@rancher/shell 0.3.20 → 0.3.22

package/middleware/authenticated.js

@@ -15,6 +15,7 @@ import dynamicPluginLoader from '@shell/pkg/dynamic-plugin-loader';
 import { AFTER_LOGIN_ROUTE, WORKSPACE } from '@shell/store/prefs';
 import { BACK_TO } from '@shell/config/local-storage';
 import { NAME as FLEET_NAME } from '@shell/config/product/fleet.js';
+import { canViewResource } from '@shell/utils/auth';
 
 const getPackageFromRoute = (route) => {
   if (!route?.meta) {
@@ -133,20 +134,7 @@ function invalidResource(store, to, redirect) {
     return false;
   }
 
-  // Note - don't use the current products store... because products can override stores for resources with `typeStoreMap`
-  const inStore = store.getters['currentStore'](resource);
-  // There's a chance we're in an extension's product who's store could be anything, so confirm schemaFor exists
-  const schemaFor = store.getters[`${ inStore }/schemaFor`];
-
-  // In order to check a resource is valid we need these
-  if (!inStore || !schemaFor) {
-    return false;
-  }
-
-  // Resource is valid if a schema exists for it (standard resource, spoofed resource) or it's a virtual resource
-  const validResource = schemaFor(resource) || store.getters['type-map/isVirtual'](resource);
-
-  if (validResource) {
+  if (canViewResource(store, resource)) {
     return false;
   }
 

package/mixins/__tests__/chart.test.ts

@@ -0,0 +1,40 @@
+import { createLocalVue } from '@vue/test-utils';
+import Vuex from 'vuex';
+import ChartMixin from '@shell/mixins/chart';
+import { OPA_GATE_KEEPER_ID } from '@shell/pages/c/_cluster/gatekeeper/index.vue';
+
+describe('chartMixin', () => {
+  const testCases = [[null, 0], [OPA_GATE_KEEPER_ID, 1], ['any_other_id', 0]];
+
+  it.each(testCases)(
+    'should add OPA deprecation warning properly', (chartId, expected) => {
+      const localVue = createLocalVue();
+
+      localVue.use(Vuex);
+      localVue.mixin(ChartMixin);
+
+      const store = new Vuex.Store({
+        getters: {
+          currentCluster: () => {},
+          isRancher:      () => true,
+          'catalog/repo': () => {
+            return () => 'repo';
+          },
+          'catalog/chart': () => {
+            return () => ({ id: chartId });
+          },
+          'i18n/t': () => jest.fn()
+        }
+      });
+
+      const vm = localVue.extend({});
+      const instance = new vm({ store });
+
+      instance.$route = { query: { chart: 'chart_name' } };
+
+      const warnings = instance.warnings;
+
+      expect(warnings).toHaveLength(expected);
+    }
+  );
+});

package/mixins/chart.js

@@ -8,6 +8,7 @@ import { CATALOG as CATALOG_ANNOTATIONS } from '@shell/config/labels-annotations
 import { SHOW_PRE_RELEASE, mapPref } from '@shell/store/prefs';
 import { NAME as EXPLORER } from '@shell/config/product/explorer';
 import { NAME as MANAGER } from '@shell/config/product/manager';
+import { OPA_GATE_KEEPER_ID } from '@shell/pages/c/_cluster/gatekeeper/index.vue';
 
 import { formatSi, parseSi } from '@shell/utils/units';
 import { CAPI, CATALOG } from '@shell/config/types';
@@ -185,6 +186,10 @@ export default {
         }
       }
 
+      if (this.chart?.id === OPA_GATE_KEEPER_ID) {
+        warnings.unshift(this.t('gatekeeperIndex.deprecated', {}, true));
+      }
+
       return warnings;
     },
 

package/models/catalog.cattle.io.clusterrepo.js

@@ -29,11 +29,15 @@ export default class ClusterRepo extends SteveModel {
     return out;
   }
 
-  refresh() {
+  async refresh() {
     const now = (new Date()).toISOString().replace(/\.\d+Z$/, 'Z');
 
     this.spec.forceUpdate = now;
-    this.save();
+    await this.save();
+
+    await this.waitForState('active', 10000, 1000);
+
+    this.$dispatch('catalog/load', { force: true, reset: true }, { root: true });
   }
 
   get isGit() {

package/models/fleet.cattle.io.cluster.js

@@ -1,4 +1,4 @@
-import { MANAGEMENT, NORMAN } from '@shell/config/types';
+import { LOCAL_CLUSTER, MANAGEMENT, NORMAN } from '@shell/config/types';
 import { CAPI, FLEET as FLEET_LABELS } from '@shell/config/labels-annotations';
 import { _RKE2 } from '@shell/store/prefs';
 import SteveModel from '@shell/plugins/steve/steve-class';
@@ -34,7 +34,7 @@ export default class FleetCluster extends SteveModel {
       enabled:  !!this.links.update
     });
 
-    if (!this.isRke2) {
+    if (this.canChangeWorkspace) {
       insertAt(out, 3, {
         action:     'assignTo',
         label:      'Change workspace',
@@ -79,6 +79,14 @@ export default class FleetCluster extends SteveModel {
     return false;
   }
 
+  get canChangeWorkspace() {
+    return !this.isRke2 && !this.isLocal;
+  }
+
+  get isLocal() {
+    return this.metadata.name === LOCAL_CLUSTER || this.metadata?.labels?.[FLEET_LABELS.CLUSTER_NAME] === LOCAL_CLUSTER;
+  }
+
   get isRke2() {
     const provider = this?.metadata?.labels?.[CAPI.PROVIDER] || this?.status?.provider;
 

package/models/fleet.cattle.io.gitrepo.js

@@ -1,3 +1,4 @@
+import Vue from 'vue';
 import { convert, matching, convertSelectorObj } from '@shell/utils/selector';
 import jsyaml from 'js-yaml';
 import { escapeHtml, randomStr } from '@shell/utils/string';
@@ -32,7 +33,8 @@ export default class GitRepo extends SteveModel {
 
     spec.paths = spec.paths || [];
     spec.clientSecretName = spec.clientSecretName || null;
-    spec.correctDrift = { enabled: false };
+
+    Vue.set(spec, 'correctDrift', { enabled: false });
 
     set(this, 'spec', spec);
     set(this, 'metadata', meta);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rancher/shell",
-  "version": "0.3.20",
+  "version": "0.3.22",
   "description": "Rancher Dashboard Shell",
   "repository": "https://github.com/rancherlabs/dashboard",
   "license": "Apache-2.0",

package/pages/c/_cluster/fleet/index.vue

@@ -377,6 +377,7 @@ export default {
         :title="`${t('resourceDetail.masthead.workspace')}: ${ws.nameDisplay}`"
         :is-collapsed="isCollapsed[ws.id]"
         :is-title-clickable="true"
+        :data-testid="`collapsible-card-${ ws.id }`"
         @toggleCollapse="toggleCollapse($event, ws.id)"
         @titleClick="setWorkspaceFilterAndLinkToGitRepo(ws.id)"
       >
@@ -411,6 +412,7 @@ export default {
               <span v-if="ws.type === 'namespace'"> - </span>
               <CompoundStatusBadge
                 v-else
+                data-testