-	AciNetworkProviderFieldSnatPortRangeStart                = "snatPortRangeStart"
-	AciNetworkProviderFieldSnatPortsPerNode                  = "snatPortsPerNode"
-	AciNetworkProviderFieldSriovEnable                       = "sriovEnable"
-	AciNetworkProviderFieldStaticExternalSubnet              = "externStatic"
-	AciNetworkProviderFieldSubnetDomainName                  = "subnetDomainName"
-	AciNetworkProviderFieldSystemIdentifier                  = "systemId"
-	AciNetworkProviderFieldTenant                            = "tenant"
-	AciNetworkProviderFieldToken                             = "token"
-	AciNetworkProviderFieldUseAciAnywhereCRD                 = "useAciAnywhereCrd"
-	AciNetworkProviderFieldUseAciCniPriorityClass            = "useAciCniPriorityClass"
-	AciNetworkProviderFieldUseClusterRole                    = "useClusterRole"
-	AciNetworkProviderFieldUseHostNetnsVolume                = "useHostNetnsVolume"
-	AciNetworkProviderFieldUseOpflexServerVolume             = "useOpflexServerVolume"
-	AciNetworkProviderFieldUsePrivilegedContainer            = "usePrivilegedContainer"
-	AciNetworkProviderFieldVRFName                           = "vrfName"
-	AciNetworkProviderFieldVRFTenant                         = "vrfTenant"
-	AciNetworkProviderFieldVmmController                     = "vmmController"
-	AciNetworkProviderFieldVmmDomain                         = "vmmDomain"
+	AciNetworkProviderType                                      = "aciNetworkProvider"
+	AciNetworkProviderFieldAEP                                  = "aep"
+	AciNetworkProviderFieldAccProvisionOperatorMemoryLimit      = "accProvisionOperatorMemoryLimit"
+	AciNetworkProviderFieldAccProvisionOperatorMemoryRequest    = "accProvisionOperatorMemoryRequest"
+	AciNetworkProviderFieldAciContainersControllerMemoryLimit   = "aciContainersControllerMemoryLimit"
+	AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest"
+	AciNetworkProviderFieldAciContainersHostMemoryLimit         = "aciContainersHostMemoryLimit"
+	AciNetworkProviderFieldAciContainersHostMemoryRequest       = "aciContainersHostMemoryRequest"
+	AciNetworkProviderFieldAciContainersMemoryLimit             = "aciContainersMemoryLimit"
+	AciNetworkProviderFieldAciContainersMemoryRequest           = "aciContainersMemoryRequest"
+	AciNetworkProviderFieldAciContainersOperatorMemoryLimit     = "aciContainersOperatorMemoryLimit"
+	AciNetworkProviderFieldAciContainersOperatorMemoryRequest   = "aciContainersOperatorMemoryRequest"
+	AciNetworkProviderFieldAciMultipod                          = "aciMultipod"
+	AciNetworkProviderFieldAciMultipodUbuntu                    = "aciMultipodUbuntu"
+	AciNetworkProviderFieldAddExternalSubnetsToRdconfig         = "addExternalSubnetsToRdconfig"
+	AciNetworkProviderFieldApicHosts                            = "apicHosts"
+	AciNetworkProviderFieldApicRefreshTickerAdjust              = "apicRefreshTickerAdjust"
+	AciNetworkProviderFieldApicRefreshTime                      = "apicRefreshTime"
+	AciNetworkProviderFieldApicSubscriptionDelay                = "apicSubscriptionDelay"
+	AciNetworkProviderFieldApicUserCrt                          = "apicUserCrt"
+	AciNetworkProviderFieldApicUserKey                          = "apicUserKey"
+	AciNetworkProviderFieldApicUserName                         = "apicUserName"
+	AciNetworkProviderFieldCApic                                = "capic"
+	AciNetworkProviderFieldControllerLogLevel                   = "controllerLogLevel"
+	AciNetworkProviderFieldDhcpDelay                            = "dhcpDelay"
+	AciNetworkProviderFieldDhcpRenewMaxRetryCount               = "dhcpRenewMaxRetryCount"
+	AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync    = "disablePeriodicSnatGlobalInfoSync"
+	AciNetworkProviderFieldDisableWaitForNetwork                = "disableWaitForNetwork"
+	AciNetworkProviderFieldDropLogEnable                        = "dropLogEnable"
+	AciNetworkProviderFieldDurationWaitForNetwork               = "durationWaitForNetwork"
+	AciNetworkProviderFieldDynamicExternalSubnet                = "externDynamic"
+	AciNetworkProviderFieldEnableEndpointSlice                  = "enableEndpointSlice"
+	AciNetworkProviderFieldEncapType                            = "encapType"
+	AciNetworkProviderFieldEpRegistry                           = "epRegistry"
+	AciNetworkProviderFieldGbpPodSubnet                         = "gbpPodSubnet"
+	AciNetworkProviderFieldHostAgentLogLevel                    = "hostAgentLogLevel"
+	AciNetworkProviderFieldHppOptimization                      = "hppOptimization"
+	AciNetworkProviderFieldImagePullPolicy                      = "imagePullPolicy"
+	AciNetworkProviderFieldImagePullSecret                      = "imagePullSecret"
+	AciNetworkProviderFieldInfraVlan                            = "infraVlan"
+	AciNetworkProviderFieldInstallIstio                         = "installIstio"
+	AciNetworkProviderFieldIstioProfile                         = "istioProfile"
+	AciNetworkProviderFieldKafkaBrokers                         = "kafkaBrokers"
+	AciNetworkProviderFieldKafkaClientCrt                       = "kafkaClientCrt"
+	AciNetworkProviderFieldKafkaClientKey                       = "kafkaClientKey"
+	AciNetworkProviderFieldKubeAPIVlan                          = "kubeApiVlan"
+	AciNetworkProviderFieldL3Out                                = "l3out"
+	AciNetworkProviderFieldL3OutExternalNetworks                = "l3outExternalNetworks"
+	AciNetworkProviderFieldMTUHeadRoom                          = "mtuHeadRoom"
+	AciNetworkProviderFieldMaxNodesSvcGraph                     = "maxNodesSvcGraph"
+	AciNetworkProviderFieldMcastDaemonMemoryLimit               = "mcastDaemonMemoryLimit"
+	AciNetworkProviderFieldMcastDaemonMemoryRequest             = "mcastDaemonMemoryRequest"
+	AciNetworkProviderFieldMcastRangeEnd                        = "mcastRangeEnd"
+	AciNetworkProviderFieldMcastRangeStart                      = "mcastRangeStart"
+	AciNetworkProviderFieldMultusDisable                        = "multusDisable"
+	AciNetworkProviderFieldNoPriorityClass                      = "noPriorityClass"
+	AciNetworkProviderFieldNoWaitForServiceEpReadiness          = "noWaitForServiceEpReadiness"
+	AciNetworkProviderFieldNodePodIfEnable                      = "nodePodIfEnable"
+	AciNetworkProviderFieldNodeSubnet                           = "nodeSubnet"
+	AciNetworkProviderFieldOVSMemoryLimit                       = "ovsMemoryLimit"
+	AciNetworkProviderFieldOVSMemoryRequest                     = "ovsMemoryRequest"
+	AciNetworkProviderFieldOpflexAgentLogLevel                  = "opflexLogLevel"
+	AciNetworkProviderFieldOpflexAgentMemoryLimit               = "opflexAgentMemoryLimit"
+	AciNetworkProviderFieldOpflexAgentMemoryRequest             = "opflexAgentMemoryRequest"
+	AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled    = "opflexAgentOpflexAsyncjsonEnabled"
+	AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled       = "opflexAgentOvsAsyncjsonEnabled"
+	AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer     = "opflexAgentPolicyRetryDelayTimer"
+	AciNetworkProviderFieldOpflexClientSSL                      = "opflexClientSsl"
+	AciNetworkProviderFieldOpflexDeviceDeleteTimeout            = "opflexDeviceDeleteTimeout"
+	AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout     = "opflexDeviceReconnectWaitTimeout"
+	AciNetworkProviderFieldOpflexMode                           = "opflexMode"
+	AciNetworkProviderFieldOpflexServerPort                     = "opflexServerPort"
+	AciNetworkProviderFieldOverlayVRFName                       = "overlayVrfName"
+	AciNetworkProviderFieldPBRTrackingNonSnat                   = "pbrTrackingNonSnat"
+	AciNetworkProviderFieldPodSubnetChunkSize                   = "podSubnetChunkSize"
+	AciNetworkProviderFieldRunGbpContainer                      = "runGbpContainer"
+	AciNetworkProviderFieldRunOpflexServerContainer             = "runOpflexServerContainer"
+	AciNetworkProviderFieldServiceGraphEndpointAddDelay         = "serviceGraphEndpointAddDelay"
+	AciNetworkProviderFieldServiceGraphEndpointAddServices      = "serviceGraphEndpointAddServices"
+	AciNetworkProviderFieldServiceGraphSubnet                   = "nodeSvcSubnet"
+	AciNetworkProviderFieldServiceMonitorInterval               = "serviceMonitorInterval"
+	AciNetworkProviderFieldServiceVlan                          = "serviceVlan"
+	AciNetworkProviderFieldSleepTimeSnatGlobalInfoSync          = "sleepTimeSnatGlobalInfoSync"
+	AciNetworkProviderFieldSnatContractScope                    = "snatContractScope"
+	AciNetworkProviderFieldSnatNamespace                        = "snatNamespace"
+	AciNetworkProviderFieldSnatPortRangeEnd                     = "snatPortRangeEnd"
+	AciNetworkProviderFieldSnatPortRangeStart                   = "snatPortRangeStart"
+	AciNetworkProviderFieldSnatPortsPerNode                     = "snatPortsPerNode"
+	AciNetworkProviderFieldSriovEnable                          = "sriovEnable"
+	AciNetworkProviderFieldStaticExternalSubnet                 = "externStatic"
+	AciNetworkProviderFieldSubnetDomainName                     = "subnetDomainName"
+	AciNetworkProviderFieldSystemIdentifier                     = "systemId"
+	AciNetworkProviderFieldTenant                               = "tenant"
+	AciNetworkProviderFieldToken                                = "token"
+	AciNetworkProviderFieldUseAciAnywhereCRD                    = "useAciAnywhereCrd"
+	AciNetworkProviderFieldUseAciCniPriorityClass               = "useAciCniPriorityClass"
+	AciNetworkProviderFieldUseClusterRole                       = "useClusterRole"
+	AciNetworkProviderFieldUseHostNetnsVolume                   = "useHostNetnsVolume"
+	AciNetworkProviderFieldUseOpflexServerVolume                = "useOpflexServerVolume"
+	AciNetworkProviderFieldUsePrivilegedContainer               = "usePrivilegedContainer"
+	AciNetworkProviderFieldUseSystemNodePriorityClass           = "useSystemNodePriorityClass"
+	AciNetworkProviderFieldVRFName                              = "vrfName"
+	AciNetworkProviderFieldVRFTenant                            = "vrfTenant"
+	AciNetworkProviderFieldVmmController                        = "vmmController"
+	AciNetworkProviderFieldVmmDomain                            = "vmmDomain"
 )
 
 type AciNetworkProvider struct {
-	AEP                               string   `json:"aep,omitempty" yaml:"aep,omitempty"`
-	ApicHosts                         []string `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
-	ApicRefreshTickerAdjust           string   `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
-	ApicRefreshTime                   string   `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"`
-	ApicSubscriptionDelay             string   `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"`
-	ApicUserCrt                       string   `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"`
-	ApicUserKey                       string   `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"`
-	ApicUserName                      string   `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"`
-	CApic                             string   `json:"capic,omitempty" yaml:"capic,omitempty"`
-	ControllerLogLevel                string   `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"`
-	DisablePeriodicSnatGlobalInfoSync string   `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"`
-	DisableWaitForNetwork             string   `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"`
-	DropLogEnable                     string   `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"`
-	DurationWaitForNetwork            string   `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
-	DynamicExternalSubnet             string   `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
-	EnableEndpointSlice               string   `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
-	EncapType                         string   `json:"encapType,omitempty" yaml:"encapType,omitempty"`
-	EpRegistry                        string   `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
-	GbpPodSubnet                      string   `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
-	HostAgentLogLevel                 string   `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"`
-	ImagePullPolicy                   string   `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"`
-	ImagePullSecret                   string   `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"`
-	InfraVlan                         string   `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"`
-	InstallIstio                      string   `json:"installIstio,omitempty" yaml:"installIstio,omitempty"`
-	IstioProfile                      string   `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"`
-	KafkaBrokers                      []string `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"`
-	KafkaClientCrt                    string   `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"`
-	KafkaClientKey                    string   `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"`
-	KubeAPIVlan                       string   `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"`
-	L3Out                             string   `json:"l3out,omitempty" yaml:"l3out,omitempty"`
-	L3OutExternalNetworks             []string `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"`
-	MTUHeadRoom                       string   `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"`
-	MaxNodesSvcGraph                  string   `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"`
-	McastRangeEnd                     string   `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"`
-	McastRangeStart                   string   `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"`
-	MultusDisable                     string   `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"`
-	NoPriorityClass                   string   `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
-	NodePodIfEnable                   string   `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
-	NodeSubnet                        string   `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
-	OVSMemoryLimit                    string   `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
-	OpflexAgentLogLevel               string   `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"`
-	OpflexClientSSL                   string   `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
-	OpflexDeviceDeleteTimeout         string   `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
-	OpflexMode                        string   `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
-	OpflexServerPort                  string   `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
-	OverlayVRFName                    string   `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
-	PBRTrackingNonSnat                string   `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
-	PodSubnetChunkSize                string   `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"`
-	RunGbpContainer                   string   `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"`
-	RunOpflexServerContainer          string   `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"`
-	ServiceGraphSubnet                string   `json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"`
-	ServiceMonitorInterval            string   `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"`
-	ServiceVlan                       string   `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"`
-	SnatContractScope                 string   `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"`
-	SnatNamespace                     string   `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"`
-	SnatPortRangeEnd                  string   `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"`
-	SnatPortRangeStart                string   `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"`
-	SnatPortsPerNode                  string   `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"`
-	SriovEnable                       string   `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"`
-	StaticExternalSubnet              string   `json:"externStatic,omitempty" yaml:"externStatic,omitempty"`
-	SubnetDomainName                  string   `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"`
-	SystemIdentifier                  string   `json:"systemId,omitempty" yaml:"systemId,omitempty"`
-	Tenant                            string   `json:"tenant,omitempty" yaml:"tenant,omitempty"`
-	Token                             string   `json:"token,omitempty" yaml:"token,omitempty"`
-	UseAciAnywhereCRD                 string   `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
-	UseAciCniPriorityClass            string   `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
-	UseClusterRole                    string   `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
-	UseHostNetnsVolume                string   `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"`
-	UseOpflexServerVolume             string   `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"`
-	UsePrivilegedContainer            string   `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"`
-	VRFName                           string   `json:"vrfName,omitempty" yaml:"vrfName,omitempty"`
-	VRFTenant                         string   `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"`
-	VmmController                     string   `json:"vmmController,omitempty" yaml:"vmmController,omitempty"`
-	VmmDomain                         string   `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"`
+	AEP                                  string              `json:"aep,omitempty" yaml:"aep,omitempty"`
+	AccProvisionOperatorMemoryLimit      string              `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"`
+	AccProvisionOperatorMemoryRequest    string              `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"`
+	AciContainersControllerMemoryLimit   string              `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"`
+	AciContainersControllerMemoryRequest string              `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"`
+	AciContainersHostMemoryLimit         string              `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"`
+	AciContainersHostMemoryRequest       string              `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"`
+	AciContainersMemoryLimit             string              `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"`
+	AciContainersMemoryRequest           string              `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"`
+	AciContainersOperatorMemoryLimit     string              `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"`
+	AciContainersOperatorMemoryRequest   string              `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"`
+	AciMultipod                          string              `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"`
+	AciMultipodUbuntu                    string              `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"`
+	AddExternalSubnetsToRdconfig         string              `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"`
+	ApicHosts                            []string            `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
+	ApicRefreshTickerAdjust              string              `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
+	ApicRefreshTime                      string              `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"`
+	ApicSubscriptionDelay                string              `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"`
+	ApicUserCrt                          string              `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"`
+	ApicUserKey                          string              `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"`
+	ApicUserName                         string              `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"`
+	CApic                                string              `json:"capic,omitempty" yaml:"capic,omitempty"`
+	ControllerLogLevel                   string              `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"`
+	DhcpDelay                            string              `json:"dhcpDelay,omitempty" yaml:"dhcpDelay,omitempty"`
+	DhcpRenewMaxRetryCount               string              `json:"dhcpRenewMaxRetryCount,omitempty" yaml:"dhcpRenewMaxRetryCount,omitempty"`
+	DisablePeriodicSnatGlobalInfoSync    string              `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"`
+	DisableWaitForNetwork                string              `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"`
+	DropLogEnable                        string              `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"`
+	DurationWaitForNetwork               string              `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
+	DynamicExternalSubnet                string              `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
+	EnableEndpointSlice                  string              `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
+	EncapType                            string              `json:"encapType,omitempty" yaml:"encapType,omitempty"`
+	EpRegistry                           string              `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
+	GbpPodSubnet                         string              `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
+	HostAgentLogLevel                    string              `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"`
+	HppOptimization                      string              `json:"hppOptimization,omitempty" yaml:"hppOptimization,omitempty"`
+	ImagePullPolicy                      string              `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"`
+	ImagePullSecret                      string              `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"`
+	InfraVlan                            string              `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"`
+	InstallIstio                         string              `json:"installIstio,omitempty" yaml:"installIstio,omitempty"`
+	IstioProfile                         string              `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"`
+	KafkaBrokers                         []string            `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"`
+	KafkaClientCrt                       string              `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"`
+	KafkaClientKey                       string              `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"`
+	KubeAPIVlan                          string              `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"`
+	L3Out                                string              `json:"l3out,omitempty" yaml:"l3out,omitempty"`
+	L3OutExternalNetworks                []string            `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"`
+	MTUHeadRoom                          string              `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"`
+	MaxNodesSvcGraph                     string              `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"`
+	McastDaemonMemoryLimit               string              `json:"mcastDaemonMemoryLimit,omitempty" yaml:"mcastDaemonMemoryLimit,omitempty"`
+	McastDaemonMemoryRequest             string              `json:"mcastDaemonMemoryRequest,omitempty" yaml:"mcastDaemonMemoryRequest,omitempty"`
+	McastRangeEnd                        string              `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"`
+	McastRangeStart                      string              `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"`
+	MultusDisable                        string              `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"`
+	NoPriorityClass                      string              `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
+	NoWaitForServiceEpReadiness          string              `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"`
+	NodePodIfEnable                      string              `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
+	NodeSubnet                           string              `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
+	OVSMemoryLimit                       string              `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
+	OVSMemoryRequest                     string              `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"`
+	OpflexAgentLogLevel                  string              `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"`
+	OpflexAgentMemoryLimit               string              `json:"opflexAgentMemoryLimit,omitempty" yaml:"opflexAgentMemoryLimit,omitempty"`
+	OpflexAgentMemoryRequest             string              `json:"opflexAgentMemoryRequest,omitempty" yaml:"opflexAgentMemoryRequest,omitempty"`
+	OpflexAgentOpflexAsyncjsonEnabled    string              `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"`
+	OpflexAgentOvsAsyncjsonEnabled       string              `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"`
+	OpflexAgentPolicyRetryDelayTimer     string              `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"`
+	OpflexClientSSL                      string              `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
+	OpflexDeviceDeleteTimeout            string              `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
+	OpflexDeviceReconnectWaitTimeout     string              `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"`
+	OpflexMode                           string              `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
+	OpflexServerPort                     string              `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
+	OverlayVRFName                       string              `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
+	PBRTrackingNonSnat                   string              `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
+	PodSubnetChunkSize                   string              `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"`
+	RunGbpContainer                      string              `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"`
+	RunOpflexServerContainer             string              `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"`
+	ServiceGraphEndpointAddDelay         string              `json:"serviceGraphEndpointAddDelay,omitempty" yaml:"serviceGraphEndpointAddDelay,omitempty"`
+	ServiceGraphEndpointAddServices      []map[string]string `json:"serviceGraphEndpointAddServices,omitempty" yaml:"serviceGraphEndpointAddServices,omitempty"`
+	ServiceGraphSubnet                   string              `json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"`
+	ServiceMonitorInterval               string              `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"`
+	ServiceVlan                          string              `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"`
+	SleepTimeSnatGlobalInfoSync          string              `json:"sleepTimeSnatGlobalInfoSync,omitempty" yaml:"sleepTimeSnatGlobalInfoSync,omitempty"`
+	SnatContractScope                    string              `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"`
+	SnatNamespace                        string              `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"`
+	SnatPortRangeEnd                     string              `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"`
+	SnatPortRangeStart                   string              `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"`
+	SnatPortsPerNode                     string              `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"`
+	SriovEnable                          string              `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"`
+	StaticExternalSubnet                 string              `json:"externStatic,omitempty" yaml:"externStatic,omitempty"`
+	SubnetDomainName                     string              `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"`
+	SystemIdentifier                     string              `json:"systemId,omitempty" yaml:"systemId,omitempty"`
+	Tenant                               string              `json:"tenant,omitempty" yaml:"tenant,omitempty"`
+	Token                                string              `json:"token,omitempty" yaml:"token,omitempty"`
+	UseAciAnywhereCRD                    string              `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
+	UseAciCniPriorityClass               string              `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
+	UseClusterRole                       string              `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
+	UseHostNetnsVolume                   string              `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"`
+	UseOpflexServerVolume                string              `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"`
+	UsePrivilegedContainer               string              `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"`
+	UseSystemNodePriorityClass           string              `json:"useSystemNodePriorityClass,omitempty" yaml:"useSystemNodePriorityClass,omitempty"`
+	VRFName                              string              `json:"vrfName,omitempty" yaml:"vrfName,omitempty"`
+	VRFTenant                            string              `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"`
+	VmmController                        string              `json:"vmmController,omitempty" yaml:"vmmController,omitempty"`
+	VmmDomain                            string              `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"`
 }
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_azure_cloud_provider.go+2 0 modified
    @@ -26,6 +26,7 @@ const (
 	AzureCloudProviderFieldSecurityGroupName            = "securityGroupName"
 	AzureCloudProviderFieldSubnetName                   = "subnetName"
 	AzureCloudProviderFieldSubscriptionID               = "subscriptionId"
+	AzureCloudProviderFieldTags                         = "tags"
 	AzureCloudProviderFieldTenantID                     = "tenantId"
 	AzureCloudProviderFieldUseInstanceMetadata          = "useInstanceMetadata"
 	AzureCloudProviderFieldUseManagedIdentityExtension  = "useManagedIdentityExtension"
@@ -60,6 +61,7 @@ type AzureCloudProvider struct {
 	SecurityGroupName            string `json:"securityGroupName,omitempty" yaml:"securityGroupName,omitempty"`
 	SubnetName                   string `json:"subnetName,omitempty" yaml:"subnetName,omitempty"`
 	SubscriptionID               string `json:"subscriptionId,omitempty" yaml:"subscriptionId,omitempty"`
+	Tags                         string `json:"tags,omitempty" yaml:"tags,omitempty"`
 	TenantID                     string `json:"tenantId,omitempty" yaml:"tenantId,omitempty"`
 	UseInstanceMetadata          bool   `json:"useInstanceMetadata,omitempty" yaml:"useInstanceMetadata,omitempty"`
 	UseManagedIdentityExtension  bool   `json:"useManagedIdentityExtension,omitempty" yaml:"useManagedIdentityExtension,omitempty"`
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_cloud_provider.go+17 15 modified
    @@ -1,22 +1,24 @@
 package client
 
 const (
-	CloudProviderType                        = "cloudProvider"
-	CloudProviderFieldAWSCloudProvider       = "awsCloudProvider"
-	CloudProviderFieldAzureCloudProvider     = "azureCloudProvider"
-	CloudProviderFieldCustomCloudProvider    = "customCloudProvider"
-	CloudProviderFieldHarvesterCloudProvider = "harvesterCloudProvider"
-	CloudProviderFieldName                   = "name"
-	CloudProviderFieldOpenstackCloudProvider = "openstackCloudProvider"
-	CloudProviderFieldVsphereCloudProvider   = "vsphereCloudProvider"
+	CloudProviderType                             = "cloudProvider"
+	CloudProviderFieldAWSCloudProvider            = "awsCloudProvider"
+	CloudProviderFieldAzureCloudProvider          = "azureCloudProvider"
+	CloudProviderFieldCustomCloudProvider         = "customCloudProvider"
+	CloudProviderFieldHarvesterCloudProvider      = "harvesterCloudProvider"
+	CloudProviderFieldName                        = "name"
+	CloudProviderFieldOpenstackCloudProvider      = "openstackCloudProvider"
+	CloudProviderFieldUseInstanceMetadataHostname = "useInstanceMetadataHostname"
+	CloudProviderFieldVsphereCloudProvider        = "vsphereCloudProvider"
 )
 
 type CloudProvider struct {
-	AWSCloudProvider       *AWSCloudProvider       `json:"awsCloudProvider,omitempty" yaml:"awsCloudProvider,omitempty"`
-	AzureCloudProvider     *AzureCloudProvider     `json:"azureCloudProvider,omitempty" yaml:"azureCloudProvider,omitempty"`
-	CustomCloudProvider    string                  `json:"customCloudProvider,omitempty" yaml:"customCloudProvider,omitempty"`
-	HarvesterCloudProvider *HarvesterCloudProvider `json:"harvesterCloudProvider,omitempty" yaml:"harvesterCloudProvider,omitempty"`
-	Name                   string                  `json:"name,omitempty" yaml:"name,omitempty"`
-	OpenstackCloudProvider *OpenstackCloudProvider `json:"openstackCloudProvider,omitempty" yaml:"openstackCloudProvider,omitempty"`
-	VsphereCloudProvider   *VsphereCloudProvider   `json:"vsphereCloudProvider,omitempty" yaml:"vsphereCloudProvider,omitempty"`
+	AWSCloudProvider            *AWSCloudProvider       `json:"awsCloudProvider,omitempty" yaml:"awsCloudProvider,omitempty"`
+	AzureCloudProvider          *AzureCloudProvider     `json:"azureCloudProvider,omitempty" yaml:"azureCloudProvider,omitempty"`
+	CustomCloudProvider         string                  `json:"customCloudProvider,omitempty" yaml:"customCloudProvider,omitempty"`
+	HarvesterCloudProvider      *HarvesterCloudProvider `json:"harvesterCloudProvider,omitempty" yaml:"harvesterCloudProvider,omitempty"`
+	Name                        string                  `json:"name,omitempty" yaml:"name,omitempty"`
+	OpenstackCloudProvider      *OpenstackCloudProvider `json:"openstackCloudProvider,omitempty" yaml:"openstackCloudProvider,omitempty"`
+	UseInstanceMetadataHostname *bool                   `json:"useInstanceMetadataHostname,omitempty" yaml:"useInstanceMetadataHostname,omitempty"`
+	VsphereCloudProvider        *VsphereCloudProvider   `json:"vsphereCloudProvider,omitempty" yaml:"vsphereCloudProvider,omitempty"`
 }
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_cluster_secrets.go+33 19 modified
    @@ -1,26 +1,40 @@
 package client
 
 const (
-	ClusterSecretsType                       = "clusterSecrets"
-	ClusterSecretsFieldAADClientCertSecret   = "aadClientCertSecret"
-	ClusterSecretsFieldAADClientSecret       = "aadClientSecret"
-	ClusterSecretsFieldOpenStackSecret       = "openStackSecret"
-	ClusterSecretsFieldPrivateRegistrySecret = "privateRegistrySecret"
-	ClusterSecretsFieldPrivateRegistryURL    = "privateRegistryURL"
-	ClusterSecretsFieldS3CredentialSecret    = "s3CredentialSecret"
-	ClusterSecretsFieldVirtualCenterSecret   = "virtualCenterSecret"
-	ClusterSecretsFieldVsphereSecret         = "vsphereSecret"
-	ClusterSecretsFieldWeavePasswordSecret   = "weavePasswordSecret"
+	ClusterSecretsType                                  = "clusterSecrets"
+	ClusterSecretsFieldAADClientCertSecret              = "aadClientCertSecret"
+	ClusterSecretsFieldAADClientSecret                  = "aadClientSecret"
+	ClusterSecretsFieldACIAPICUserKeySecret             = "aciAPICUserKeySecret"
+	ClusterSecretsFieldACIKafkaClientKeySecret          = "aciKafkaClientKeySecret"
+	ClusterSecretsFieldACITokenSecret                   = "aciTokenSecret"
+	ClusterSecretsFieldBastionHostSSHKeySecret          = "bastionHostSSHKeySecret"
+	ClusterSecretsFieldKubeletExtraEnvSecret            = "kubeletExtraEnvSecret"
+	ClusterSecretsFieldOpenStackSecret                  = "openStackSecret"
+	ClusterSecretsFieldPrivateRegistryECRSecret         = "privateRegistryECRSecret"
+	ClusterSecretsFieldPrivateRegistrySecret            = "privateRegistrySecret"
+	ClusterSecretsFieldPrivateRegistryURL               = "privateRegistryURL"
+	ClusterSecretsFieldS3CredentialSecret               = "s3CredentialSecret"
+	ClusterSecretsFieldSecretsEncryptionProvidersSecret = "secretsEncryptionProvidersSecret"
+	ClusterSecretsFieldVirtualCenterSecret              = "virtualCenterSecret"
+	ClusterSecretsFieldVsphereSecret                    = "vsphereSecret"
+	ClusterSecretsFieldWeavePasswordSecret              = "weavePasswordSecret"
 )
 
 type ClusterSecrets struct {
-	AADClientCertSecret   string `json:"aadClientCertSecret,omitempty" yaml:"aadClientCertSecret,omitempty"`
-	AADClientSecret       string `json:"aadClientSecret,omitempty" yaml:"aadClientSecret,omitempty"`
-	OpenStackSecret       string `json:"openStackSecret,omitempty" yaml:"openStackSecret,omitempty"`
-	PrivateRegistrySecret string `json:"privateRegistrySecret,omitempty" yaml:"privateRegistrySecret,omitempty"`
-	PrivateRegistryURL    string `json:"privateRegistryURL,omitempty" yaml:"privateRegistryURL,omitempty"`
-	S3CredentialSecret    string `json:"s3CredentialSecret,omitempty" yaml:"s3CredentialSecret,omitempty"`
-	VirtualCenterSecret   string `json:"virtualCenterSecret,omitempty" yaml:"virtualCenterSecret,omitempty"`
-	VsphereSecret         string `json:"vsphereSecret,omitempty" yaml:"vsphereSecret,omitempty"`
-	WeavePasswordSecret   string `json:"weavePasswordSecret,omitempty" yaml:"weavePasswordSecret,omitempty"`
+	AADClientCertSecret              string `json:"aadClientCertSecret,omitempty" yaml:"aadClientCertSecret,omitempty"`
+	AADClientSecret                  string `json:"aadClientSecret,omitempty" yaml:"aadClientSecret,omitempty"`
+	ACIAPICUserKeySecret             string `json:"aciAPICUserKeySecret,omitempty" yaml:"aciAPICUserKeySecret,omitempty"`
+	ACIKafkaClientKeySecret          string `json:"aciKafkaClientKeySecret,omitempty" yaml:"aciKafkaClientKeySecret,omitempty"`
+	ACITokenSecret                   string `json:"aciTokenSecret,omitempty" yaml:"aciTokenSecret,omitempty"`
+	BastionHostSSHKeySecret          string `json:"bastionHostSSHKeySecret,omitempty" yaml:"bastionHostSSHKeySecret,omitempty"`
+	KubeletExtraEnvSecret            string `json:"kubeletExtraEnvSecret,omitempty" yaml:"kubeletExtraEnvSecret,omitempty"`
+	OpenStackSecret                  string `json:"openStackSecret,omitempty" yaml:"openStackSecret,omitempty"`
+	PrivateRegistryECRSecret         string `json:"privateRegistryECRSecret,omitempty" yaml:"privateRegistryECRSecret,omitempty"`
+	PrivateRegistrySecret            string `json:"privateRegistrySecret,omitempty" yaml:"privateRegistrySecret,omitempty"`
+	PrivateRegistryURL               string `json:"privateRegistryURL,omitempty" yaml:"privateRegistryURL,omitempty"`
+	S3CredentialSecret               string `json:"s3CredentialSecret,omitempty" yaml:"s3CredentialSecret,omitempty"`
+	SecretsEncryptionProvidersSecret string `json:"secretsEncryptionProvidersSecret,omitempty" yaml:"secretsEncryptionProvidersSecret,omitempty"`
+	VirtualCenterSecret              string `json:"virtualCenterSecret,omitempty" yaml:"virtualCenterSecret,omitempty"`
+	VsphereSecret                    string `json:"vsphereSecret,omitempty" yaml:"vsphereSecret,omitempty"`
+	WeavePasswordSecret              string `json:"weavePasswordSecret,omitempty" yaml:"weavePasswordSecret,omitempty"`
 }
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_cluster_template_revision.go+63 49 modified
    @@ -5,59 +5,73 @@ import (
 )
 
 const (
-	ClusterTemplateRevisionType                       = "clusterTemplateRevision"
-	ClusterTemplateRevisionFieldAADClientCertSecret   = "aadClientCertSecret"
-	ClusterTemplateRevisionFieldAADClientSecret       = "aadClientSecret"
-	ClusterTemplateRevisionFieldAnnotations           = "annotations"
-	ClusterTemplateRevisionFieldClusterConfig         = "clusterConfig"
-	ClusterTemplateRevisionFieldClusterTemplateID     = "clusterTemplateId"
-	ClusterTemplateRevisionFieldConditions            = "conditions"
-	ClusterTemplateRevisionFieldCreated               = "created"
-	ClusterTemplateRevisionFieldCreatorID             = "creatorId"
-	ClusterTemplateRevisionFieldEnabled               = "enabled"
-	ClusterTemplateRevisionFieldLabels                = "labels"
-	ClusterTemplateRevisionFieldName                  = "name"
-	ClusterTemplateRevisionFieldOpenStackSecret       = "openStackSecret"
-	ClusterTemplateRevisionFieldOwnerReferences       = "ownerReferences"
-	ClusterTemplateRevisionFieldPrivateRegistrySecret = "privateRegistrySecret"
-	ClusterTemplateRevisionFieldQuestions             = "questions"
-	ClusterTemplateRevisionFieldRemoved               = "removed"
-	ClusterTemplateRevisionFieldS3CredentialSecret    = "s3CredentialSecret"
-	ClusterTemplateRevisionFieldState                 = "state"
-	ClusterTemplateRevisionFieldTransitioning         = "transitioning"
-	ClusterTemplateRevisionFieldTransitioningMessage  = "transitioningMessage"
-	ClusterTemplateRevisionFieldUUID                  = "uuid"
-	ClusterTemplateRevisionFieldVirtualCenterSecret   = "virtualCenterSecret"
-	ClusterTemplateRevisionFieldVsphereSecret         = "vsphereSecret"
-	ClusterTemplateRevisionFieldWeavePasswordSecret   = "weavePasswordSecret"
+	ClusterTemplateRevisionType                                  = "clusterTemplateRevision"
+	ClusterTemplateRevisionFieldAADClientCertSecret              = "aadClientCertSecret"
+	ClusterTemplateRevisionFieldAADClientSecret                  = "aadClientSecret"
+	ClusterTemplateRevisionFieldACIAPICUserKeySecret             = "aciAPICUserKeySecret"
+	ClusterTemplateRevisionFieldACIKafkaClientKeySecret          = "aciKafkaClientKeySecret"
+	ClusterTemplateRevisionFieldACITokenSecret                   = "aciTokenSecret"
+	ClusterTemplateRevisionFieldAnnotations                      = "annotations"
+	ClusterTemplateRevisionFieldBastionHostSSHKeySecret          = "bastionHostSSHKeySecret"
+	ClusterTemplateRevisionFieldClusterConfig                    = "clusterConfig"
+	ClusterTemplateRevisionFieldClusterTemplateID                = "clusterTemplateId"
+	ClusterTemplateRevisionFieldConditions                       = "conditions"
+	ClusterTemplateRevisionFieldCreated                          = "created"
+	ClusterTemplateRevisionFieldCreatorID                        = "creatorId"
+	ClusterTemplateRevisionFieldEnabled                          = "enabled"
+	ClusterTemplateRevisionFieldKubeletExtraEnvSecret            = "kubeletExtraEnvSecret"
+	ClusterTemplateRevisionFieldLabels                           = "labels"
+	ClusterTemplateRevisionFieldName                             = "name"
+	ClusterTemplateRevisionFieldOpenStackSecret                  = "openStackSecret"
+	ClusterTemplateRevisionFieldOwnerReferences                  = "ownerReferences"
+	ClusterTemplateRevisionFieldPrivateRegistryECRSecret         = "privateRegistryECRSecret"
+	ClusterTemplateRevisionFieldPrivateRegistrySecret            = "privateRegistrySecret"
+	ClusterTemplateRevisionFieldQuestions                        = "questions"
+	ClusterTemplateRevisionFieldRemoved                          = "removed"
+	ClusterTemplateRevisionFieldS3CredentialSecret               = "s3CredentialSecret"
+	ClusterTemplateRevisionFieldSecretsEncryptionProvidersSecret = "secretsEncryptionProvidersSecret"
+	ClusterTemplateRevisionFieldState                            = "state"
+	ClusterTemplateRevisionFieldTransitioning                    = "transitioning"
+	ClusterTemplateRevisionFieldTransitioningMessage             = "transitioningMessage"
+	ClusterTemplateRevisionFieldUUID                             = "uuid"
+	ClusterTemplateRevisionFieldVirtualCenterSecret              = "virtualCenterSecret"
+	ClusterTemplateRevisionFieldVsphereSecret                    = "vsphereSecret"
+	ClusterTemplateRevisionFieldWeavePasswordSecret              = "weavePasswordSecret"
 )
 
 type ClusterTemplateRevision struct {
 	types.Resource
-	AADClientCertSecret   string                             `json:"aadClientCertSecret,omitempty" yaml:"aadClientCertSecret,omitempty"`
-	AADClientSecret       string                             `json:"aadClientSecret,omitempty" yaml:"aadClientSecret,omitempty"`
-	Annotations           map[string]string                  `json:"annotations,omitempty" yaml:"annotations,omitempty"`
-	ClusterConfig         *ClusterSpecBase                   `json:"clusterConfig,omitempty" yaml:"clusterConfig,omitempty"`
-	ClusterTemplateID     string                             `json:"clusterTemplateId,omitempty" yaml:"clusterTemplateId,omitempty"`
-	Conditions            []ClusterTemplateRevisionCondition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
-	Created               string                             `json:"created,omitempty" yaml:"created,omitempty"`
-	CreatorID             string                             `json:"creatorId,omitempty" yaml:"creatorId,omitempty"`
-	Enabled               *bool                              `json:"enabled,omitempty" yaml:"enabled,omitempty"`
-	Labels                map[string]string                  `json:"labels,omitempty" yaml:"labels,omitempty"`
-	Name                  string                             `json:"name,omitempty" yaml:"name,omitempty"`
-	OpenStackSecret       string                             `json:"openStackSecret,omitempty" yaml:"openStackSecret,omitempty"`
-	OwnerReferences       []OwnerReference                   `json:"ownerReferences,omitempty" yaml:"ownerReferences,omitempty"`
-	PrivateRegistrySecret string                             `json:"privateRegistrySecret,omitempty" yaml:"privateRegistrySecret,omitempty"`
-	Questions             []Question                         `json:"questions,omitempty" yaml:"questions,omitempty"`
-	Removed               string                             `json:"removed,omitempty" yaml:"removed,omitempty"`
-	S3CredentialSecret    string                             `json:"s3CredentialSecret,omitempty" yaml:"s3CredentialSecret,omitempty"`
-	State                 string                             `json:"state,omitempty" yaml:"state,omitempty"`
-	Transitioning         string                             `json:"transitioning,omitempty" yaml:"transitioning,omitempty"`
-	TransitioningMessage  string                             `json:"transitioningMessage,omitempty" yaml:"transitioningMessage,omitempty"`
-	UUID                  string                             `json:"uuid,omitempty" yaml:"uuid,omitempty"`
-	VirtualCenterSecret   string                             `json:"virtualCenterSecret,omitempty" yaml:"virtualCenterSecret,omitempty"`
-	VsphereSecret         string                             `json:"vsphereSecret,omitempty" yaml:"vsphereSecret,omitempty"`
-	WeavePasswordSecret   string                             `json:"weavePasswordSecret,omitempty" yaml:"weavePasswordSecret,omitempty"`
+	AADClientCertSecret              string                             `json:"aadClientCertSecret,omitempty" yaml:"aadClientCertSecret,omitempty"`
+	AADClientSecret                  string                             `json:"aadClientSecret,omitempty" yaml:"aadClientSecret,omitempty"`
+	ACIAPICUserKeySecret             string                             `json:"aciAPICUserKeySecret,omitempty" yaml:"aciAPICUserKeySecret,omitempty"`
+	ACIKafkaClientKeySecret          string                             `json:"aciKafkaClientKeySecret,omitempty" yaml:"aciKafkaClientKeySecret,omitempty"`
+	ACITokenSecret                   string                             `json:"aciTokenSecret,omitempty" yaml:"aciTokenSecret,omitempty"`
+	Annotations                      map[string]string                  `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+	BastionHostSSHKeySecret          string                             `json:"bastionHostSSHKeySecret,omitempty" yaml:"bastionHostSSHKeySecret,omitempty"`
+	ClusterConfig                    *ClusterSpecBase                   `json:"clusterConfig,omitempty" yaml:"clusterConfig,omitempty"`
+	ClusterTemplateID                string                             `json:"clusterTemplateId,omitempty" yaml:"clusterTemplateId,omitempty"`
+	Conditions                       []ClusterTemplateRevisionCondition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
+	Created                          string                             `json:"created,omitempty" yaml:"created,omitempty"`
+	CreatorID                        string                             `json:"creatorId,omitempty" yaml:"creatorId,omitempty"`
+	Enabled                          *bool                              `json:"enabled,omitempty" yaml:"enabled,omitempty"`
+	KubeletExtraEnvSecret            string                             `json:"kubeletExtraEnvSecret,omitempty" yaml:"kubeletExtraEnvSecret,omitempty"`
+	Labels                           map[string]string                  `json:"labels,omitempty" yaml:"labels,omitempty"`
+	Name                             string                             `json:"name,omitempty" yaml:"name,omitempty"`
+	OpenStackSecret                  string                             `json:"openStackSecret,omitempty" yaml:"openStackSecret,omitempty"`
+	OwnerReferences                  []OwnerReference                   `json:"ownerReferences,omitempty" yaml:"ownerReferences,omitempty"`
+	PrivateRegistryECRSecret         string                             `json:"privateRegistryECRSecret,omitempty" yaml:"privateRegistryECRSecret,omitempty"`
+	PrivateRegistrySecret            string                             `json:"privateRegistrySecret,omitempty" yaml:"privateRegistrySecret,omitempty"`
+	Questions                        []Question                         `json:"questions,omitempty" yaml:"questions,omitempty"`
+	Removed                          string                             `json:"removed,omitempty" yaml:"removed,omitempty"`
+	S3CredentialSecret               string                             `json:"s3CredentialSecret,omitempty" yaml:"s3CredentialSecret,omitempty"`
+	SecretsEncryptionProvidersSecret string                             `json:"secretsEncryptionProvidersSecret,omitempty" yaml:"secretsEncryptionProvidersSecret,omitempty"`
+	State                            string                             `json:"state,omitempty" yaml:"state,omitempty"`
+	Transitioning                    string                             `json:"transitioning,omitempty" yaml:"transitioning,omitempty"`
+	TransitioningMessage             string                             `json:"transitioningMessage,omitempty" yaml:"transitioningMessage,omitempty"`
+	UUID                             string                             `json:"uuid,omitempty" yaml:"uuid,omitempty"`
+	VirtualCenterSecret              string                             `json:"virtualCenterSecret,omitempty" yaml:"virtualCenterSecret,omitempty"`
+	VsphereSecret                    string                             `json:"vsphereSecret,omitempty" yaml:"vsphereSecret,omitempty"`
+	WeavePasswordSecret              string                             `json:"weavePasswordSecret,omitempty" yaml:"weavePasswordSecret,omitempty"`
 }
 
 type ClusterTemplateRevisionCollection struct {
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_cluster_template_revision_status.go+33 19 modified
    @@ -1,26 +1,40 @@
 package client
 
 const (
-	ClusterTemplateRevisionStatusType                       = "clusterTemplateRevisionStatus"
-	ClusterTemplateRevisionStatusFieldAADClientCertSecret   = "aadClientCertSecret"
-	ClusterTemplateRevisionStatusFieldAADClientSecret       = "aadClientSecret"
-	ClusterTemplateRevisionStatusFieldConditions            = "conditions"
-	ClusterTemplateRevisionStatusFieldOpenStackSecret       = "openStackSecret"
-	ClusterTemplateRevisionStatusFieldPrivateRegistrySecret = "privateRegistrySecret"
-	ClusterTemplateRevisionStatusFieldS3CredentialSecret    = "s3CredentialSecret"
-	ClusterTemplateRevisionStatusFieldVirtualCenterSecret   = "virtualCenterSecret"
-	ClusterTemplateRevisionStatusFieldVsphereSecret         = "vsphereSecret"
-	ClusterTemplateRevisionStatusFieldWeavePasswordSecret   = "weavePasswordSecret"
+	ClusterTemplateRevisionStatusType                                  = "clusterTemplateRevisionStatus"
+	ClusterTemplateRevisionStatusFieldAADClientCertSecret              = "aadClientCertSecret"
+	ClusterTemplateRevisionStatusFieldAADClientSecret                  = "aadClientSecret"
+	ClusterTemplateRevisionStatusFieldACIAPICUserKeySecret             = "aciAPICUserKeySecret"
+	ClusterTemplateRevisionStatusFieldACIKafkaClientKeySecret          = "aciKafkaClientKeySecret"
+	ClusterTemplateRevisionStatusFieldACITokenSecret                   = "aciTokenSecret"
+	ClusterTemplateRevisionStatusFieldBastionHostSSHKeySecret          = "bastionHostSSHKeySecret"
+	ClusterTemplateRevisionStatusFieldConditions                       = "conditions"
+	ClusterTemplateRevisionStatusFieldKubeletExtraEnvSecret            = "kubeletExtraEnvSecret"
+	ClusterTemplateRevisionStatusFieldOpenStackSecret                  = "openStackSecret"
+	ClusterTemplateRevisionStatusFieldPrivateRegistryECRSecret         = "privateRegistryECRSecret"
+	ClusterTemplateRevisionStatusFieldPrivateRegistrySecret            = "privateRegistrySecret"
+	ClusterTemplateRevisionStatusFieldS3CredentialSecret               = "s3CredentialSecret"
+	ClusterTemplateRevisionStatusFieldSecretsEncryptionProvidersSecret = "secretsEncryptionProvidersSecret"
+	ClusterTemplateRevisionStatusFieldVirtualCenterSecret              = "virtualCenterSecret"
+	ClusterTemplateRevisionStatusFieldVsphereSecret                    = "vsphereSecret"
+	ClusterTemplateRevisionStatusFieldWeavePasswordSecret              = "weavePasswordSecret"
 )
 
 type ClusterTemplateRevisionStatus struct {
-	AADClientCertSecret   string                             `json:"aadClientCertSecret,omitempty" yaml:"aadClientCertSecret,omitempty"`
-	AADClientSecret       string                             `json:"aadClientSecret,omitempty" yaml:"aadClientSecret,omitempty"`
-	Conditions            []ClusterTemplateRevisionCondition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
-	OpenStackSecret       string                             `json:"openStackSecret,omitempty" yaml:"openStackSecret,omitempty"`
-	PrivateRegistrySecret string                             `json:"privateRegistrySecret,omitempty" yaml:"privateRegistrySecret,omitempty"`
-	S3CredentialSecret    string                             `json:"s3CredentialSecret,omitempty" yaml:"s3CredentialSecret,omitempty"`
-	VirtualCenterSecret   string                             `json:"virtualCenterSecret,omitempty" yaml:"virtualCenterSecret,omitempty"`
-	VsphereSecret         string                             `json:"vsphereSecret,omitempty" yaml:"vsphereSecret,omitempty"`
-	WeavePasswordSecret   string                             `json:"weavePasswordSecret,omitempty" yaml:"weavePasswordSecret,omitempty"`
+	AADClientCertSecret              string                             `json:"aadClientCertSecret,omitempty" yaml:"aadClientCertSecret,omitempty"`
+	AADClientSecret                  string                             `json:"aadClientSecret,omitempty" yaml:"aadClientSecret,omitempty"`
+	ACIAPICUserKeySecret             string                             `json:"aciAPICUserKeySecret,omitempty" yaml:"aciAPICUserKeySecret,omitempty"`
+	ACIKafkaClientKeySecret          string                             `json:"aciKafkaClientKeySecret,omitempty" yaml:"aciKafkaClientKeySecret,omitempty"`
+	ACITokenSecret                   string                             `json:"aciTokenSecret,omitempty" yaml:"aciTokenSecret,omitempty"`
+	BastionHostSSHKeySecret          string                             `json:"bastionHostSSHKeySecret,omitempty" yaml:"bastionHostSSHKeySecret,omitempty"`
+	Conditions                       []ClusterTemplateRevisionCondition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
+	KubeletExtraEnvSecret            string                             `json:"kubeletExtraEnvSecret,omitempty" yaml:"kubeletExtraEnvSecret,omitempty"`
+	OpenStackSecret                  string                             `json:"openStackSecret,omitempty" yaml:"openStackSecret,omitempty"`
+	PrivateRegistryECRSecret         string                             `json:"privateRegistryECRSecret,omitempty" yaml:"privateRegistryECRSecret,omitempty"`
+	PrivateRegistrySecret            string                             `json:"privateRegistrySecret,omitempty" yaml:"privateRegistrySecret,omitempty"`
+	S3CredentialSecret               string                             `json:"s3CredentialSecret,omitempty" yaml:"s3CredentialSecret,omitempty"`
+	SecretsEncryptionProvidersSecret string                             `json:"secretsEncryptionProvidersSecret,omitempty" yaml:"secretsEncryptionProvidersSecret,omitempty"`
+	VirtualCenterSecret              string                             `json:"virtualCenterSecret,omitempty" yaml:"virtualCenterSecret,omitempty"`
+	VsphereSecret                    string                             `json:"vsphereSecret,omitempty" yaml:"vsphereSecret,omitempty"`
+	WeavePasswordSecret              string                             `json:"weavePasswordSecret,omitempty" yaml:"weavePasswordSecret,omitempty"`
 }
  • tests/v2/codecoverage/package/Dockerfile+1 1 modified
    @@ -167,7 +167,7 @@ ENV CATTLE_CLI_VERSION v2.7.2-rc1
 ENV CATTLE_BASE_UI_BRAND=
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.9
+ENV CATTLE_API_UI_VERSION 1.1.11
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log
  • tests/v2/codecoverage/package/Dockerfile.ranchertest+1 1 modified
    @@ -166,7 +166,7 @@ ENV CATTLE_DASHBOARD_UI_VERSION v2.6.9
 ENV CATTLE_CLI_VERSION v2.6.9
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.9
+ENV CATTLE_API_UI_VERSION 1.1.11
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log
649fdad268d8

[2.7] Fixes (#44343)

https://github.com/rancher/rancherPeter MatseykanetsFeb 5, 2024via ghsa
commit
246 files changed · +966 668
  • .drone.yml+0 245 modified
    @@ -685,249 +685,6 @@ volumes:
   host:
     path: /var/run/docker.sock
 
-trigger:
-  event:
-    exclude:
-    - promote
----
-kind: pipeline
-name: default-linux-s390x
-
-platform:
-  os: linux
-  arch: amd64
-
-# Hack needed for s390x: https://gist.github.com/colstrom/c2f359f72658aaabb44150ac20b16d7c#gistcomment-3858388
-node:
-  arch: s390x
-
-clone:
-  disable: true
-
-steps:
-- name: clone
-  image: alpine/git:v2.30.2-s390x
-  commands:
-  - git clone $DRONE_GIT_HTTP_URL  .
-  - git fetch origin $DRONE_COMMIT_REF
-  - git checkout $DRONE_COMMIT -b origin/$DRONE_TARGET_BRANCH
-
-- name: build-pr
-  image: rancher/dapper:v0.6.0
-  failure: ignore
-  commands:
-  - dapper ci
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    event:
-    - pull_request
-
-- name: build-push-tag
-  image: rancher/dapper:v0.6.0
-  failure: ignore
-  commands:
-  - K3S_BUILDER=k3s_root dapper ci
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    instance:
-      - drone-publish.rancher.io
-    ref:
-      include:
-        - "refs/heads/master"
-        - "refs/heads/release/v*"
-        - "refs/tags/v*"
-    event:
-    - push
-    - tag
-
-- name: stage-binaries
-  image: rancher/dapper:v0.6.0
-  failure: ignore
-  commands:
-  - "cp -r ./bin/* ./package/"
-  when:
-    instance:
-      - drone-publish.rancher.io
-    ref:
-      include:
-        - "refs/heads/master"
-        - "refs/heads/release/v*"
-        - "refs/tags/v*"
-    event:
-    - push
-    - tag
-
-- name: docker-publish-head
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - VERSION=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-head
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile
-    tag: ${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher
-    username:
-      from_secret: docker_username
-  when:
-    ref:
-      include:
-      - "refs/heads/master"
-      - "refs/heads/release/v*"
-    event:
-    - push
-
-- name: docker-publish-head-installer
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - VERSION=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-head
-    - RANCHER_TAG=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.installer
-    tag: ${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    password:
-      from_secret: docker_password
-    repo: rancher/system-agent-installer-rancher
-    username:
-      from_secret: docker_username
-  when:
-    ref:
-      include:
-      - "refs/heads/master"
-      - "refs/heads/release/v*"
-    event:
-    - push
-
-- name: docker-publish-head-agent
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - VERSION=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-head
-    - RANCHER_TAG=${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.agent
-    tag: ${DRONE_BRANCH/release\//}-${DRONE_COMMIT}-linux-s390x
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher-agent
-    username:
-      from_secret: docker_username
-  when:
-    ref:
-      include:
-      - "refs/heads/master"
-      - "refs/heads/release/v*"
-    event:
-    - push
-
-- name: docker-publish
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - "VERSION=${DRONE_TAG}"
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher
-    tag: "${DRONE_TAG}-linux-s390x"
-    username:
-      from_secret: docker_username
-  when:
-    event:
-    - tag
-
-- name: docker-publish-installer
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - "VERSION=${DRONE_TAG}"
-    - "RANCHER_TAG=${DRONE_TAG}-linux-s390x"
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.installer
-    password:
-      from_secret: docker_password
-    repo: rancher/system-agent-installer-rancher
-    tag: "${DRONE_TAG}-linux-s390x"
-    username:
-      from_secret: docker_username
-  when:
-    event:
-    - tag
-
-- name: docker-publish-agent
-  image: rancher/drone-images:docker-s390x
-  failure: ignore
-  volumes:
-    - name: docker
-      path: /var/run/docker.sock
-  settings:
-    purge: false
-    build_args:
-    - ARCH=s390x
-    - "VERSION=${DRONE_TAG}"
-    - "RANCHER_TAG=${DRONE_TAG}-linux-s390x"
-    context: package/
-    custom_dns: 1.1.1.1
-    dockerfile: package/Dockerfile.agent
-    password:
-      from_secret: docker_password
-    repo: rancher/rancher-agent
-    tag: "${DRONE_TAG}-linux-s390x"
-    username:
-      from_secret: docker_username
-  when:
-    event:
-    - tag
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
-
 trigger:
   event:
     exclude:
@@ -1363,7 +1120,6 @@ trigger:
 depends_on:
 - default-linux-amd64
 - default-linux-arm64
-- default-linux-s390x
 - default-windows-1809
 - default-windows-ltsc2022
 ---
@@ -1416,7 +1172,6 @@ trigger:
 depends_on:
 - default-linux-amd64
 - default-linux-arm64
-- default-linux-s390x
 ---
 kind: pipeline
 name: docker-image-digests-windows-1809
  • go.mod+5 5 modified
    @@ -11,7 +11,7 @@ replace (
 
 	github.com/knative/pkg => github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e
 	github.com/matryer/moq => github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77
-	github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.5
+	github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.12
 
 	github.com/rancher/machine => github.com/rancher/machine v0.15.0-rancher100 // aks-operator requires rancher99 but rancher100 should not break it.
 	github.com/rancher/rancher/pkg/apis => ./pkg/apis
@@ -106,7 +106,7 @@ require (
 	github.com/prometheus/client_model v0.3.0
 	github.com/prometheus/common v0.42.0
 	github.com/rancher/aks-operator v1.1.3
-	github.com/rancher/apiserver v0.0.0-20230515173455-c3b182bdbf7d
+	github.com/rancher/apiserver v0.0.0-20240205164342-97a10a30200c
 	github.com/rancher/channelserver v0.5.1-0.20230719220800-0a37b73c7df8
 	github.com/rancher/dynamiclistener v0.3.5
 	github.com/rancher/eks-operator v1.2.2
@@ -115,12 +115,12 @@ require (
 	github.com/rancher/kubernetes-provider-detector v0.1.5
 	github.com/rancher/lasso v0.0.0-20230629200414-8a54b32e6792
 	github.com/rancher/machine v0.15.0-rancher99
-	github.com/rancher/norman v0.0.0-20230426211126-d3552b018687
+	github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6
 	github.com/rancher/rancher/pkg/apis v0.0.0
 	github.com/rancher/rancher/pkg/client v0.0.0
 	github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a
 	github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8
-	github.com/rancher/rke v1.4.10
+	github.com/rancher/rke v1.4.13
 	github.com/rancher/steve v0.0.0-20230717160251-d040cffef385
 	github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007
 	github.com/rancher/wrangler v1.1.1
@@ -247,7 +247,7 @@ require (
 	github.com/containerd/containerd v1.6.18 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/cli v23.0.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
  • go.sum+11 9 modified
    @@ -377,8 +377,9 @@ github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
-github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
 github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
 github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
 github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
@@ -1028,6 +1029,7 @@ github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
+github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
@@ -1083,8 +1085,8 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034=
 github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs=
-github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
+github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
+github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -1176,8 +1178,8 @@ github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rancher/aks-operator v1.1.3 h1:sWzhhe9W2UhysdNeKWDM159z7Em+BBNv0DWvC6ANAuA=
 github.com/rancher/aks-operator v1.1.3/go.mod h1:iEFU3CqbPMZ1JKVCX8B5t/EE8H77lSCeak26fUZYoNw=
-github.com/rancher/apiserver v0.0.0-20230515173455-c3b182bdbf7d h1:RT8bn3teE6tsYcSRBli1yVINqrETVqiD8e5uqGg8nmc=
-github.com/rancher/apiserver v0.0.0-20230515173455-c3b182bdbf7d/go.mod h1:GSUg2KPauynfyEk9kqeHE5sFa/Zd8ilsmXqSSzqynQQ=
+github.com/rancher/apiserver v0.0.0-20240205164342-97a10a30200c h1:AXUs8d+qCEo4AfvtHpiv/8n1RgvztxjQCAUWoU4DzjY=
+github.com/rancher/apiserver v0.0.0-20240205164342-97a10a30200c/go.mod h1:GSUg2KPauynfyEk9kqeHE5sFa/Zd8ilsmXqSSzqynQQ=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863 h1:7cVEMgwyiVhLyu/Ywuw58mkkh9cWpFE3+X8IrWncBxU=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863/go.mod h1:6dId2LCc8oHqeBzP6E8ndp4DflhKTxYLb5ZXwI4YmFA=
 github.com/rancher/channelserver v0.5.1-0.20230719220800-0a37b73c7df8 h1:Dyg8vyYMBIImru9mo8EF40yRgNgGQQOpC/aA2vZ/SXY=
@@ -1202,14 +1204,14 @@ github.com/rancher/machine v0.15.0-rancher100 h1:O3Yj/XP7kZgoc125V+eIdrHnd+CPJxA
 github.com/rancher/machine v0.15.0-rancher100/go.mod h1:Jt9dYCyDt1Mhd7BZCmdOnQj3I+VUC1iiYAVHu30JC68=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77 h1:k+vzmkZQsH06rZnDr+phskSixG9ByNj9gVdzHcc8nxw=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77/go.mod h1:wpITyDPTi/Na5h73XkbuEf2AP9fbgrIGqqxVzFhYD6U=
-github.com/rancher/norman v0.0.0-20230426211126-d3552b018687 h1:9Bf4fZBIdkidKTqHFsJXMlnzflxx3h4ZAEH/n6HMuyI=
-github.com/rancher/norman v0.0.0-20230426211126-d3552b018687/go.mod h1:7MyWxfCmPl6N/UFLu4neLH6nwTFgQQF5rxtUGyZvPFE=
+github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6 h1:YEk9v9S9Cn1QDhqS37VuwoziAB29fZIVnyik8xTeNks=
+github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6/go.mod h1:7MyWxfCmPl6N/UFLu4neLH6nwTFgQQF5rxtUGyZvPFE=
 github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a h1:6xqYlVz4uAXBa/AuNAG0bhMusIXVh74dc1bbYOAe+HY=
 github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a/go.mod h1:YW8wJ/coee2n9ed937uPBWQArBaVlxs+5wkkS9KiyDc=
 github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8 h1:leqh0chjBsXhKWebxxFd5QPcoQLu51EpaHo04ce0o+8=
 github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8/go.mod h1:BwwztuvViX2JrLLUwDlsYt5DiyUwHLlzynRwkZLAY0Q=
-github.com/rancher/rke v1.4.10 h1:JP3j9mPjPojopN73Qwu5efKw9PQ7od+GKrHpVJLW3fg=
-github.com/rancher/rke v1.4.10/go.mod h1:zCL+we25sFDQb2jo6EojX8zxBfbB7FxL6Lte6A6eCiY=
+github.com/rancher/rke v1.4.13 h1:kZTxCeE5Sj7i67eYMpp/ymCLJKx1h6tP3ZnpFDyveQM=
+github.com/rancher/rke v1.4.13/go.mod h1:zCL+we25sFDQb2jo6EojX8zxBfbB7FxL6Lte6A6eCiY=
 github.com/rancher/steve v0.0.0-20230717160251-d040cffef385 h1:xMR4LJY5C4LAkJbmVKYvu4BaCYXx2fu99a0K+gErpA0=
 github.com/rancher/steve v0.0.0-20230717160251-d040cffef385/go.mod h1:lCxhhsajJHMUnj0EU+3mbrucc6mHDYD94abDiWX6I/Y=
 github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007 h1:ru+mqGnxMmKeU0Q3XIDxkARvInDIqT1hH2amTcsjxI4=
  • package/Dockerfile+1 1 modified
    @@ -171,7 +171,7 @@ ENV CATTLE_CLI_VERSION v2.7.7
 ENV CATTLE_BASE_UI_BRAND=
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.10
+ENV CATTLE_API_UI_VERSION 1.1.11
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log
  • pkg/apis/catalog.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/catalog.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/v3/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/cluster.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/go.mod+2 2 modified
    @@ -12,8 +12,8 @@ require (
 	github.com/rancher/eks-operator v1.2.2
 	github.com/rancher/fleet/pkg/apis v0.0.0-20230821130910-23e1c146755a
 	github.com/rancher/gke-operator v1.1.6
-	github.com/rancher/norman v0.0.0-20230426211126-d3552b018687
-	github.com/rancher/rke v1.4.10
+	github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6
+	github.com/rancher/rke v1.4.13
 	github.com/rancher/wrangler v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	k8s.io/api v0.25.12
  • pkg/apis/go.sum+4 4 modified
    @@ -495,10 +495,10 @@ github.com/rancher/gke-operator v1.1.6 h1:iAgeCeswAAp0dDzEvJIJhIhgvVgw0LdboBBiXj
 github.com/rancher/gke-operator v1.1.6/go.mod h1:aLjE0vjglT9yKbgLbLDSTkNGRb2YkZzHTh/ANIQ1b/Y=
 github.com/rancher/lasso v0.0.0-20230629200414-8a54b32e6792 h1:IaPhDqppVYX2v/nCR8j2i0nqOLD5yggzzy39QUlcqDw=
 github.com/rancher/lasso v0.0.0-20230629200414-8a54b32e6792/go.mod h1:dNcwXjcqgdOuKFIVETNAPURRh3e5PAi/nWUjj+MLVZA=
-github.com/rancher/norman v0.0.0-20230426211126-d3552b018687 h1:9Bf4fZBIdkidKTqHFsJXMlnzflxx3h4ZAEH/n6HMuyI=
-github.com/rancher/norman v0.0.0-20230426211126-d3552b018687/go.mod h1:7MyWxfCmPl6N/UFLu4neLH6nwTFgQQF5rxtUGyZvPFE=
-github.com/rancher/rke v1.4.10 h1:JP3j9mPjPojopN73Qwu5efKw9PQ7od+GKrHpVJLW3fg=
-github.com/rancher/rke v1.4.10/go.mod h1:zCL+we25sFDQb2jo6EojX8zxBfbB7FxL6Lte6A6eCiY=
+github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6 h1:YEk9v9S9Cn1QDhqS37VuwoziAB29fZIVnyik8xTeNks=
+github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6/go.mod h1:7MyWxfCmPl6N/UFLu4neLH6nwTFgQQF5rxtUGyZvPFE=
+github.com/rancher/rke v1.4.13 h1:kZTxCeE5Sj7i67eYMpp/ymCLJKx1h6tP3ZnpFDyveQM=
+github.com/rancher/rke v1.4.13/go.mod h1:zCL+we25sFDQb2jo6EojX8zxBfbB7FxL6Lte6A6eCiY=
 github.com/rancher/wrangler v1.1.1-0.20230629203936-0e36fee7aea5 h1:d6NAZl3UInlO5E/q82oLWCRCoMEGh5J9jv2H0f8oGSA=
 github.com/rancher/wrangler v1.1.1-0.20230629203936-0e36fee7aea5/go.mod h1:wcqKmq5FJT34ijBgDMswlx7vOkbkw7LEqaaz6f4XTig=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
  • pkg/apis/management.cattle.io/v3/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/v3/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/v3/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/v3/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/management.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/v3/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/project.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/provisioning.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/rke.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/zz_generated_deepcopy.go+1 1 modified
    @@ -2,7 +2,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/zz_generated_list_types.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/v1/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/apis/ui.cattle.io/zz_generated_register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/auth/audit/audit.go+5 3 modified
    @@ -20,6 +20,7 @@ import (
 	"github.com/sirupsen/logrus"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/utils/strings/slices"
 )
 
 const (
@@ -50,8 +51,9 @@ var (
 		http.MethodPut:  true,
 		http.MethodPost: true,
 	}
-	sensitiveRequestHeader  = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token"}
-	sensitiveResponseHeader = []string{"Cookie", "Set-Cookie"}
+	sensitiveRequestHeader  = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token", "X-Api-Auth-Header", "X-Amz-Security-Token"}
+	sensitiveResponseHeader = []string{"Cookie", "Set-Cookie", "X-Api-Set-Cookie-Header"}
+	sensitiveBodyFields     = []string{"credentials", "applicationSecret", "oauthCredential", "serviceAccountCredential", "spKey", "spCert", "certificate", "privateKey"}
 	// ErrUnsupportedEncoding is returned when the response encoding is unsupported
 	ErrUnsupportedEncoding = fmt.Errorf("unsupported encoding")
 	secretBaseType         = regexp.MustCompile(".\"baseType\":\"([A-Za-z]*[S|s]ecret)\".")
@@ -394,7 +396,7 @@ func (a *auditLog) redactMap(m map[string]interface{}) bool {
 	for key := range m {
 		switch val := m[key].(type) {
 		case string:
-			if a.keysToRedactRegex.MatchString(key) {
+			if a.keysToRedactRegex.MatchString(key) || slices.Contains(sensitiveBodyFields, key) {
 				changed = true
 				m[key] = redacted
 			}
  • pkg/auth/audit/audit_test.go+22 0 modified
    @@ -199,6 +199,11 @@ func (a *AuditTest) TestRedactSensitiveData() {
 			want:  []byte(fmt.Sprintf(`{"kubeConfig":"%s","namespace":"testns","secretName":"secret-name"}`, redacted)),
 			uri:   `asdf`,
 		},
+		{
+			name:  "With items from sensitiveBodyFields",
+			input: []byte(`{"credentials": "{'fakeCredName': 'fakeCred'}", "applicationSecret": "fakeAppSecret", "oauthCredential": "fakeOauth", "serviceAccountCredential": "fakeSACred", "spKey": "fakeSPKey", "spCert": "fakeSPCERT", "certificate": "fakeCert", "privateKey": "fakeKey"}`),
+			want:  []byte(fmt.Sprintf(`{"credentials": "%s", "applicationSecret": "%[1]s", "oauthCredential": "%[1]s", "serviceAccountCredential": "%[1]s", "spKey": "%[1]s", "spCert": "%[1]s", "certificate": "%[1]s", "privateKey": "%[1]s"}`, redacted)),
+		},
 	}
 	for i := range tests {
 		test := tests[i]
@@ -437,6 +442,18 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 		},
+		{
+			name:               "sensitive request header: \"X-Api-Auth-Header\"",
+			reqHeader:          http.Header{"X-Api-Auth-Header": []string{"abcd"}},
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
+		{
+			name:               "sensitive request header: \"X-Amz-Security-Token\"",
+			reqHeader:          http.Header{"X-Amz-Security-Token": []string{"abcd"}},
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
 		{
 			name:               "non-sensitive request header and sensitive request header: \"Cookie\"",
 			reqHeader:          http.Header{"Cookie": []string{"abcd"}, "User-Agent": []string{"useragent1"}},
@@ -454,6 +471,11 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "Set-Cookie": []string{"abcd"}},
 			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 		},
+		{
+			name:               "sensitive response header: \"X-Api-Set-Cookie-Header\"",
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "X-Api-Set-Cookie-Header": []string{"abcd"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
 	}
 	writer.Level = LevelMetadata
 	for i := range tests {
  • pkg/client/generated/management/v3/zz_generated_aci_network_provider.go+12 8 modified
    @@ -3,18 +3,15 @@ package client
 const (
 	AciNetworkProviderType                                      = "aciNetworkProvider"
 	AciNetworkProviderFieldAEP                                  = "aep"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryLimit      = "accProvisionOperatorMemoryLimit"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryRequest    = "accProvisionOperatorMemoryRequest"
 	AciNetworkProviderFieldAciContainersControllerMemoryLimit   = "aciContainersControllerMemoryLimit"
 	AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest"
 	AciNetworkProviderFieldAciContainersHostMemoryLimit         = "aciContainersHostMemoryLimit"
 	AciNetworkProviderFieldAciContainersHostMemoryRequest       = "aciContainersHostMemoryRequest"
 	AciNetworkProviderFieldAciContainersMemoryLimit             = "aciContainersMemoryLimit"
 	AciNetworkProviderFieldAciContainersMemoryRequest           = "aciContainersMemoryRequest"
-	AciNetworkProviderFieldAciContainersOperatorMemoryLimit     = "aciContainersOperatorMemoryLimit"
-	AciNetworkProviderFieldAciContainersOperatorMemoryRequest   = "aciContainersOperatorMemoryRequest"
 	AciNetworkProviderFieldAciMultipod                          = "aciMultipod"
 	AciNetworkProviderFieldAciMultipodUbuntu                    = "aciMultipodUbuntu"
+	AciNetworkProviderFieldAddExternalContractToDefaultEpg      = "addExternalContractToDefaultEpg"
 	AciNetworkProviderFieldAddExternalSubnetsToRdconfig         = "addExternalSubnetsToRdconfig"
 	AciNetworkProviderFieldApicHosts                            = "apicHosts"
 	AciNetworkProviderFieldApicRefreshTickerAdjust              = "apicRefreshTickerAdjust"
@@ -33,6 +30,7 @@ const (
 	AciNetworkProviderFieldDurationWaitForNetwork               = "durationWaitForNetwork"
 	AciNetworkProviderFieldDynamicExternalSubnet                = "externDynamic"
 	AciNetworkProviderFieldEnableEndpointSlice                  = "enableEndpointSlice"
+	AciNetworkProviderFieldEnableOpflexAgentReconnect           = "enableOpflexAgentReconnect"
 	AciNetworkProviderFieldEncapType                            = "encapType"
 	AciNetworkProviderFieldEpRegistry                           = "epRegistry"
 	AciNetworkProviderFieldGbpPodSubnet                         = "gbpPodSubnet"
@@ -59,6 +57,7 @@ const (
 	AciNetworkProviderFieldNoPriorityClass                      = "noPriorityClass"
 	AciNetworkProviderFieldNoWaitForServiceEpReadiness          = "noWaitForServiceEpReadiness"
 	AciNetworkProviderFieldNodePodIfEnable                      = "nodePodIfEnable"
+	AciNetworkProviderFieldNodeSnatRedirectExclude              = "nodeSnatRedirectExclude"
 	AciNetworkProviderFieldNodeSubnet                           = "nodeSubnet"
 	AciNetworkProviderFieldOVSMemoryLimit                       = "ovsMemoryLimit"
 	AciNetworkProviderFieldOVSMemoryRequest                     = "ovsMemoryRequest"
@@ -68,10 +67,12 @@ const (
 	AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled    = "opflexAgentOpflexAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled       = "opflexAgentOvsAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer     = "opflexAgentPolicyRetryDelayTimer"
+	AciNetworkProviderFieldOpflexAgentStatistics                = "opflexAgentStatistics"
 	AciNetworkProviderFieldOpflexClientSSL                      = "opflexClientSsl"
 	AciNetworkProviderFieldOpflexDeviceDeleteTimeout            = "opflexDeviceDeleteTimeout"
 	AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout     = "opflexDeviceReconnectWaitTimeout"
 	AciNetworkProviderFieldOpflexMode                           = "opflexMode"
+	AciNetworkProviderFieldOpflexOpensslCompat                  = "opflexOpensslCompat"
 	AciNetworkProviderFieldOpflexServerPort                     = "opflexServerPort"
 	AciNetworkProviderFieldOverlayVRFName                       = "overlayVrfName"
 	AciNetworkProviderFieldPBRTrackingNonSnat                   = "pbrTrackingNonSnat"
@@ -95,6 +96,7 @@ const (
 	AciNetworkProviderFieldSystemIdentifier                     = "systemId"
 	AciNetworkProviderFieldTenant                               = "tenant"
 	AciNetworkProviderFieldToken                                = "token"
+	AciNetworkProviderFieldTolerationSeconds                    = "tolerationSeconds"
 	AciNetworkProviderFieldUseAciAnywhereCRD                    = "useAciAnywhereCrd"
 	AciNetworkProviderFieldUseAciCniPriorityClass               = "useAciCniPriorityClass"
 	AciNetworkProviderFieldUseClusterRole                       = "useClusterRole"
@@ -110,18 +112,15 @@ const (
 
 type AciNetworkProvider struct {
 	AEP                                  string              `json:"aep,omitempty" yaml:"aep,omitempty"`
-	AccProvisionOperatorMemoryLimit      string              `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"`
-	AccProvisionOperatorMemoryRequest    string              `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"`
 	AciContainersControllerMemoryLimit   string              `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"`
 	AciContainersControllerMemoryRequest string              `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"`
 	AciContainersHostMemoryLimit         string              `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"`
 	AciContainersHostMemoryRequest       string              `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"`
 	AciContainersMemoryLimit             string              `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"`
 	AciContainersMemoryRequest           string              `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"`
-	AciContainersOperatorMemoryLimit     string              `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"`
-	AciContainersOperatorMemoryRequest   string              `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"`
 	AciMultipod                          string              `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"`
 	AciMultipodUbuntu                    string              `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"`
+	AddExternalContractToDefaultEpg      string              `json:"addExternalContractToDefaultEpg,omitempty" yaml:"addExternalContractToDefaultEpg,omitempty"`
 	AddExternalSubnetsToRdconfig         string              `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"`
 	ApicHosts                            []string            `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
 	ApicRefreshTickerAdjust              string              `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
@@ -140,6 +139,7 @@ type AciNetworkProvider struct {
 	DurationWaitForNetwork               string              `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
 	DynamicExternalSubnet                string              `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
 	EnableEndpointSlice                  string              `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
+	EnableOpflexAgentReconnect           string              `json:"enableOpflexAgentReconnect,omitempty" yaml:"enableOpflexAgentReconnect,omitempty"`
 	EncapType                            string              `json:"encapType,omitempty" yaml:"encapType,omitempty"`
 	EpRegistry                           string              `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
 	GbpPodSubnet                         string              `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
@@ -166,6 +166,7 @@ type AciNetworkProvider struct {
 	NoPriorityClass                      string              `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
 	NoWaitForServiceEpReadiness          string              `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"`
 	NodePodIfEnable                      string              `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
+	NodeSnatRedirectExclude              []map[string]string `json:"nodeSnatRedirectExclude,omitempty" yaml:"nodeSnatRedirectExclude,omitempty"`
 	NodeSubnet                           string              `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
 	OVSMemoryLimit                       string              `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
 	OVSMemoryRequest                     string              `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"`
@@ -175,10 +176,12 @@ type AciNetworkProvider struct {
 	OpflexAgentOpflexAsyncjsonEnabled    string              `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"`
 	OpflexAgentOvsAsyncjsonEnabled       string              `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"`
 	OpflexAgentPolicyRetryDelayTimer     string              `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"`
+	OpflexAgentStatistics                string              `json:"opflexAgentStatistics,omitempty" yaml:"opflexAgentStatistics,omitempty"`
 	OpflexClientSSL                      string              `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
 	OpflexDeviceDeleteTimeout            string              `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
 	OpflexDeviceReconnectWaitTimeout     string              `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"`
 	OpflexMode                           string              `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
+	OpflexOpensslCompat                  string              `json:"opflexOpensslCompat,omitempty" yaml:"opflexOpensslCompat,omitempty"`
 	OpflexServerPort                     string              `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
 	OverlayVRFName                       string              `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
 	PBRTrackingNonSnat                   string              `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
@@ -202,6 +205,7 @@ type AciNetworkProvider struct {
 	SystemIdentifier                     string              `json:"systemId,omitempty" yaml:"systemId,omitempty"`
 	Tenant                               string              `json:"tenant,omitempty" yaml:"tenant,omitempty"`
 	Token                                string              `json:"token,omitempty" yaml:"token,omitempty"`
+	TolerationSeconds                    string              `json:"tolerationSeconds,omitempty" yaml:"tolerationSeconds,omitempty"`
 	UseAciAnywhereCRD                    string              `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
 	UseAciCniPriorityClass               string              `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
 	UseClusterRole                       string              `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
  • pkg/client/go.mod+1 1 modified
    @@ -5,7 +5,7 @@ go 1.19
 replace k8s.io/client-go => github.com/rancher/client-go v1.25.4-rancher1
 
 require (
-	github.com/rancher/norman v0.0.0-20230426211126-d3552b018687
+	github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6
 	k8s.io/apimachinery v0.25.4
 )
  • pkg/client/go.sum+2 2 modified
    @@ -19,8 +19,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rancher/norman v0.0.0-20230426211126-d3552b018687 h1:9Bf4fZBIdkidKTqHFsJXMlnzflxx3h4ZAEH/n6HMuyI=
-github.com/rancher/norman v0.0.0-20230426211126-d3552b018687/go.mod h1:7MyWxfCmPl6N/UFLu4neLH6nwTFgQQF5rxtUGyZvPFE=
+github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6 h1:YEk9v9S9Cn1QDhqS37VuwoziAB29fZIVnyik8xTeNks=
+github.com/rancher/norman v0.0.0-20240205164302-7b2b467995e6/go.mod h1:7MyWxfCmPl6N/UFLu4neLH6nwTFgQQF5rxtUGyZvPFE=
 github.com/rancher/wrangler v1.1.0 h1:1VWistON261oKmCPF5fOPMWb/YwjgEciO9pCw5Z0mzQ=
 github.com/rancher/wrangler v1.1.0/go.mod h1:lQorqAAIMkNWteece1GiuwZTmMqkaVTXL5qjiiPVDxQ=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
  • pkg/controllers/managementuser/rbac/handler_base_test.go+168 31 modified
    @@ -4,32 +4,180 @@ import (
 	"fmt"
 	"testing"
 
+	apimgmtv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
-	fakes "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes"
+	"github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes"
+	fakes2 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
 	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime/schema"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 )
 
-var roles = map[string]*v3.RoleTemplate{
-	"recursive1": {
-		RoleTemplateNames: []string{"recursive2"},
-	},
-	"recursive2": {
-		RoleTemplateNames: []string{"recursive1"},
-	},
-	"non-recursive": {},
-	"inherit non-recursive": {
-		RoleTemplateNames: []string{"non-recursive"},
-	},
+var (
+	recursiveTestRoleTemplates = map[string]*v3.RoleTemplate{
+		"recursive1": {
+			RoleTemplateNames: []string{"recursive2"},
+		},
+		"recursive2": {
+			RoleTemplateNames: []string{"recursive1"},
+		},
+		"non-recursive": {},
+		"inherit non-recursive": {
+			RoleTemplateNames: []string{"non-recursive"},
+		},
+	}
+	createNSRoleTemplate = &v3.RoleTemplate{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "create-ns",
+		},
+		Builtin: true,
+		Rules: []v1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"namespaces"},
+				Verbs:     []string{"create"},
+			},
+		},
+	}
+)
+
+type clientErrs struct {
+	getError    error
+	updateError error
+	createError error
 }
 
-func Test_gatherRoles(t *testing.T) {
-	manager := &manager{
+func setupManager(roleTemplates map[string]*v3.RoleTemplate, clusterRoles map[string]*v1.ClusterRole, roles map[string]*v1.Role, projects map[string]*v3.Project, crErrs, rtErrs, rErrs clientErrs) *manager {
+	return &manager{
 		rtLister: &fakes.RoleTemplateListerMock{
-			GetFunc: roleListerGetFunc,
+			GetFunc: func(namespace string, name string) (*v3.RoleTemplate, error) {
+				if rtErrs.getError != nil {
+					return nil, rtErrs.getError
+				}
+				rt, ok := roleTemplates[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return rt.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v3.RoleTemplate, error) {
+				rts := make([]*v3.RoleTemplate, len(roleTemplates))
+				for i := range roleTemplates {
+					rts = append(rts, roleTemplates[i])
+				}
+				return rts, nil
+			},
 		},
+		crLister: &fakes2.ClusterRoleListerMock{
+			GetFunc: func(namespace string, name string) (*v1.ClusterRole, error) {
+				if crErrs.getError != nil {
+					return nil, crErrs.getError
+				}
+				cr, ok := clusterRoles[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return cr.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v1.ClusterRole, error) {
+				crs := make([]*v1.ClusterRole, len(roleTemplates))
+				for i := range clusterRoles {
+					crs = append(crs, clusterRoles[i])
+				}
+				return crs, nil
+			},
+		},
+		clusterRoles: &fakes2.ClusterRoleInterfaceMock{
+			GetFunc: func(name string, opts metav1.GetOptions) (*v1.ClusterRole, error) {
+				if crErrs.getError != nil {
+					return nil, crErrs.getError
+				}
+				cr, ok := clusterRoles[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return cr.DeepCopy(), nil
+			},
+			UpdateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) {
+				if crErrs.updateError != nil {
+					return nil, crErrs.updateError
+				}
+				_, ok := clusterRoles[cr.Name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name)
+				}
+				clusterRoles[cr.Name] = cr
+				return clusterRoles[cr.Name].DeepCopy(), nil
+			},
+			CreateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) {
+				if crErrs.createError != nil {
+					return nil, crErrs.createError
+				}
+				_, ok := clusterRoles[cr.Name]
+				if ok {
+					return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name)
+				}
+				clusterRoles[cr.Name] = cr
+				return clusterRoles[cr.Name].DeepCopy(), nil
+			},
+		},
+		rLister: &fakes2.RoleListerMock{
+			GetFunc: func(namespace string, name string) (*v1.Role, error) {
+				if rErrs.getError != nil {
+					return nil, rErrs.getError
+				}
+				key := fmt.Sprintf("%s:%s", namespace, name)
+				r, ok := roles[key]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return r.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v1.Role, error) {
+				rs := make([]*v1.Role, len(roles))
+				for i := range roles {
+					rs = append(rs, roles[i])
+				}
+				return rs, nil
+			},
+		},
+		roles: &fakes2.RoleInterfaceMock{
+			UpdateFunc: func(r *v1.Role) (*v1.Role, error) {
+				key := fmt.Sprintf("%s:%s", r.Namespace, r.Name)
+				_, ok := roles[key]
+				if ok {
+					return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), key)
+				}
+				roles[r.Name] = r
+				return roles[r.Name].DeepCopy(), nil
+			},
+			GetNamespacedFunc: func(namespace string, name string, opts metav1.GetOptions) (*v1.Role, error) {
+				key := fmt.Sprintf("%s:%s", namespace, name)
+				r, ok := roles[key]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return r.DeepCopy(), nil
+			},
+		},
+		projectLister: &fakes.ProjectListerMock{
+			ListFunc: func(namespace string, selector labels.Selector) ([]*apimgmtv3.Project, error) {
+				rs := make([]*v3.Project, len(projects))
+				for i := range projects {
+					rs = append(rs, projects[i])
+				}
+				return rs, nil
+			},
+		},
+		clusterName: "testcluster",
 	}
+}
+
+func Test_gatherRoles(t *testing.T) {
+	m := setupManager(recursiveTestRoleTemplates, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+
 	emptyRoleTemplates := make(map[string]*v3.RoleTemplate)
 	type args struct {
 		rt            *v3.RoleTemplate
@@ -44,7 +192,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Non-recursive role, none inherited",
 			args: args{
-				rt:            roles["non-recursive"],
+				rt:            recursiveTestRoleTemplates["non-recursive"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -53,7 +201,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Non-recursive role, inherits another",
 			args: args{
-				rt:            roles["inherit non-recursive"],
+				rt:            recursiveTestRoleTemplates["inherit non-recursive"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -62,7 +210,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Recursive role",
 			args: args{
-				rt:            roles["recursive1"],
+				rt:            recursiveTestRoleTemplates["recursive1"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -72,7 +220,7 @@ func Test_gatherRoles(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := manager.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter)
+			err := m.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter)
 			if tt.wantErr {
 				assert.Error(t, err, "expected an error, received none")
 			} else {
@@ -81,14 +229,3 @@ func Test_gatherRoles(t *testing.T) {
 		})
 	}
 }
-
-func roleListerGetFunc(ns, name string) (*v3.RoleTemplate, error) {
-	role, ok := roles[name]
-	if !ok {
-		return nil, errors.NewNotFound(schema.GroupResource{
-			Group:    v3.RoleTemplateGroupVersionKind.Group,
-			Resource: v3.RoleTemplateGroupVersionResource.Resource,
-		}, name)
-	}
-	return role, nil
-}
  • pkg/controllers/managementuser/rbac/namespace_handler.go+2 2 modified
    @@ -334,7 +334,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err
 			return err
 		}
 
-		roleCli := n.m.workload.RBAC.ClusterRoles("")
+		roleCli := n.m.clusterRoles
 		nsInDesiredRole := false
 		for _, c := range clusterRoles {
 			cr, ok := c.(*rbacv1.ClusterRole)
@@ -442,7 +442,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err
 }
 
 func (m *manager) createProjectNSRole(roleName, verb, ns, projectName string) error {
-	roleCli := m.workload.RBAC.ClusterRoles("")
+	roleCli := m.clusterRoles
 
 	cr := &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
  • pkg/controllers/managementuser/rbac/namespace_handler_test.go+139 31 modified
    @@ -6,11 +6,13 @@ import (
 
 	"github.com/rancher/rancher/pkg/apis/management.cattle.io"
 	apisV3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	"github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
-	"github.com/rancher/rancher/pkg/types/config"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	v1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -177,31 +179,6 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 				},
 				err: test.indexerError,
 			}
-			fakeRBACInterface := &fakeRBAC{
-				clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-					CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-						newRoles = append(newRoles, in)
-						if test.createError != nil {
-							return nil, test.createError
-						}
-						return in, nil
-					},
-					UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-						newRoles = append(newRoles, in)
-						if test.updateError != nil {
-							return nil, test.updateError
-						}
-						return in, nil
-					},
-					DeleteFunc: func(name string, options *metav1.DeleteOptions) error {
-						deletedRoleNames = append(deletedRoleNames, name)
-						if test.deleteError != nil {
-							return test.deleteError
-						}
-						return nil
-					},
-				},
-			}
 			fakeLister := &fakes.ClusterRoleListerMock{
 				GetFunc: func(namespace string, name string) (*rbacv1.ClusterRole, error) {
 					if test.getError != nil {
@@ -218,13 +195,34 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 					}, name)
 				},
 			}
+			fakeClusterRoles := &fakes.ClusterRoleInterfaceMock{
+				CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+					newRoles = append(newRoles, in)
+					if test.createError != nil {
+						return nil, test.createError
+					}
+					return in, nil
+				},
+				UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+					newRoles = append(newRoles, in)
+					if test.updateError != nil {
+						return nil, test.updateError
+					}
+					return in, nil
+				},
+				DeleteFunc: func(name string, options *metav1.DeleteOptions) error {
+					deletedRoleNames = append(deletedRoleNames, name)
+					if test.deleteError != nil {
+						return test.deleteError
+					}
+					return nil
+				},
+			}
 			lifecycle := nsLifecycle{
 				m: &manager{
-					workload: &config.UserContext{
-						RBAC: fakeRBACInterface,
-					},
-					crLister:  fakeLister,
-					crIndexer: &indexer,
+					crLister:     fakeLister,
+					crIndexer:    &indexer,
+					clusterRoles: fakeClusterRoles,
 				},
 			}
 			err := lifecycle.reconcileNamespaceProjectClusterRole(&corev1.Namespace{
@@ -253,6 +251,116 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 
 }
 
+func TestCreateProjectNSRole(t *testing.T) {
+	t.Parallel()
+	crs := make(map[string]*v1.ClusterRole)
+	m := setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+	type testCase struct {
+		description   string
+		verb          string
+		namespace     string
+		projectName   string
+		startingCR    *v1.ClusterRole
+		expectedCR    *v1.ClusterRole
+		isErrExpected bool
+		expectedErr   string
+	}
+	testCases := []testCase{
+		{
+			description: "create get role",
+			verb:        "get",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-readonly",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-readonly",
+					},
+				},
+			},
+		},
+		{
+			description: "create edit role",
+			verb:        "*",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+		},
+		{
+			description: "do not change role if already exists and return AlreadyExists error",
+			verb:        "*",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+			startingCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+			isErrExpected: true,
+			expectedErr:   "roletemplates.management.cattle.io \"p-123xyz-namespaces-edit\" already exists",
+		},
+	}
+	for _, test := range testCases {
+		if test.startingCR != nil {
+			crs[test.startingCR.Name] = test.startingCR
+		}
+		err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, test.projectName, projectNSVerbToSuffix[test.verb]), test.verb, test.namespace, test.projectName)
+		if test.isErrExpected {
+			assert.NotNil(t, err, test.description)
+		} else {
+			assert.Nil(t, err)
+		}
+		assert.Equal(t, test.expectedCR, crs[test.expectedCR.Name], test.description)
+		delete(crs, test.expectedCR.Name)
+	}
+
+	m = setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{createError: errors.NewInternalError(fmt.Errorf("some error"))}, clientErrs{}, clientErrs{})
+	description := "test should return non-AlreadyExists error"
+	err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, "p-123xyz", "edit"), "*", "", "p-123xyz")
+	assert.NotNil(t, err, description)
+	assert.Equal(t, "Internal error occurred: some error", err.Error(), description)
+}
+
 func createClusterRoleForProject(projectName string, namespace string, verb string) *rbacv1.ClusterRole {
 	cr := createBaseClusterRoleForProject(projectName, verb)
 	return addNamespaceToClusterRole(namespace, verb, cr)
  • pkg/controllers/managementuser/rbac/project_handler_test.go+14 25 modified
    @@ -7,7 +7,6 @@ import (
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	v1 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1"
 	"github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
-	"github.com/rancher/rancher/pkg/types/config"
 	"github.com/stretchr/testify/assert"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
@@ -103,17 +102,13 @@ func TestCreate(t *testing.T) {
 							}, name)
 						},
 					},
-					workload: &config.UserContext{
-						RBAC: &fakeRBAC{
-							clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-								CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-									newCRs = append(newCRs, in)
-									if test.createErr != nil {
-										return nil, test.createErr
-									}
-									return in, nil
-								},
-							},
+					clusterRoles: &fakes.ClusterRoleInterfaceMock{
+						CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+							newCRs = append(newCRs, in)
+							if test.createErr != nil {
+								return nil, test.createErr
+							}
+							return in, nil
 						},
 					},
 				},
@@ -288,6 +283,13 @@ func TestUpdated(t *testing.T) {
 						},
 					},
 					clusterRoles: &fakes.ClusterRoleInterfaceMock{
+						CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+							newCRs = append(newCRs, in)
+							if test.createError != nil {
+								return nil, test.createError
+							}
+							return in, nil
+						},
 						UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
 							newCRs = append(newCRs, in)
 							if test.updError != nil {
@@ -296,19 +298,6 @@ func TestUpdated(t *testing.T) {
 							return in, nil
 						},
 					},
-					workload: &config.UserContext{
-						RBAC: &fakeRBAC{
-							clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-								CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-									newCRs = append(newCRs, in)
-									if test.createError != nil {
-										return nil, test.createError
-									}
-									return in, nil
-								},
-							},
-						},
-					},
 				},
 			}
 			_, err := lifecycle.Updated(project)
  • pkg/controllers/managementuser/rbac/prtb_handler.go+15 2 modified
    @@ -3,6 +3,7 @@ package rbac
 import (
 	"reflect"
 	"sort"
+	"strings"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/pkg/errors"
@@ -161,7 +162,11 @@ func (p *prtbLifecycle) ensurePRTBDelete(binding *v3.ProjectRoleTemplateBinding)
 }
 
 func (p *prtbLifecycle) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) error {
-	_, err := p.m.reconcileProjectAccessToGlobalResources(binding, rts)
+	roles, err := p.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(binding.ProjectName), rts)
+	if err != nil {
+		return err
+	}
+	_, err = p.m.reconcileProjectAccessToGlobalResources(binding, roles)
 	if err != nil {
 		return err
 	}
@@ -277,7 +282,7 @@ func (m *manager) checkForGlobalResourceRules(role *v3.RoleTemplate, resource st
 
 // Ensure the clusterRole used to grant access of global resources to users/groups in projects has appropriate rules for the given resource and verbs
 func (m *manager) reconcileRoleForProjectAccessToGlobalResource(resource string, rt *v3.RoleTemplate, newVerbs map[string]bool, baseRule rbacv1.PolicyRule) (string, error) {
-	clusterRoles := m.workload.RBAC.ClusterRoles("")
+	clusterRoles := m.clusterRoles
 	roleName := rt.Name + "-promoted"
 	if role, err := m.crLister.Get("", roleName); err == nil && role != nil {
 		currentVerbs := map[string]bool{}
@@ -465,3 +470,11 @@ func (p *prtbLifecycle) reconcilePRTBUserClusterLabels(binding *v3.ProjectRoleTe
 	})
 	return retryErr
 }
+
+func parseProjectName(id string) string {
+	parts := strings.SplitN(id, ":", 2)
+	if len(parts) != 2 || len(parts[1]) == 0 {
+		return ""
+	}
+	return parts[1]
+}
  • pkg/controllers/managementuser/rbac/reconcile_roletemplate.go+60 57 modified
    @@ -2,7 +2,6 @@ package rbac
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/rancher/norman/types/slice"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
@@ -13,68 +12,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) (map[string]bool, error) {
-	var role string
-	var createNSPerms bool
-	var roles []string
-	if parts := strings.SplitN(binding.ProjectName, ":", 2); len(parts) == 2 && len(parts[1]) > 0 {
-		projectName := parts[1]
-		var roleVerb, roleSuffix string
-		for _, r := range rts {
-			for _, rule := range r.Rules {
-				if slice.ContainsString(rule.Resources, "namespaces") && len(rule.ResourceNames) == 0 {
-					if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") {
-						roleVerb = "*"
-						createNSPerms = true
-						break
-					}
-				}
-
-			}
-		}
-		if roleVerb == "" {
-			roleVerb = "get"
-		}
-		roleSuffix = projectNSVerbToSuffix[roleVerb]
-		role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix)
-		roles = append(roles, role)
-
-		for _, rt := range rts {
-			for resource, baseRule := range globalResourceRulesNeededInProjects {
-				verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule)
-				if err != nil {
-					return nil, err
-				}
-				if len(verbs) > 0 {
-					roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule)
-					if err != nil {
-						return nil, err
-					}
-					roles = append(roles, roleName)
-				}
-			}
-		}
-	}
-
+func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, roles []string) (map[string]bool, error) {
 	if len(roles) == 0 {
 		return nil, nil
 	}
 
 	bindingCli := m.workload.RBAC.ClusterRoleBindings("")
 
-	if createNSPerms {
-		roles = append(roles, "create-ns")
-		if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil {
-			createNSRT, err := m.rtLister.Get("", "create-ns")
-			if err != nil {
-				return nil, err
-			}
-			if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) {
-				return nil, err
-			}
-		}
-	}
-
 	rtbUID := pkgrbac.GetRTBLabel(binding.ObjectMeta)
 	subject, err := pkgrbac.BuildSubjectFromRTB(binding)
 	if err != nil {
@@ -147,3 +91,62 @@ func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRol
 
 	return crbsToKeep, nil
 }
+
+// EnsureGlobalResourcesRolesForPRTB ensures that all necessary roles exist and contain the rules needed to
+// enforce permissions described by RoleTemplate rules. A slice of strings indicating role names is returned.
+func (m *manager) ensureGlobalResourcesRolesForPRTB(projectName string, rts map[string]*v3.RoleTemplate) ([]string, error) {
+	var role string
+	var roles []string
+
+	if projectName == "" {
+		return nil, nil
+	}
+
+	var roleVerb, roleSuffix string
+	for _, r := range rts {
+		for _, rule := range r.Rules {
+			hasNamespaceResources := slice.ContainsString(rule.Resources, "namespaces") || slice.ContainsString(rule.Resources, "*")
+			hasNamespaceGroup := slice.ContainsString(rule.APIGroups, "") || slice.ContainsString(rule.APIGroups, "*")
+			if hasNamespaceGroup && hasNamespaceResources && len(rule.ResourceNames) == 0 {
+				if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") {
+					roleVerb = "*"
+					roles = append(roles, "create-ns")
+					if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil {
+						createNSRT, err := m.rtLister.Get("", "create-ns")
+						if err != nil {
+							return nil, err
+						}
+						if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) {
+							return nil, err
+						}
+					}
+					break
+				}
+			}
+
+		}
+	}
+	if roleVerb == "" {
+		roleVerb = "get"
+	}
+	roleSuffix = projectNSVerbToSuffix[roleVerb]
+	role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix)
+	roles = append(roles, role)
+
+	for _, rt := range rts {
+		for resource, baseRule := range globalResourceRulesNeededInProjects {
+			verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule)
+			if err != nil {
+				return nil, err
+			}
+			if len(verbs) > 0 {
+				roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule)
+				if err != nil {
+					return nil, err
+				}
+				roles = append(roles, roleName)
+			}
+		}
+	}
+	return roles, nil
+}
  • pkg/controllers/managementuser/rbac/reconcile_roletemplate_test.go+255 0 added
    @@ -0,0 +1,255 @@
+package rbac
+
+import (
+	"testing"
+
+	"github.com/pkg/errors"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+
+	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestEnsureGlobalResourcesRolesForPRTB(t *testing.T) {
+	t.Parallel()
+	m := setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+	type testCase struct {
+		description   string
+		projectName   string
+		roleTemplates map[string]*v3.RoleTemplate
+		expectedRoles []string
+		isErrExpected bool
+	}
+	testCases := []testCase{
+		{
+			description:   "global resource rule should grant namespace read",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt1": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt1",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{""},
+							Resources: []string{"configmaps"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace create rule should grant create-ns and a namespaces-edit role",
+			projectName:   "testproject",
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt2": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt2",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"create"},
+							APIGroups: []string{""},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace create rule for other API group should grant namespaces-read role only",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt3": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt3",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"create"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace * rule for other API group should grant namespaces-read role only",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt4": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt4",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "global resource rule result in promoted role returned",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly", "testrt5-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt5": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt5",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"catalog.cattle.io"},
+							Resources: []string{"clusterrepos"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "empty project name will result in no roles returned",
+			projectName:   "",
+			expectedRoles: nil,
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt6": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt6",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"catalog.cattle.io"},
+							Resources: []string{"clusterrepos"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "* resources and non-core APIGroup should only result in namespace-readonly role",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt7": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt7",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "* resources and * APIGroup should only result in namespace-readonly and promoted role",
+			projectName: "testproject",
+			// at the time of adding these tests ensureGlobalResourceRoleForPRTB returns duplicate promoted roles
+			// names per applicable rule found in globalResourceRulesNeededInProjects. This is not incompatible with
+			// current reconcile logic but should be fixed in the future.
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt8": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt8",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"*"},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "* resources and core (\"\") APIGroup should only result in namespace-readonly and promoted role",
+			projectName:   "testproject",
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt9-promoted", "testrt9-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt9": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt9",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{""},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.description, func(t *testing.T) {
+			t.Parallel()
+			roles, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+			assert.Nil(t, err)
+			assert.Equal(t, test.expectedRoles, roles, test.description)
+		})
+	}
+
+	test := testCase{
+		projectName:   "testproject",
+		expectedRoles: []string{"create-ns", "testproject-namespaces-edit"},
+		roleTemplates: map[string]*v3.RoleTemplate{
+			"testrt": {
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "testrt",
+				},
+				Rules: []v1.PolicyRule{
+					{
+						Verbs:     []string{"create"},
+						APIGroups: []string{""},
+						Resources: []string{"namespaces"},
+					},
+				},
+			},
+		},
+	}
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{getError: errNotFound}, clientErrs{})
+	test1 := test
+	test1.description = "error return when RoleTemplate client returns error"
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{createError: errAlreadyExist})
+	test2 := test
+	test2.description = "error return when Role client returns error"
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{getError: apierrors.NewInternalError(errors.New("error"))}, clientErrs{}, clientErrs{})
+	test3 := test
+	test3.description = "error return when ClusterRole client returns error and RoleTemplate is external"
+	test3.roleTemplates["testrt"].External = true
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+}
  • pkg/controllers/managementuser/rbac/roletemplate_handler.go+10 6 modified
    @@ -68,18 +68,18 @@ func (c *rtSync) sync(key string, obj *v3.RoleTemplate) (runtime.Object, error)
 }
 
 func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []interface{}, crtbs []interface{}) error {
-	roles := map[string]*v3.RoleTemplate{}
-	if err := c.m.gatherRoles(template, roles, 0); err != nil {
+	roleTemplates := map[string]*v3.RoleTemplate{}
+	if err := c.m.gatherRoles(template, roleTemplates, 0); err != nil {
 		return err
 	}
 
-	if err := c.m.ensureRoles(roles); err != nil {
+	if err := c.m.ensureRoles(roleTemplates); err != nil {
 		return errors.Wrapf(err, "couldn't ensure roles")
 	}
 
 	rolesToKeep := make(map[string]bool)
 	if usedInProjects {
-		for _, rt := range roles {
+		for _, rt := range roleTemplates {
 			for resource, baseRule := range globalResourceRulesNeededInProjects {
 				verbs, err := c.m.checkForGlobalResourceRules(rt, resource, baseRule)
 				if err != nil {
@@ -102,6 +102,10 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 			continue
 		}
 
+		roles, err := c.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(prtb.ProjectName), roleTemplates)
+		if err != nil {
+			return err
+		}
 		crbsToKeep, err := c.m.reconcileProjectAccessToGlobalResources(prtb, roles)
 		if err != nil {
 			return err
@@ -131,7 +135,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 			if !ns.DeletionTimestamp.IsZero() {
 				continue
 			}
-			if err := c.m.ensureProjectRoleBindings(ns.Name, roles, prtb); err != nil {
+			if err := c.m.ensureProjectRoleBindings(ns.Name, roleTemplates, prtb); err != nil {
 				return errors.Wrapf(err, "couldn't ensure binding %v in %v", prtb.Name, ns.Name)
 			}
 		}
@@ -142,7 +146,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 		if !ok {
 			continue
 		}
-		if err := c.m.ensureClusterBindings(roles, crtb); err != nil {
+		if err := c.m.ensureClusterBindings(roleTemplates, crtb); err != nil {
 			return err
 		}
 	}
  • pkg/generated/clientset/versioned/clientset.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/fake/clientset_generated.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/fake/register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/scheme/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/scheme/register.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/catalog.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/clusterrepo.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_catalog.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_clusterrepo.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/fake/fake_operation.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/catalog.cattle.io/v1/operation.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/fake/fake_cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/fake/fake_provisioning.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/provisioning.cattle.io/v1/provisioning.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/custommachine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/etcdsnapshot.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_custommachine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_etcdsnapshot.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkebootstrap.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkebootstraptemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rke.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkecluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/fake/fake_rkecontrolplane.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkebootstrap.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkebootstraptemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rke.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkecluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/rke.cattle.io/v1/rkecontrolplane.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/fake/doc.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/fake/fake_plan.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/fake/fake_upgrade.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/generated_expansion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/plan.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/clientset/versioned/typed/upgrade.cattle.io/v1/upgrade.cattle.io_client.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/clusterrepo.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/catalog.cattle.io/v1/operation.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/v3/clusterauthtoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/v3/clusteruserattribute.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.cattle.io/v3/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/machinedeployment.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/machine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/cluster.x-k8s.io/v1beta1/machineset.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/v1alpha1/bundle.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/v1alpha1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/v1alpha1/clustergroup.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/fleet.cattle.io/v1alpha1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/activedirectoryprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/apiservice.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/authconfig.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/authprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/authtoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/azureadprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/catalog.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/catalogtemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/catalogtemplateversion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/cloudcredential.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusteralert.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusteralertgroup.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusteralertrule.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustercatalog.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusterlogging.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustermonitorgraph.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusterregistrationtoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clusterroletemplatebinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustertemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/clustertemplaterevision.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/composeconfig.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/dynamicschema.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/etcdbackup.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/feature.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/fleetworkspace.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/freeipaprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/githubprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globaldns.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globaldnsprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globalrolebinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/globalrole.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/googleoauthprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/group.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/groupmember.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/kontainerdriver.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/localprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/managedchart.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/monitormetric.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/multiclusterapp.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/multiclusterapprevision.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/nodedriver.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/node.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/nodepool.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/nodetemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/notifier.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/oidcprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/openldapprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/podsecurityadmissionconfigurationtemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/podsecuritypolicytemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/podsecuritypolicytemplateprojectbinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/preference.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/principal.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectalert.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectalertgroup.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectalertrule.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectcatalog.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/project.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectlogging.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectmonitorgraph.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectnetworkpolicy.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/projectroletemplatebinding.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rancherusernotification.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rkeaddon.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rkek8sserviceoption.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/rkek8ssystemimage.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/roletemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/samlprovider.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/samltoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/setting.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/templatecontent.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/template.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/templateversion.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/token.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/userattribute.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/management.cattle.io/v3/user.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/app.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/apprevision.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/basicauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/certificate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/dockercredential.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedbasicauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedcertificate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespaceddockercredential.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedserviceaccounttoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/namespacedsshauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/serviceaccounttoken.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/sshauth.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/project.cattle.io/v3/workload.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/v1/cluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/provisioning.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/custommachine.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/etcdsnapshot.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkebootstrap.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkebootstraptemplate.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkecluster.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/rke.cattle.io/v1/rkecontrolplane.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/ui.cattle.io/v1/navlink.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/factory.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/v1/interface.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/generated/controllers/upgrade.cattle.io/v1/plan.go+1 1 modified
    @@ -1,5 +1,5 @@
 /*
-Copyright 2023 Rancher Labs, Inc.
+Copyright 2024 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
  • pkg/settings/setting.go+1 1 modified
    @@ -109,7 +109,7 @@ var (
 	WhitelistDomain                     = NewSetting("whitelist-domain", "forums.rancher.com")
 	WhitelistEnvironmentVars            = NewSetting("whitelist-envvars", "HTTP_PROXY,HTTPS_PROXY,NO_PROXY")
 	AuthUserInfoResyncCron              = NewSetting("auth-user-info-resync-cron", "0 0 * * *")
-	APIUIVersion                        = NewSetting("api-ui-version", "1.1.10")              // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here.
+	APIUIVersion                        = NewSetting("api-ui-version", "1.1.11")              // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here.
 	RotateCertsIfExpiringInDays         = NewSetting("rotate-certs-if-expiring-in-days", "7") // 7 days
 	ClusterTemplateEnforcement          = NewSetting("cluster-template-enforcement", "false")
 	InitialDockerRootDir                = NewSetting("initial-docker-root-dir", "/var/lib/docker")
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_aci_network_provider.go+12 8 modified
    @@ -3,18 +3,15 @@ package client
 const (
 	AciNetworkProviderType                                      = "aciNetworkProvider"
 	AciNetworkProviderFieldAEP                                  = "aep"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryLimit      = "accProvisionOperatorMemoryLimit"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryRequest    = "accProvisionOperatorMemoryRequest"
 	AciNetworkProviderFieldAciContainersControllerMemoryLimit   = "aciContainersControllerMemoryLimit"
 	AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest"
 	AciNetworkProviderFieldAciContainersHostMemoryLimit         = "aciContainersHostMemoryLimit"
 	AciNetworkProviderFieldAciContainersHostMemoryRequest       = "aciContainersHostMemoryRequest"
 	AciNetworkProviderFieldAciContainersMemoryLimit             = "aciContainersMemoryLimit"
 	AciNetworkProviderFieldAciContainersMemoryRequest           = "aciContainersMemoryRequest"
-	AciNetworkProviderFieldAciContainersOperatorMemoryLimit     = "aciContainersOperatorMemoryLimit"
-	AciNetworkProviderFieldAciContainersOperatorMemoryRequest   = "aciContainersOperatorMemoryRequest"
 	AciNetworkProviderFieldAciMultipod                          = "aciMultipod"
 	AciNetworkProviderFieldAciMultipodUbuntu                    = "aciMultipodUbuntu"
+	AciNetworkProviderFieldAddExternalContractToDefaultEpg      = "addExternalContractToDefaultEpg"
 	AciNetworkProviderFieldAddExternalSubnetsToRdconfig         = "addExternalSubnetsToRdconfig"
 	AciNetworkProviderFieldApicHosts                            = "apicHosts"
 	AciNetworkProviderFieldApicRefreshTickerAdjust              = "apicRefreshTickerAdjust"
@@ -33,6 +30,7 @@ const (
 	AciNetworkProviderFieldDurationWaitForNetwork               = "durationWaitForNetwork"
 	AciNetworkProviderFieldDynamicExternalSubnet                = "externDynamic"
 	AciNetworkProviderFieldEnableEndpointSlice                  = "enableEndpointSlice"
+	AciNetworkProviderFieldEnableOpflexAgentReconnect           = "enableOpflexAgentReconnect"
 	AciNetworkProviderFieldEncapType                            = "encapType"
 	AciNetworkProviderFieldEpRegistry                           = "epRegistry"
 	AciNetworkProviderFieldGbpPodSubnet                         = "gbpPodSubnet"
@@ -59,6 +57,7 @@ const (
 	AciNetworkProviderFieldNoPriorityClass                      = "noPriorityClass"
 	AciNetworkProviderFieldNoWaitForServiceEpReadiness          = "noWaitForServiceEpReadiness"
 	AciNetworkProviderFieldNodePodIfEnable                      = "nodePodIfEnable"
+	AciNetworkProviderFieldNodeSnatRedirectExclude              = "nodeSnatRedirectExclude"
 	AciNetworkProviderFieldNodeSubnet                           = "nodeSubnet"
 	AciNetworkProviderFieldOVSMemoryLimit                       = "ovsMemoryLimit"
 	AciNetworkProviderFieldOVSMemoryRequest                     = "ovsMemoryRequest"
@@ -68,10 +67,12 @@ const (
 	AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled    = "opflexAgentOpflexAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled       = "opflexAgentOvsAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer     = "opflexAgentPolicyRetryDelayTimer"
+	AciNetworkProviderFieldOpflexAgentStatistics                = "opflexAgentStatistics"
 	AciNetworkProviderFieldOpflexClientSSL                      = "opflexClientSsl"
 	AciNetworkProviderFieldOpflexDeviceDeleteTimeout            = "opflexDeviceDeleteTimeout"
 	AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout     = "opflexDeviceReconnectWaitTimeout"
 	AciNetworkProviderFieldOpflexMode                           = "opflexMode"
+	AciNetworkProviderFieldOpflexOpensslCompat                  = "opflexOpensslCompat"
 	AciNetworkProviderFieldOpflexServerPort                     = "opflexServerPort"
 	AciNetworkProviderFieldOverlayVRFName                       = "overlayVrfName"
 	AciNetworkProviderFieldPBRTrackingNonSnat                   = "pbrTrackingNonSnat"
@@ -95,6 +96,7 @@ const (
 	AciNetworkProviderFieldSystemIdentifier                     = "systemId"
 	AciNetworkProviderFieldTenant                               = "tenant"
 	AciNetworkProviderFieldToken                                = "token"
+	AciNetworkProviderFieldTolerationSeconds                    = "tolerationSeconds"
 	AciNetworkProviderFieldUseAciAnywhereCRD                    = "useAciAnywhereCrd"
 	AciNetworkProviderFieldUseAciCniPriorityClass               = "useAciCniPriorityClass"
 	AciNetworkProviderFieldUseClusterRole                       = "useClusterRole"
@@ -110,18 +112,15 @@ const (
 
 type AciNetworkProvider struct {
 	AEP                                  string              `json:"aep,omitempty" yaml:"aep,omitempty"`
-	AccProvisionOperatorMemoryLimit      string              `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"`
-	AccProvisionOperatorMemoryRequest    string              `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"`
 	AciContainersControllerMemoryLimit   string              `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"`
 	AciContainersControllerMemoryRequest string              `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"`
 	AciContainersHostMemoryLimit         string              `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"`
 	AciContainersHostMemoryRequest       string              `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"`
 	AciContainersMemoryLimit             string              `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"`
 	AciContainersMemoryRequest           string              `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"`
-	AciContainersOperatorMemoryLimit     string              `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"`
-	AciContainersOperatorMemoryRequest   string              `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"`
 	AciMultipod                          string              `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"`
 	AciMultipodUbuntu                    string              `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"`
+	AddExternalContractToDefaultEpg      string              `json:"addExternalContractToDefaultEpg,omitempty" yaml:"addExternalContractToDefaultEpg,omitempty"`
 	AddExternalSubnetsToRdconfig         string              `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"`
 	ApicHosts                            []string            `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
 	ApicRefreshTickerAdjust              string              `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
@@ -140,6 +139,7 @@ type AciNetworkProvider struct {
 	DurationWaitForNetwork               string              `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
 	DynamicExternalSubnet                string              `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
 	EnableEndpointSlice                  string              `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
+	EnableOpflexAgentReconnect           string              `json:"enableOpflexAgentReconnect,omitempty" yaml:"enableOpflexAgentReconnect,omitempty"`
 	EncapType                            string              `json:"encapType,omitempty" yaml:"encapType,omitempty"`
 	EpRegistry                           string              `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
 	GbpPodSubnet                         string              `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
@@ -166,6 +166,7 @@ type AciNetworkProvider struct {
 	NoPriorityClass                      string              `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
 	NoWaitForServiceEpReadiness          string              `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"`
 	NodePodIfEnable                      string              `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
+	NodeSnatRedirectExclude              []map[string]string `json:"nodeSnatRedirectExclude,omitempty" yaml:"nodeSnatRedirectExclude,omitempty"`
 	NodeSubnet                           string              `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
 	OVSMemoryLimit                       string              `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
 	OVSMemoryRequest                     string              `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"`
@@ -175,10 +176,12 @@ type AciNetworkProvider struct {
 	OpflexAgentOpflexAsyncjsonEnabled    string              `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"`
 	OpflexAgentOvsAsyncjsonEnabled       string              `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"`
 	OpflexAgentPolicyRetryDelayTimer     string              `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"`
+	OpflexAgentStatistics                string              `json:"opflexAgentStatistics,omitempty" yaml:"opflexAgentStatistics,omitempty"`
 	OpflexClientSSL                      string              `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
 	OpflexDeviceDeleteTimeout            string              `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
 	OpflexDeviceReconnectWaitTimeout     string              `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"`
 	OpflexMode                           string              `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
+	OpflexOpensslCompat                  string              `json:"opflexOpensslCompat,omitempty" yaml:"opflexOpensslCompat,omitempty"`
 	OpflexServerPort                     string              `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
 	OverlayVRFName                       string              `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
 	PBRTrackingNonSnat                   string              `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
@@ -202,6 +205,7 @@ type AciNetworkProvider struct {
 	SystemIdentifier                     string              `json:"systemId,omitempty" yaml:"systemId,omitempty"`
 	Tenant                               string              `json:"tenant,omitempty" yaml:"tenant,omitempty"`
 	Token                                string              `json:"token,omitempty" yaml:"token,omitempty"`
+	TolerationSeconds                    string              `json:"tolerationSeconds,omitempty" yaml:"tolerationSeconds,omitempty"`
 	UseAciAnywhereCRD                    string              `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
 	UseAciCniPriorityClass               string              `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
 	UseClusterRole                       string              `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
  • tests/v2/codecoverage/package/Dockerfile+1 1 modified
    @@ -171,7 +171,7 @@ ENV CATTLE_CLI_VERSION v2.7.7
 ENV CATTLE_BASE_UI_BRAND=
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.10
+ENV CATTLE_API_UI_VERSION 1.1.11
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log
2f7113dc32d4

[2.8] Fixes (#44334)

https://github.com/rancher/rancherPeter MatseykanetsFeb 5, 2024via ghsa
commit
21 files changed · +741 199
  • go.mod+6 4 modified
    @@ -14,6 +14,8 @@ replace (
 	github.com/matryer/moq => github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77
 	github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.1.0-rc2 // needed for containers/image/v5
 
+	github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.12
+
 	github.com/rancher/rancher/pkg/apis => ./pkg/apis
 	github.com/rancher/rancher/pkg/client => ./pkg/client
 
@@ -109,7 +111,7 @@ require (
 	github.com/prometheus/client_model v0.4.0
 	github.com/prometheus/common v0.44.0
 	github.com/rancher/aks-operator v1.2.0
-	github.com/rancher/apiserver v0.0.0-20230831052300-120e615b17ba
+	github.com/rancher/apiserver v0.0.0-20240205154815-a3b9e3721c1b
 	github.com/rancher/channelserver v0.5.1-0.20230719220800-0a37b73c7df8
 	github.com/rancher/dynamiclistener v0.3.6
 	github.com/rancher/eks-operator v1.3.0
@@ -118,10 +120,10 @@ require (
 	github.com/rancher/kubernetes-provider-detector v0.1.5
 	github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29
 	github.com/rancher/machine v0.15.0-rancher106
-	github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d
+	github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608
 	github.com/rancher/rancher/pkg/client v0.0.0
 	github.com/rancher/remotedialer v0.3.0
-	github.com/rancher/rke v1.5.2
+	github.com/rancher/rke v1.5.3
 	github.com/rancher/steve v0.0.0-20231016202603-993540401906
 	github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007
 	github.com/rancher/wrangler v1.1.1
@@ -269,7 +271,7 @@ require (
 	github.com/containerd/containerd v1.7.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/cli v23.0.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
  • go.sum+10 10 modified
    @@ -249,8 +249,8 @@ github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
-github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
-github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -918,8 +918,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034=
 github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/opencontainers/runc v1.1.9 h1:XR0VIHTGce5eWPkaPesqTBrhW2yAcaraWfsEalNwQLM=
-github.com/opencontainers/runc v1.1.9/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
+github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
+github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
 github.com/opencontainers/runtime-spec v1.1.0-rc.1 h1:wHa9jroFfKGQqFHj0I1fMRKLl0pfj+ynAqBxo3v6u9w=
 github.com/opencontainers/runtime-spec v1.1.0-rc.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
@@ -1003,8 +1003,8 @@ github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPH
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rancher/aks-operator v1.2.0 h1:cNB84j23Ng7GUkqIt8I1TUfkpPdA5SQ2uyosPNJM5G4=
 github.com/rancher/aks-operator v1.2.0/go.mod h1:CIU0AgI4DHYKEG3P3tHyEM/5QEud7upDOiYL6j5D/qE=
-github.com/rancher/apiserver v0.0.0-20230831052300-120e615b17ba h1:ceAHvddZkuNbUTuMgqxYAcUSQ/+YtJQO9Z1PHjmQZBY=
-github.com/rancher/apiserver v0.0.0-20230831052300-120e615b17ba/go.mod h1:1m5KKYXq6iMZFQ5kiC9rBgVLfGRNR8E+lp88f5tEAsI=
+github.com/rancher/apiserver v0.0.0-20240205154815-a3b9e3721c1b h1:dEKz4mxmTA9fGGRTPyhFHCOZV+Ap2s6I9l8mrLz+w5M=
+github.com/rancher/apiserver v0.0.0-20240205154815-a3b9e3721c1b/go.mod h1:1m5KKYXq6iMZFQ5kiC9rBgVLfGRNR8E+lp88f5tEAsI=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863 h1:7cVEMgwyiVhLyu/Ywuw58mkkh9cWpFE3+X8IrWncBxU=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863/go.mod h1:6dId2LCc8oHqeBzP6E8ndp4DflhKTxYLb5ZXwI4YmFA=
 github.com/rancher/channelserver v0.5.1-0.20230719220800-0a37b73c7df8 h1:Dyg8vyYMBIImru9mo8EF40yRgNgGQQOpC/aA2vZ/SXY=
@@ -1029,12 +1029,12 @@ github.com/rancher/machine v0.15.0-rancher106 h1:X7i+sqkvFilwTw0KQK4oiC813xm8UbL
 github.com/rancher/machine v0.15.0-rancher106/go.mod h1:nDJPIUiUO1a+HZ2lxpX95Djo7hJminwW6icga9FRc+w=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77 h1:k+vzmkZQsH06rZnDr+phskSixG9ByNj9gVdzHcc8nxw=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77/go.mod h1:wpITyDPTi/Na5h73XkbuEf2AP9fbgrIGqqxVzFhYD6U=
-github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d h1:Ft/iTH91TlE2oBGmpkdO4I8o8cvUmCnytdwu52a/tN4=
-github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d/go.mod h1:Sm2Xqai+aecgmJ86ygyEe+TdPMLkauEpykSstBAu4Ko=
+github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608 h1:azL/n2grvuyGqmDvnpgRoH6mmpgodiGwjv1uZwiO7HE=
+github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608/go.mod h1:Sm2Xqai+aecgmJ86ygyEe+TdPMLkauEpykSstBAu4Ko=
 github.com/rancher/remotedialer v0.3.0 h1:y1EO8JCsgZo0RcqTUp6U8FXcBAv27R+TLnWRcpvX1sM=
 github.com/rancher/remotedialer v0.3.0/go.mod h1:BwwztuvViX2JrLLUwDlsYt5DiyUwHLlzynRwkZLAY0Q=
-github.com/rancher/rke v1.5.2 h1:e//fEtK2QIZ8Ok3d8oOrCPSQ2hVfJH46P46cvbfuS8U=
-github.com/rancher/rke v1.5.2/go.mod h1:wZaVWzW46OTuGvyxgRHXGUyJ/QP0zOkKESO9hBOwTaY=
+github.com/rancher/rke v1.5.3 h1:7mGn+NIL7KXk99NwWYBgoByh2+IfVCdws5ad3X/JIZY=
+github.com/rancher/rke v1.5.3/go.mod h1:wZaVWzW46OTuGvyxgRHXGUyJ/QP0zOkKESO9hBOwTaY=
 github.com/rancher/steve v0.0.0-20231016202603-993540401906 h1:gToXZxM/5S5lze/vCpQs50PJ33QTGCOaJHzjYh6y1RE=
 github.com/rancher/steve v0.0.0-20231016202603-993540401906/go.mod h1:IAeZiWgZLSGGlYOUa3qj/G6i1eKl2LFuZ/DKb9mIrzw=
 github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007 h1:ru+mqGnxMmKeU0Q3XIDxkARvInDIqT1hH2amTcsjxI4=
  • package/Dockerfile+1 1 modified
    @@ -178,7 +178,7 @@ ENV CATTLE_CLI_VERSION v2.8.0
 ENV CATTLE_BASE_UI_BRAND=
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.10
+ENV CATTLE_API_UI_VERSION 1.1.11
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log
  • pkg/apis/go.mod+2 2 modified
    @@ -33,8 +33,8 @@ require (
 	github.com/rancher/eks-operator v1.3.0
 	github.com/rancher/fleet/pkg/apis v0.0.0-20231017140638-93432f288e79
 	github.com/rancher/gke-operator v1.2.0
-	github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d
-	github.com/rancher/rke v1.5.2
+	github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608
+	github.com/rancher/rke v1.5.3
 	github.com/rancher/wrangler v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	k8s.io/api v0.27.6
  • pkg/apis/go.sum+4 4 modified
    @@ -523,10 +523,10 @@ github.com/rancher/gke-operator v1.2.0 h1:Byd7IYDlg8T6Dk+bqj8QOXOWnTH5+s9pRairBC
 github.com/rancher/gke-operator v1.2.0/go.mod h1:R6zrDS1ihOe+ai6cqDOT8JOcod7u4gHWdc1hToT6HP4=
 github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29 h1:+kige/h8/LnzWgPjB5NUIHz/pWiW/lFpqcTUkN5uulY=
 github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29/go.mod h1:kgk9kJVMj9FIrrXU0iyM6u/9Je4bEjPImqswkTVaKsQ=
-github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d h1:Ft/iTH91TlE2oBGmpkdO4I8o8cvUmCnytdwu52a/tN4=
-github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d/go.mod h1:Sm2Xqai+aecgmJ86ygyEe+TdPMLkauEpykSstBAu4Ko=
-github.com/rancher/rke v1.5.2 h1:e//fEtK2QIZ8Ok3d8oOrCPSQ2hVfJH46P46cvbfuS8U=
-github.com/rancher/rke v1.5.2/go.mod h1:wZaVWzW46OTuGvyxgRHXGUyJ/QP0zOkKESO9hBOwTaY=
+github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608 h1:azL/n2grvuyGqmDvnpgRoH6mmpgodiGwjv1uZwiO7HE=
+github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608/go.mod h1:Sm2Xqai+aecgmJ86ygyEe+TdPMLkauEpykSstBAu4Ko=
+github.com/rancher/rke v1.5.3 h1:7mGn+NIL7KXk99NwWYBgoByh2+IfVCdws5ad3X/JIZY=
+github.com/rancher/rke v1.5.3/go.mod h1:wZaVWzW46OTuGvyxgRHXGUyJ/QP0zOkKESO9hBOwTaY=
 github.com/rancher/wrangler v1.1.1-0.20230831050635-df1bd5aae9df h1:WJ+aaUICHPX8HeLmHE9JL/RFHhilMfcJlqmhgpc7gJU=
 github.com/rancher/wrangler v1.1.1-0.20230831050635-df1bd5aae9df/go.mod h1:4T80p+rLh2OLbjCjdExIjRHKNBgK9NUAd7eIU/gRPKk=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
  • pkg/auth/audit/audit.go+5 3 modified
    @@ -20,6 +20,7 @@ import (
 	"github.com/sirupsen/logrus"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/utils/strings/slices"
 )
 
 const (
@@ -50,8 +51,9 @@ var (
 		http.MethodPut:  true,
 		http.MethodPost: true,
 	}
-	sensitiveRequestHeader  = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token"}
-	sensitiveResponseHeader = []string{"Cookie", "Set-Cookie"}
+	sensitiveRequestHeader  = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token", "X-Api-Auth-Header", "X-Amz-Security-Token"}
+	sensitiveResponseHeader = []string{"Cookie", "Set-Cookie", "X-Api-Set-Cookie-Header"}
+	sensitiveBodyFields     = []string{"credentials", "applicationSecret", "oauthCredential", "serviceAccountCredential", "spKey", "spCert", "certificate", "privateKey"}
 	// ErrUnsupportedEncoding is returned when the response encoding is unsupported
 	ErrUnsupportedEncoding = fmt.Errorf("unsupported encoding")
 	secretBaseType         = regexp.MustCompile(".\"baseType\":\"([A-Za-z]*[S|s]ecret)\".")
@@ -394,7 +396,7 @@ func (a *auditLog) redactMap(m map[string]interface{}) bool {
 	for key := range m {
 		switch val := m[key].(type) {
 		case string:
-			if a.keysToRedactRegex.MatchString(key) {
+			if a.keysToRedactRegex.MatchString(key) || slices.Contains(sensitiveBodyFields, key) {
 				changed = true
 				m[key] = redacted
 			}
  • pkg/auth/audit/audit_test.go+22 0 modified
    @@ -199,6 +199,11 @@ func (a *AuditTest) TestRedactSensitiveData() {
 			want:  []byte(fmt.Sprintf(`{"kubeConfig":"%s","namespace":"testns","secretName":"secret-name"}`, redacted)),
 			uri:   `asdf`,
 		},
+		{
+			name:  "With items from sensitiveBodyFields",
+			input: []byte(`{"credentials": "{'fakeCredName': 'fakeCred'}", "applicationSecret": "fakeAppSecret", "oauthCredential": "fakeOauth", "serviceAccountCredential": "fakeSACred", "spKey": "fakeSPKey", "spCert": "fakeSPCERT", "certificate": "fakeCert", "privateKey": "fakeKey"}`),
+			want:  []byte(fmt.Sprintf(`{"credentials": "%s", "applicationSecret": "%[1]s", "oauthCredential": "%[1]s", "serviceAccountCredential": "%[1]s", "spKey": "%[1]s", "spCert": "%[1]s", "certificate": "%[1]s", "privateKey": "%[1]s"}`, redacted)),
+		},
 	}
 	for i := range tests {
 		test := tests[i]
@@ -437,6 +442,18 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 		},
+		{
+			name:               "sensitive request header: \"X-Api-Auth-Header\"",
+			reqHeader:          http.Header{"X-Api-Auth-Header": []string{"abcd"}},
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
+		{
+			name:               "sensitive request header: \"X-Amz-Security-Token\"",
+			reqHeader:          http.Header{"X-Amz-Security-Token": []string{"abcd"}},
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
 		{
 			name:               "non-sensitive request header and sensitive request header: \"Cookie\"",
 			reqHeader:          http.Header{"Cookie": []string{"abcd"}, "User-Agent": []string{"useragent1"}},
@@ -454,6 +471,11 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "Set-Cookie": []string{"abcd"}},
 			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 		},
+		{
+			name:               "sensitive response header: \"X-Api-Set-Cookie-Header\"",
+			respHeader:         http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "X-Api-Set-Cookie-Header": []string{"abcd"}},
+			expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+		},
 	}
 	writer.Level = LevelMetadata
 	for i := range tests {
  • pkg/client/generated/management/v3/zz_generated_aci_network_provider.go+12 8 modified
    @@ -3,18 +3,15 @@ package client
 const (
 	AciNetworkProviderType                                      = "aciNetworkProvider"
 	AciNetworkProviderFieldAEP                                  = "aep"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryLimit      = "accProvisionOperatorMemoryLimit"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryRequest    = "accProvisionOperatorMemoryRequest"
 	AciNetworkProviderFieldAciContainersControllerMemoryLimit   = "aciContainersControllerMemoryLimit"
 	AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest"
 	AciNetworkProviderFieldAciContainersHostMemoryLimit         = "aciContainersHostMemoryLimit"
 	AciNetworkProviderFieldAciContainersHostMemoryRequest       = "aciContainersHostMemoryRequest"
 	AciNetworkProviderFieldAciContainersMemoryLimit             = "aciContainersMemoryLimit"
 	AciNetworkProviderFieldAciContainersMemoryRequest           = "aciContainersMemoryRequest"
-	AciNetworkProviderFieldAciContainersOperatorMemoryLimit     = "aciContainersOperatorMemoryLimit"
-	AciNetworkProviderFieldAciContainersOperatorMemoryRequest   = "aciContainersOperatorMemoryRequest"
 	AciNetworkProviderFieldAciMultipod                          = "aciMultipod"
 	AciNetworkProviderFieldAciMultipodUbuntu                    = "aciMultipodUbuntu"
+	AciNetworkProviderFieldAddExternalContractToDefaultEpg      = "addExternalContractToDefaultEpg"
 	AciNetworkProviderFieldAddExternalSubnetsToRdconfig         = "addExternalSubnetsToRdconfig"
 	AciNetworkProviderFieldApicHosts                            = "apicHosts"
 	AciNetworkProviderFieldApicRefreshTickerAdjust              = "apicRefreshTickerAdjust"
@@ -33,6 +30,7 @@ const (
 	AciNetworkProviderFieldDurationWaitForNetwork               = "durationWaitForNetwork"
 	AciNetworkProviderFieldDynamicExternalSubnet                = "externDynamic"
 	AciNetworkProviderFieldEnableEndpointSlice                  = "enableEndpointSlice"
+	AciNetworkProviderFieldEnableOpflexAgentReconnect           = "enableOpflexAgentReconnect"
 	AciNetworkProviderFieldEncapType                            = "encapType"
 	AciNetworkProviderFieldEpRegistry                           = "epRegistry"
 	AciNetworkProviderFieldGbpPodSubnet                         = "gbpPodSubnet"
@@ -59,6 +57,7 @@ const (
 	AciNetworkProviderFieldNoPriorityClass                      = "noPriorityClass"
 	AciNetworkProviderFieldNoWaitForServiceEpReadiness          = "noWaitForServiceEpReadiness"
 	AciNetworkProviderFieldNodePodIfEnable                      = "nodePodIfEnable"
+	AciNetworkProviderFieldNodeSnatRedirectExclude              = "nodeSnatRedirectExclude"
 	AciNetworkProviderFieldNodeSubnet                           = "nodeSubnet"
 	AciNetworkProviderFieldOVSMemoryLimit                       = "ovsMemoryLimit"
 	AciNetworkProviderFieldOVSMemoryRequest                     = "ovsMemoryRequest"
@@ -68,10 +67,12 @@ const (
 	AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled    = "opflexAgentOpflexAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled       = "opflexAgentOvsAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer     = "opflexAgentPolicyRetryDelayTimer"
+	AciNetworkProviderFieldOpflexAgentStatistics                = "opflexAgentStatistics"
 	AciNetworkProviderFieldOpflexClientSSL                      = "opflexClientSsl"
 	AciNetworkProviderFieldOpflexDeviceDeleteTimeout            = "opflexDeviceDeleteTimeout"
 	AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout     = "opflexDeviceReconnectWaitTimeout"
 	AciNetworkProviderFieldOpflexMode                           = "opflexMode"
+	AciNetworkProviderFieldOpflexOpensslCompat                  = "opflexOpensslCompat"
 	AciNetworkProviderFieldOpflexServerPort                     = "opflexServerPort"
 	AciNetworkProviderFieldOverlayVRFName                       = "overlayVrfName"
 	AciNetworkProviderFieldPBRTrackingNonSnat                   = "pbrTrackingNonSnat"
@@ -95,6 +96,7 @@ const (
 	AciNetworkProviderFieldSystemIdentifier                     = "systemId"
 	AciNetworkProviderFieldTenant                               = "tenant"
 	AciNetworkProviderFieldToken                                = "token"
+	AciNetworkProviderFieldTolerationSeconds                    = "tolerationSeconds"
 	AciNetworkProviderFieldUseAciAnywhereCRD                    = "useAciAnywhereCrd"
 	AciNetworkProviderFieldUseAciCniPriorityClass               = "useAciCniPriorityClass"
 	AciNetworkProviderFieldUseClusterRole                       = "useClusterRole"
@@ -110,18 +112,15 @@ const (
 
 type AciNetworkProvider struct {
 	AEP                                  string              `json:"aep,omitempty" yaml:"aep,omitempty"`
-	AccProvisionOperatorMemoryLimit      string              `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"`
-	AccProvisionOperatorMemoryRequest    string              `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"`
 	AciContainersControllerMemoryLimit   string              `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"`
 	AciContainersControllerMemoryRequest string              `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"`
 	AciContainersHostMemoryLimit         string              `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"`
 	AciContainersHostMemoryRequest       string              `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"`
 	AciContainersMemoryLimit             string              `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"`
 	AciContainersMemoryRequest           string              `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"`
-	AciContainersOperatorMemoryLimit     string              `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"`
-	AciContainersOperatorMemoryRequest   string              `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"`
 	AciMultipod                          string              `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"`
 	AciMultipodUbuntu                    string              `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"`
+	AddExternalContractToDefaultEpg      string              `json:"addExternalContractToDefaultEpg,omitempty" yaml:"addExternalContractToDefaultEpg,omitempty"`
 	AddExternalSubnetsToRdconfig         string              `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"`
 	ApicHosts                            []string            `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
 	ApicRefreshTickerAdjust              string              `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
@@ -140,6 +139,7 @@ type AciNetworkProvider struct {
 	DurationWaitForNetwork               string              `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
 	DynamicExternalSubnet                string              `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
 	EnableEndpointSlice                  string              `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
+	EnableOpflexAgentReconnect           string              `json:"enableOpflexAgentReconnect,omitempty" yaml:"enableOpflexAgentReconnect,omitempty"`
 	EncapType                            string              `json:"encapType,omitempty" yaml:"encapType,omitempty"`
 	EpRegistry                           string              `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
 	GbpPodSubnet                         string              `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
@@ -166,6 +166,7 @@ type AciNetworkProvider struct {
 	NoPriorityClass                      string              `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
 	NoWaitForServiceEpReadiness          string              `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"`
 	NodePodIfEnable                      string              `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
+	NodeSnatRedirectExclude              []map[string]string `json:"nodeSnatRedirectExclude,omitempty" yaml:"nodeSnatRedirectExclude,omitempty"`
 	NodeSubnet                           string              `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
 	OVSMemoryLimit                       string              `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
 	OVSMemoryRequest                     string              `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"`
@@ -175,10 +176,12 @@ type AciNetworkProvider struct {
 	OpflexAgentOpflexAsyncjsonEnabled    string              `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"`
 	OpflexAgentOvsAsyncjsonEnabled       string              `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"`
 	OpflexAgentPolicyRetryDelayTimer     string              `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"`
+	OpflexAgentStatistics                string              `json:"opflexAgentStatistics,omitempty" yaml:"opflexAgentStatistics,omitempty"`
 	OpflexClientSSL                      string              `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
 	OpflexDeviceDeleteTimeout            string              `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
 	OpflexDeviceReconnectWaitTimeout     string              `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"`
 	OpflexMode                           string              `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
+	OpflexOpensslCompat                  string              `json:"opflexOpensslCompat,omitempty" yaml:"opflexOpensslCompat,omitempty"`
 	OpflexServerPort                     string              `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
 	OverlayVRFName                       string              `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
 	PBRTrackingNonSnat                   string              `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
@@ -202,6 +205,7 @@ type AciNetworkProvider struct {
 	SystemIdentifier                     string              `json:"systemId,omitempty" yaml:"systemId,omitempty"`
 	Tenant                               string              `json:"tenant,omitempty" yaml:"tenant,omitempty"`
 	Token                                string              `json:"token,omitempty" yaml:"token,omitempty"`
+	TolerationSeconds                    string              `json:"tolerationSeconds,omitempty" yaml:"tolerationSeconds,omitempty"`
 	UseAciAnywhereCRD                    string              `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
 	UseAciCniPriorityClass               string              `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
 	UseClusterRole                       string              `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
  • pkg/client/go.mod+1 1 modified
    @@ -5,7 +5,7 @@ go 1.20
 replace k8s.io/client-go => github.com/rancher/client-go v1.27.4-rancher1
 
 require (
-	github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d
+	github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608
 	k8s.io/apimachinery v0.27.4
 )
  • pkg/client/go.sum+2 2 modified
    @@ -18,8 +18,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d h1:Ft/iTH91TlE2oBGmpkdO4I8o8cvUmCnytdwu52a/tN4=
-github.com/rancher/norman v0.0.0-20230831160711-5de27f66385d/go.mod h1:Sm2Xqai+aecgmJ86ygyEe+TdPMLkauEpykSstBAu4Ko=
+github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608 h1:azL/n2grvuyGqmDvnpgRoH6mmpgodiGwjv1uZwiO7HE=
+github.com/rancher/norman v0.0.0-20240205154641-a6a6cf569608/go.mod h1:Sm2Xqai+aecgmJ86ygyEe+TdPMLkauEpykSstBAu4Ko=
 github.com/rancher/wrangler v1.1.1-0.20230831050635-df1bd5aae9df h1:WJ+aaUICHPX8HeLmHE9JL/RFHhilMfcJlqmhgpc7gJU=
 github.com/rancher/wrangler v1.1.1-0.20230831050635-df1bd5aae9df/go.mod h1:4T80p+rLh2OLbjCjdExIjRHKNBgK9NUAd7eIU/gRPKk=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
  • pkg/controllers/managementuser/rbac/handler_base_test.go+168 31 modified
    @@ -4,32 +4,180 @@ import (
 	"fmt"
 	"testing"
 
+	apimgmtv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
-	fakes "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes"
+	"github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes"
+	fakes2 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
 	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime/schema"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 )
 
-var roles = map[string]*v3.RoleTemplate{
-	"recursive1": {
-		RoleTemplateNames: []string{"recursive2"},
-	},
-	"recursive2": {
-		RoleTemplateNames: []string{"recursive1"},
-	},
-	"non-recursive": {},
-	"inherit non-recursive": {
-		RoleTemplateNames: []string{"non-recursive"},
-	},
+var (
+	recursiveTestRoleTemplates = map[string]*v3.RoleTemplate{
+		"recursive1": {
+			RoleTemplateNames: []string{"recursive2"},
+		},
+		"recursive2": {
+			RoleTemplateNames: []string{"recursive1"},
+		},
+		"non-recursive": {},
+		"inherit non-recursive": {
+			RoleTemplateNames: []string{"non-recursive"},
+		},
+	}
+	createNSRoleTemplate = &v3.RoleTemplate{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "create-ns",
+		},
+		Builtin: true,
+		Rules: []v1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"namespaces"},
+				Verbs:     []string{"create"},
+			},
+		},
+	}
+)
+
+type clientErrs struct {
+	getError    error
+	updateError error
+	createError error
 }
 
-func Test_gatherRoles(t *testing.T) {
-	manager := &manager{
+func setupManager(roleTemplates map[string]*v3.RoleTemplate, clusterRoles map[string]*v1.ClusterRole, roles map[string]*v1.Role, projects map[string]*v3.Project, crErrs, rtErrs, rErrs clientErrs) *manager {
+	return &manager{
 		rtLister: &fakes.RoleTemplateListerMock{
-			GetFunc: roleListerGetFunc,
+			GetFunc: func(namespace string, name string) (*v3.RoleTemplate, error) {
+				if rtErrs.getError != nil {
+					return nil, rtErrs.getError
+				}
+				rt, ok := roleTemplates[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return rt.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v3.RoleTemplate, error) {
+				rts := make([]*v3.RoleTemplate, len(roleTemplates))
+				for i := range roleTemplates {
+					rts = append(rts, roleTemplates[i])
+				}
+				return rts, nil
+			},
 		},
+		crLister: &fakes2.ClusterRoleListerMock{
+			GetFunc: func(namespace string, name string) (*v1.ClusterRole, error) {
+				if crErrs.getError != nil {
+					return nil, crErrs.getError
+				}
+				cr, ok := clusterRoles[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return cr.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v1.ClusterRole, error) {
+				crs := make([]*v1.ClusterRole, len(roleTemplates))
+				for i := range clusterRoles {
+					crs = append(crs, clusterRoles[i])
+				}
+				return crs, nil
+			},
+		},
+		clusterRoles: &fakes2.ClusterRoleInterfaceMock{
+			GetFunc: func(name string, opts metav1.GetOptions) (*v1.ClusterRole, error) {
+				if crErrs.getError != nil {
+					return nil, crErrs.getError
+				}
+				cr, ok := clusterRoles[name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return cr.DeepCopy(), nil
+			},
+			UpdateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) {
+				if crErrs.updateError != nil {
+					return nil, crErrs.updateError
+				}
+				_, ok := clusterRoles[cr.Name]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name)
+				}
+				clusterRoles[cr.Name] = cr
+				return clusterRoles[cr.Name].DeepCopy(), nil
+			},
+			CreateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) {
+				if crErrs.createError != nil {
+					return nil, crErrs.createError
+				}
+				_, ok := clusterRoles[cr.Name]
+				if ok {
+					return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name)
+				}
+				clusterRoles[cr.Name] = cr
+				return clusterRoles[cr.Name].DeepCopy(), nil
+			},
+		},
+		rLister: &fakes2.RoleListerMock{
+			GetFunc: func(namespace string, name string) (*v1.Role, error) {
+				if rErrs.getError != nil {
+					return nil, rErrs.getError
+				}
+				key := fmt.Sprintf("%s:%s", namespace, name)
+				r, ok := roles[key]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return r.DeepCopy(), nil
+			},
+			ListFunc: func(namespace string, selector labels.Selector) ([]*v1.Role, error) {
+				rs := make([]*v1.Role, len(roles))
+				for i := range roles {
+					rs = append(rs, roles[i])
+				}
+				return rs, nil
+			},
+		},
+		roles: &fakes2.RoleInterfaceMock{
+			UpdateFunc: func(r *v1.Role) (*v1.Role, error) {
+				key := fmt.Sprintf("%s:%s", r.Namespace, r.Name)
+				_, ok := roles[key]
+				if ok {
+					return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), key)
+				}
+				roles[r.Name] = r
+				return roles[r.Name].DeepCopy(), nil
+			},
+			GetNamespacedFunc: func(namespace string, name string, opts metav1.GetOptions) (*v1.Role, error) {
+				key := fmt.Sprintf("%s:%s", namespace, name)
+				r, ok := roles[key]
+				if !ok {
+					return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name)
+				}
+				return r.DeepCopy(), nil
+			},
+		},
+		projectLister: &fakes.ProjectListerMock{
+			ListFunc: func(namespace string, selector labels.Selector) ([]*apimgmtv3.Project, error) {
+				rs := make([]*v3.Project, len(projects))
+				for i := range projects {
+					rs = append(rs, projects[i])
+				}
+				return rs, nil
+			},
+		},
+		clusterName: "testcluster",
 	}
+}
+
+func Test_gatherRoles(t *testing.T) {
+	m := setupManager(recursiveTestRoleTemplates, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+
 	emptyRoleTemplates := make(map[string]*v3.RoleTemplate)
 	type args struct {
 		rt            *v3.RoleTemplate
@@ -44,7 +192,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Non-recursive role, none inherited",
 			args: args{
-				rt:            roles["non-recursive"],
+				rt:            recursiveTestRoleTemplates["non-recursive"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -53,7 +201,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Non-recursive role, inherits another",
 			args: args{
-				rt:            roles["inherit non-recursive"],
+				rt:            recursiveTestRoleTemplates["inherit non-recursive"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -62,7 +210,7 @@ func Test_gatherRoles(t *testing.T) {
 		{
 			name: "Recursive role",
 			args: args{
-				rt:            roles["recursive1"],
+				rt:            recursiveTestRoleTemplates["recursive1"],
 				roleTemplates: emptyRoleTemplates,
 				depthCounter:  0,
 			},
@@ -72,7 +220,7 @@ func Test_gatherRoles(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := manager.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter)
+			err := m.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter)
 			if tt.wantErr {
 				assert.Error(t, err, "expected an error, received none")
 			} else {
@@ -81,14 +229,3 @@ func Test_gatherRoles(t *testing.T) {
 		})
 	}
 }
-
-func roleListerGetFunc(ns, name string) (*v3.RoleTemplate, error) {
-	role, ok := roles[name]
-	if !ok {
-		return nil, errors.NewNotFound(schema.GroupResource{
-			Group:    v3.RoleTemplateGroupVersionKind.Group,
-			Resource: v3.RoleTemplateGroupVersionResource.Resource,
-		}, name)
-	}
-	return role, nil
-}
  • pkg/controllers/managementuser/rbac/namespace_handler.go+2 2 modified
    @@ -334,7 +334,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err
 			return err
 		}
 
-		roleCli := n.m.workload.RBAC.ClusterRoles("")
+		roleCli := n.m.clusterRoles
 		nsInDesiredRole := false
 		for _, c := range clusterRoles {
 			cr, ok := c.(*rbacv1.ClusterRole)
@@ -442,7 +442,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err
 }
 
 func (m *manager) createProjectNSRole(roleName, verb, ns, projectName string) error {
-	roleCli := m.workload.RBAC.ClusterRoles("")
+	roleCli := m.clusterRoles
 
 	cr := &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
  • pkg/controllers/managementuser/rbac/namespace_handler_test.go+138 31 modified
    @@ -6,11 +6,13 @@ import (
 
 	"github.com/rancher/rancher/pkg/apis/management.cattle.io"
 	apisV3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	"github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
-	"github.com/rancher/rancher/pkg/types/config"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	v1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -177,31 +179,6 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 				},
 				err: test.indexerError,
 			}
-			fakeRBACInterface := &fakeRBAC{
-				clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-					CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-						newRoles = append(newRoles, in)
-						if test.createError != nil {
-							return nil, test.createError
-						}
-						return in, nil
-					},
-					UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-						newRoles = append(newRoles, in)
-						if test.updateError != nil {
-							return nil, test.updateError
-						}
-						return in, nil
-					},
-					DeleteFunc: func(name string, options *metav1.DeleteOptions) error {
-						deletedRoleNames = append(deletedRoleNames, name)
-						if test.deleteError != nil {
-							return test.deleteError
-						}
-						return nil
-					},
-				},
-			}
 			fakeLister := &fakes.ClusterRoleListerMock{
 				GetFunc: func(namespace string, name string) (*rbacv1.ClusterRole, error) {
 					if test.getError != nil {
@@ -218,13 +195,34 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 					}, name)
 				},
 			}
+			fakeClusterRoles := &fakes.ClusterRoleInterfaceMock{
+				CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+					newRoles = append(newRoles, in)
+					if test.createError != nil {
+						return nil, test.createError
+					}
+					return in, nil
+				},
+				UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+					newRoles = append(newRoles, in)
+					if test.updateError != nil {
+						return nil, test.updateError
+					}
+					return in, nil
+				},
+				DeleteFunc: func(name string, options *metav1.DeleteOptions) error {
+					deletedRoleNames = append(deletedRoleNames, name)
+					if test.deleteError != nil {
+						return test.deleteError
+					}
+					return nil
+				},
+			}
 			lifecycle := nsLifecycle{
 				m: &manager{
-					workload: &config.UserContext{
-						RBAC: fakeRBACInterface,
-					},
-					crLister:  fakeLister,
-					crIndexer: &indexer,
+					crLister:     fakeLister,
+					crIndexer:    &indexer,
+					clusterRoles: fakeClusterRoles,
 				},
 			}
 			err := lifecycle.reconcileNamespaceProjectClusterRole(&corev1.Namespace{
@@ -253,6 +251,115 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) {
 
 }
 
+func TestCreateProjectNSRole(t *testing.T) {
+	t.Parallel()
+	crs := make(map[string]*v1.ClusterRole)
+	m := setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+	type testCase struct {
+		description   string
+		verb          string
+		namespace     string
+		projectName   string
+		startingCR    *v1.ClusterRole
+		expectedCR    *v1.ClusterRole
+		isErrExpected bool
+		expectedErr   string
+	}
+	testCases := []testCase{
+		{
+			description: "create get role",
+			verb:        "get",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-readonly",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-readonly",
+					},
+				},
+			},
+		},
+		{
+			description: "create edit role",
+			verb:        "*",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+		},
+		{
+			description: "do not change role if already exists and return AlreadyExists error",
+			verb:        "*",
+			projectName: "p-123xyz",
+			expectedCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+			startingCR: &v1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "p-123xyz-namespaces-edit",
+					Annotations: map[string]string{
+						projectNSAnn: "p-123xyz-namespaces-edit",
+					},
+				},
+				Rules: []v1.PolicyRule{
+					{
+						APIGroups:     []string{"management.cattle.io"},
+						Verbs:         []string{"manage-namespaces"},
+						Resources:     []string{"projects"},
+						ResourceNames: []string{"p-123xyz"},
+					},
+				},
+			},
+			isErrExpected: true,
+			expectedErr:   "roletemplates.management.cattle.io \"p-123xyz-namespaces-edit\" already exists",
+		},
+	}
+	for _, test := range testCases {
+		if test.startingCR != nil {
+			crs[test.startingCR.Name] = test.startingCR
+		}
+		err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, test.projectName, projectNSVerbToSuffix[test.verb]), test.verb, test.namespace, test.projectName)
+		if test.isErrExpected {
+			assert.NotNil(t, err, test.description)
+		} else {
+			assert.Nil(t, err)
+		}
+		assert.Equal(t, test.expectedCR, crs[test.expectedCR.Name], test.description)
+		delete(crs, test.expectedCR.Name)
+	}
+	m = setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{createError: errors.NewInternalError(fmt.Errorf("some error"))}, clientErrs{}, clientErrs{})
+	description := "test should return non-AlreadyExists error"
+	err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, "p-123xyz", "edit"), "*", "", "p-123xyz")
+	assert.NotNil(t, err, description)
+	assert.Equal(t, "Internal error occurred: some error", err.Error(), description)
+}
+
 func createClusterRoleForProject(projectName string, namespace string, verb string) *rbacv1.ClusterRole {
 	cr := createBaseClusterRoleForProject(projectName, verb)
 	return addNamespaceToClusterRole(namespace, verb, cr)
  • pkg/controllers/managementuser/rbac/project_handler_test.go+14 25 modified
    @@ -7,7 +7,6 @@ import (
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	v1 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1"
 	"github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes"
-	"github.com/rancher/rancher/pkg/types/config"
 	"github.com/stretchr/testify/assert"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
@@ -103,17 +102,13 @@ func TestCreate(t *testing.T) {
 							}, name)
 						},
 					},
-					workload: &config.UserContext{
-						RBAC: &fakeRBAC{
-							clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-								CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-									newCRs = append(newCRs, in)
-									if test.createErr != nil {
-										return nil, test.createErr
-									}
-									return in, nil
-								},
-							},
+					clusterRoles: &fakes.ClusterRoleInterfaceMock{
+						CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+							newCRs = append(newCRs, in)
+							if test.createErr != nil {
+								return nil, test.createErr
+							}
+							return in, nil
 						},
 					},
 				},
@@ -288,6 +283,13 @@ func TestUpdated(t *testing.T) {
 						},
 					},
 					clusterRoles: &fakes.ClusterRoleInterfaceMock{
+						CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+							newCRs = append(newCRs, in)
+							if test.createError != nil {
+								return nil, test.createError
+							}
+							return in, nil
+						},
 						UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
 							newCRs = append(newCRs, in)
 							if test.updError != nil {
@@ -296,19 +298,6 @@ func TestUpdated(t *testing.T) {
 							return in, nil
 						},
 					},
-					workload: &config.UserContext{
-						RBAC: &fakeRBAC{
-							clusterRoleFake: fakes.ClusterRoleInterfaceMock{
-								CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
-									newCRs = append(newCRs, in)
-									if test.createError != nil {
-										return nil, test.createError
-									}
-									return in, nil
-								},
-							},
-						},
-					},
 				},
 			}
 			_, err := lifecycle.Updated(project)
  • pkg/controllers/managementuser/rbac/prtb_handler.go+15 2 modified
    @@ -3,6 +3,7 @@ package rbac
 import (
 	"reflect"
 	"sort"
+	"strings"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/pkg/errors"
@@ -161,7 +162,11 @@ func (p *prtbLifecycle) ensurePRTBDelete(binding *v3.ProjectRoleTemplateBinding)
 }
 
 func (p *prtbLifecycle) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) error {
-	_, err := p.m.reconcileProjectAccessToGlobalResources(binding, rts)
+	roles, err := p.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(binding.ProjectName), rts)
+	if err != nil {
+		return err
+	}
+	_, err = p.m.reconcileProjectAccessToGlobalResources(binding, roles)
 	if err != nil {
 		return err
 	}
@@ -277,7 +282,7 @@ func (m *manager) checkForGlobalResourceRules(role *v3.RoleTemplate, resource st
 
 // Ensure the clusterRole used to grant access of global resources to users/groups in projects has appropriate rules for the given resource and verbs
 func (m *manager) reconcileRoleForProjectAccessToGlobalResource(resource string, rt *v3.RoleTemplate, newVerbs map[string]bool, baseRule rbacv1.PolicyRule) (string, error) {
-	clusterRoles := m.workload.RBAC.ClusterRoles("")
+	clusterRoles := m.clusterRoles
 	roleName := rt.Name + "-promoted"
 	if role, err := m.crLister.Get("", roleName); err == nil && role != nil {
 		currentVerbs := map[string]bool{}
@@ -465,3 +470,11 @@ func (p *prtbLifecycle) reconcilePRTBUserClusterLabels(binding *v3.ProjectRoleTe
 	})
 	return retryErr
 }
+
+func parseProjectName(id string) string {
+	parts := strings.SplitN(id, ":", 2)
+	if len(parts) != 2 || len(parts[1]) == 0 {
+		return ""
+	}
+	return parts[1]
+}
  • pkg/controllers/managementuser/rbac/reconcile_roletemplate.go+60 57 modified
    @@ -2,7 +2,6 @@ package rbac
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/rancher/norman/types/slice"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
@@ -13,68 +12,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) (map[string]bool, error) {
-	var role string
-	var createNSPerms bool
-	var roles []string
-	if parts := strings.SplitN(binding.ProjectName, ":", 2); len(parts) == 2 && len(parts[1]) > 0 {
-		projectName := parts[1]
-		var roleVerb, roleSuffix string
-		for _, r := range rts {
-			for _, rule := range r.Rules {
-				if slice.ContainsString(rule.Resources, "namespaces") && len(rule.ResourceNames) == 0 {
-					if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") {
-						roleVerb = "*"
-						createNSPerms = true
-						break
-					}
-				}
-
-			}
-		}
-		if roleVerb == "" {
-			roleVerb = "get"
-		}
-		roleSuffix = projectNSVerbToSuffix[roleVerb]
-		role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix)
-		roles = append(roles, role)
-
-		for _, rt := range rts {
-			for resource, baseRule := range globalResourceRulesNeededInProjects {
-				verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule)
-				if err != nil {
-					return nil, err
-				}
-				if len(verbs) > 0 {
-					roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule)
-					if err != nil {
-						return nil, err
-					}
-					roles = append(roles, roleName)
-				}
-			}
-		}
-	}
-
+func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, roles []string) (map[string]bool, error) {
 	if len(roles) == 0 {
 		return nil, nil
 	}
 
 	bindingCli := m.workload.RBAC.ClusterRoleBindings("")
 
-	if createNSPerms {
-		roles = append(roles, "create-ns")
-		if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil {
-			createNSRT, err := m.rtLister.Get("", "create-ns")
-			if err != nil {
-				return nil, err
-			}
-			if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) {
-				return nil, err
-			}
-		}
-	}
-
 	rtbUID := pkgrbac.GetRTBLabel(binding.ObjectMeta)
 	subject, err := pkgrbac.BuildSubjectFromRTB(binding)
 	if err != nil {
@@ -147,3 +91,62 @@ func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRol
 
 	return crbsToKeep, nil
 }
+
+// EnsureGlobalResourcesRolesForPRTB ensures that all necessary roles exist and contain the rules needed to
+// enforce permissions described by RoleTemplate rules. A slice of strings indicating role names is returned.
+func (m *manager) ensureGlobalResourcesRolesForPRTB(projectName string, rts map[string]*v3.RoleTemplate) ([]string, error) {
+	var role string
+	var roles []string
+
+	if projectName == "" {
+		return nil, nil
+	}
+
+	var roleVerb, roleSuffix string
+	for _, r := range rts {
+		for _, rule := range r.Rules {
+			hasNamespaceResources := slice.ContainsString(rule.Resources, "namespaces") || slice.ContainsString(rule.Resources, "*")
+			hasNamespaceGroup := slice.ContainsString(rule.APIGroups, "") || slice.ContainsString(rule.APIGroups, "*")
+			if hasNamespaceGroup && hasNamespaceResources && len(rule.ResourceNames) == 0 {
+				if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") {
+					roleVerb = "*"
+					roles = append(roles, "create-ns")
+					if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil {
+						createNSRT, err := m.rtLister.Get("", "create-ns")
+						if err != nil {
+							return nil, err
+						}
+						if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) {
+							return nil, err
+						}
+					}
+					break
+				}
+			}
+
+		}
+	}
+	if roleVerb == "" {
+		roleVerb = "get"
+	}
+	roleSuffix = projectNSVerbToSuffix[roleVerb]
+	role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix)
+	roles = append(roles, role)
+
+	for _, rt := range rts {
+		for resource, baseRule := range globalResourceRulesNeededInProjects {
+			verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule)
+			if err != nil {
+				return nil, err
+			}
+			if len(verbs) > 0 {
+				roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule)
+				if err != nil {
+					return nil, err
+				}
+				roles = append(roles, roleName)
+			}
+		}
+	}
+	return roles, nil
+}
  • pkg/controllers/managementuser/rbac/reconcile_roletemplate_test.go+255 0 added
    @@ -0,0 +1,255 @@
+package rbac
+
+import (
+	"testing"
+
+	"github.com/pkg/errors"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+
+	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestEnsureGlobalResourcesRolesForPRTB(t *testing.T) {
+	t.Parallel()
+	m := setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{})
+	type testCase struct {
+		description   string
+		projectName   string
+		roleTemplates map[string]*v3.RoleTemplate
+		expectedRoles []string
+		isErrExpected bool
+	}
+	testCases := []testCase{
+		{
+			description:   "global resource rule should grant namespace read",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt1": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt1",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{""},
+							Resources: []string{"configmaps"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace create rule should grant create-ns and a namespaces-edit role",
+			projectName:   "testproject",
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt2": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt2",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"create"},
+							APIGroups: []string{""},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace create rule for other API group should grant namespaces-read role only",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt3": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt3",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"create"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "namespace * rule for other API group should grant namespaces-read role only",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt4": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt4",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"namespaces"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "global resource rule result in promoted role returned",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly", "testrt5-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt5": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt5",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"catalog.cattle.io"},
+							Resources: []string{"clusterrepos"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "empty project name will result in no roles returned",
+			projectName:   "",
+			expectedRoles: nil,
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt6": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt6",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"catalog.cattle.io"},
+							Resources: []string{"clusterrepos"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "* resources and non-core APIGroup should only result in namespace-readonly role",
+			projectName:   "testproject",
+			expectedRoles: []string{"testproject-namespaces-readonly"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt7": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt7",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"some.other.apigroup"},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "* resources and * APIGroup should only result in namespace-readonly and promoted role",
+			projectName: "testproject",
+			// at the time of adding these tests ensureGlobalResourceRoleForPRTB returns duplicate promoted roles
+			// names per applicable rule found in globalResourceRulesNeededInProjects. This is not incompatible with
+			// current reconcile logic but should be fixed in the future.
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt8": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt8",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{"*"},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description:   "* resources and core (\"\") APIGroup should only result in namespace-readonly and promoted role",
+			projectName:   "testproject",
+			expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt9-promoted", "testrt9-promoted"},
+			roleTemplates: map[string]*v3.RoleTemplate{
+				"testrt9": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "testrt9",
+					},
+					Rules: []v1.PolicyRule{
+						{
+							Verbs:     []string{"*"},
+							APIGroups: []string{""},
+							Resources: []string{"*"},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.description, func(t *testing.T) {
+			t.Parallel()
+			roles, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+			assert.Nil(t, err)
+			assert.Equal(t, test.expectedRoles, roles, test.description)
+		})
+	}
+
+	test := testCase{
+		projectName:   "testproject",
+		expectedRoles: []string{"create-ns", "testproject-namespaces-edit"},
+		roleTemplates: map[string]*v3.RoleTemplate{
+			"testrt": {
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "testrt",
+				},
+				Rules: []v1.PolicyRule{
+					{
+						Verbs:     []string{"create"},
+						APIGroups: []string{""},
+						Resources: []string{"namespaces"},
+					},
+				},
+			},
+		},
+	}
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{getError: errNotFound}, clientErrs{})
+	test1 := test
+	test1.description = "error return when RoleTemplate client returns error"
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{createError: errAlreadyExist})
+	test2 := test
+	test2.description = "error return when Role client returns error"
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+	m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{getError: apierrors.NewInternalError(errors.New("error"))}, clientErrs{}, clientErrs{})
+	test3 := test
+	test3.description = "error return when ClusterRole client returns error and RoleTemplate is external"
+	test3.roleTemplates["testrt"].External = true
+	t.Run(test.description, func(t *testing.T) {
+		t.Parallel()
+		_, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates)
+		assert.NotNil(t, err)
+	})
+}
  • pkg/controllers/managementuser/rbac/roletemplate_handler.go+10 6 modified
    @@ -68,18 +68,18 @@ func (c *rtSync) sync(key string, obj *v3.RoleTemplate) (runtime.Object, error)
 }
 
 func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []interface{}, crtbs []interface{}) error {
-	roles := map[string]*v3.RoleTemplate{}
-	if err := c.m.gatherRoles(template, roles, 0); err != nil {
+	roleTemplates := map[string]*v3.RoleTemplate{}
+	if err := c.m.gatherRoles(template, roleTemplates, 0); err != nil {
 		return err
 	}
 
-	if err := c.m.ensureRoles(roles); err != nil {
+	if err := c.m.ensureRoles(roleTemplates); err != nil {
 		return errors.Wrapf(err, "couldn't ensure roles")
 	}
 
 	rolesToKeep := make(map[string]bool)
 	if usedInProjects {
-		for _, rt := range roles {
+		for _, rt := range roleTemplates {
 			for resource, baseRule := range globalResourceRulesNeededInProjects {
 				verbs, err := c.m.checkForGlobalResourceRules(rt, resource, baseRule)
 				if err != nil {
@@ -102,6 +102,10 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 			continue
 		}
 
+		roles, err := c.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(prtb.ProjectName), roleTemplates)
+		if err != nil {
+			return err
+		}
 		crbsToKeep, err := c.m.reconcileProjectAccessToGlobalResources(prtb, roles)
 		if err != nil {
 			return err
@@ -131,7 +135,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 			if !ns.DeletionTimestamp.IsZero() {
 				continue
 			}
-			if err := c.m.ensureProjectRoleBindings(ns.Name, roles, prtb); err != nil {
+			if err := c.m.ensureProjectRoleBindings(ns.Name, roleTemplates, prtb); err != nil {
 				return errors.Wrapf(err, "couldn't ensure binding %v in %v", prtb.Name, ns.Name)
 			}
 		}
@@ -142,7 +146,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 		if !ok {
 			continue
 		}
-		if err := c.m.ensureClusterBindings(roles, crtb); err != nil {
+		if err := c.m.ensureClusterBindings(roleTemplates, crtb); err != nil {
 			return err
 		}
 	}
  • pkg/settings/setting.go+1 1 modified
    @@ -108,7 +108,7 @@ var (
 	WhitelistDomain                     = NewSetting("whitelist-domain", "forums.rancher.com")
 	WhitelistEnvironmentVars            = NewSetting("whitelist-envvars", "HTTP_PROXY,HTTPS_PROXY,NO_PROXY")
 	AuthUserInfoResyncCron              = NewSetting("auth-user-info-resync-cron", "0 0 * * *")
-	APIUIVersion                        = NewSetting("api-ui-version", "1.1.10")              // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here.
+	APIUIVersion                        = NewSetting("api-ui-version", "1.1.11")              // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here.
 	RotateCertsIfExpiringInDays         = NewSetting("rotate-certs-if-expiring-in-days", "7") // 7 days
 	ClusterTemplateEnforcement          = NewSetting("cluster-template-enforcement", "false")
 	InitialDockerRootDir                = NewSetting("initial-docker-root-dir", "/var/lib/docker")
  • tests/framework/clients/rancher/generated/management/v3/zz_generated_aci_network_provider.go+12 8 modified
    @@ -3,18 +3,15 @@ package client
 const (
 	AciNetworkProviderType                                      = "aciNetworkProvider"
 	AciNetworkProviderFieldAEP                                  = "aep"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryLimit      = "accProvisionOperatorMemoryLimit"
-	AciNetworkProviderFieldAccProvisionOperatorMemoryRequest    = "accProvisionOperatorMemoryRequest"
 	AciNetworkProviderFieldAciContainersControllerMemoryLimit   = "aciContainersControllerMemoryLimit"
 	AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest"
 	AciNetworkProviderFieldAciContainersHostMemoryLimit         = "aciContainersHostMemoryLimit"
 	AciNetworkProviderFieldAciContainersHostMemoryRequest       = "aciContainersHostMemoryRequest"
 	AciNetworkProviderFieldAciContainersMemoryLimit             = "aciContainersMemoryLimit"
 	AciNetworkProviderFieldAciContainersMemoryRequest           = "aciContainersMemoryRequest"
-	AciNetworkProviderFieldAciContainersOperatorMemoryLimit     = "aciContainersOperatorMemoryLimit"
-	AciNetworkProviderFieldAciContainersOperatorMemoryRequest   = "aciContainersOperatorMemoryRequest"
 	AciNetworkProviderFieldAciMultipod                          = "aciMultipod"
 	AciNetworkProviderFieldAciMultipodUbuntu                    = "aciMultipodUbuntu"
+	AciNetworkProviderFieldAddExternalContractToDefaultEpg      = "addExternalContractToDefaultEpg"
 	AciNetworkProviderFieldAddExternalSubnetsToRdconfig         = "addExternalSubnetsToRdconfig"
 	AciNetworkProviderFieldApicHosts                            = "apicHosts"
 	AciNetworkProviderFieldApicRefreshTickerAdjust              = "apicRefreshTickerAdjust"
@@ -33,6 +30,7 @@ const (
 	AciNetworkProviderFieldDurationWaitForNetwork               = "durationWaitForNetwork"
 	AciNetworkProviderFieldDynamicExternalSubnet                = "externDynamic"
 	AciNetworkProviderFieldEnableEndpointSlice                  = "enableEndpointSlice"
+	AciNetworkProviderFieldEnableOpflexAgentReconnect           = "enableOpflexAgentReconnect"
 	AciNetworkProviderFieldEncapType                            = "encapType"
 	AciNetworkProviderFieldEpRegistry                           = "epRegistry"
 	AciNetworkProviderFieldGbpPodSubnet                         = "gbpPodSubnet"
@@ -59,6 +57,7 @@ const (
 	AciNetworkProviderFieldNoPriorityClass                      = "noPriorityClass"
 	AciNetworkProviderFieldNoWaitForServiceEpReadiness          = "noWaitForServiceEpReadiness"
 	AciNetworkProviderFieldNodePodIfEnable                      = "nodePodIfEnable"
+	AciNetworkProviderFieldNodeSnatRedirectExclude              = "nodeSnatRedirectExclude"
 	AciNetworkProviderFieldNodeSubnet                           = "nodeSubnet"
 	AciNetworkProviderFieldOVSMemoryLimit                       = "ovsMemoryLimit"
 	AciNetworkProviderFieldOVSMemoryRequest                     = "ovsMemoryRequest"
@@ -68,10 +67,12 @@ const (
 	AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled    = "opflexAgentOpflexAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled       = "opflexAgentOvsAsyncjsonEnabled"
 	AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer     = "opflexAgentPolicyRetryDelayTimer"
+	AciNetworkProviderFieldOpflexAgentStatistics                = "opflexAgentStatistics"
 	AciNetworkProviderFieldOpflexClientSSL                      = "opflexClientSsl"
 	AciNetworkProviderFieldOpflexDeviceDeleteTimeout            = "opflexDeviceDeleteTimeout"
 	AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout     = "opflexDeviceReconnectWaitTimeout"
 	AciNetworkProviderFieldOpflexMode                           = "opflexMode"
+	AciNetworkProviderFieldOpflexOpensslCompat                  = "opflexOpensslCompat"
 	AciNetworkProviderFieldOpflexServerPort                     = "opflexServerPort"
 	AciNetworkProviderFieldOverlayVRFName                       = "overlayVrfName"
 	AciNetworkProviderFieldPBRTrackingNonSnat                   = "pbrTrackingNonSnat"
@@ -95,6 +96,7 @@ const (
 	AciNetworkProviderFieldSystemIdentifier                     = "systemId"
 	AciNetworkProviderFieldTenant                               = "tenant"
 	AciNetworkProviderFieldToken                                = "token"
+	AciNetworkProviderFieldTolerationSeconds                    = "tolerationSeconds"
 	AciNetworkProviderFieldUseAciAnywhereCRD                    = "useAciAnywhereCrd"
 	AciNetworkProviderFieldUseAciCniPriorityClass               = "useAciCniPriorityClass"
 	AciNetworkProviderFieldUseClusterRole                       = "useClusterRole"
@@ -110,18 +112,15 @@ const (
 
 type AciNetworkProvider struct {
 	AEP                                  string              `json:"aep,omitempty" yaml:"aep,omitempty"`
-	AccProvisionOperatorMemoryLimit      string              `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"`
-	AccProvisionOperatorMemoryRequest    string              `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"`
 	AciContainersControllerMemoryLimit   string              `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"`
 	AciContainersControllerMemoryRequest string              `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"`
 	AciContainersHostMemoryLimit         string              `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"`
 	AciContainersHostMemoryRequest       string              `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"`
 	AciContainersMemoryLimit             string              `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"`
 	AciContainersMemoryRequest           string              `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"`
-	AciContainersOperatorMemoryLimit     string              `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"`
-	AciContainersOperatorMemoryRequest   string              `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"`
 	AciMultipod                          string              `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"`
 	AciMultipodUbuntu                    string              `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"`
+	AddExternalContractToDefaultEpg      string              `json:"addExternalContractToDefaultEpg,omitempty" yaml:"addExternalContractToDefaultEpg,omitempty"`
 	AddExternalSubnetsToRdconfig         string              `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"`
 	ApicHosts                            []string            `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"`
 	ApicRefreshTickerAdjust              string              `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"`
@@ -140,6 +139,7 @@ type AciNetworkProvider struct {
 	DurationWaitForNetwork               string              `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"`
 	DynamicExternalSubnet                string              `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"`
 	EnableEndpointSlice                  string              `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"`
+	EnableOpflexAgentReconnect           string              `json:"enableOpflexAgentReconnect,omitempty" yaml:"enableOpflexAgentReconnect,omitempty"`
 	EncapType                            string              `json:"encapType,omitempty" yaml:"encapType,omitempty"`
 	EpRegistry                           string              `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"`
 	GbpPodSubnet                         string              `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"`
@@ -166,6 +166,7 @@ type AciNetworkProvider struct {
 	NoPriorityClass                      string              `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"`
 	NoWaitForServiceEpReadiness          string              `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"`
 	NodePodIfEnable                      string              `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"`
+	NodeSnatRedirectExclude              []map[string]string `json:"nodeSnatRedirectExclude,omitempty" yaml:"nodeSnatRedirectExclude,omitempty"`
 	NodeSubnet                           string              `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"`
 	OVSMemoryLimit                       string              `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"`
 	OVSMemoryRequest                     string              `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"`
@@ -175,10 +176,12 @@ type AciNetworkProvider struct {
 	OpflexAgentOpflexAsyncjsonEnabled    string              `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"`
 	OpflexAgentOvsAsyncjsonEnabled       string              `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"`
 	OpflexAgentPolicyRetryDelayTimer     string              `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"`
+	OpflexAgentStatistics                string              `json:"opflexAgentStatistics,omitempty" yaml:"opflexAgentStatistics,omitempty"`
 	OpflexClientSSL                      string              `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"`
 	OpflexDeviceDeleteTimeout            string              `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"`
 	OpflexDeviceReconnectWaitTimeout     string              `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"`
 	OpflexMode                           string              `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"`
+	OpflexOpensslCompat                  string              `json:"opflexOpensslCompat,omitempty" yaml:"opflexOpensslCompat,omitempty"`
 	OpflexServerPort                     string              `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"`
 	OverlayVRFName                       string              `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"`
 	PBRTrackingNonSnat                   string              `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"`
@@ -202,6 +205,7 @@ type AciNetworkProvider struct {
 	SystemIdentifier                     string              `json:"systemId,omitempty" yaml:"systemId,omitempty"`
 	Tenant                               string              `json:"tenant,omitempty" yaml:"tenant,omitempty"`
 	Token                                string              `json:"token,omitempty" yaml:"token,omitempty"`
+	TolerationSeconds                    string              `json:"tolerationSeconds,omitempty" yaml:"tolerationSeconds,omitempty"`
 	UseAciAnywhereCRD                    string              `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"`
 	UseAciCniPriorityClass               string              `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"`
 	UseClusterRole                       string              `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"`
  • tests/v2/codecoverage/package/Dockerfile+1 1 modified
    @@ -178,7 +178,7 @@ ENV CATTLE_CLI_VERSION v2.8.0
 ENV CATTLE_BASE_UI_BRAND=
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.10
+ENV CATTLE_API_UI_VERSION 1.1.11
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.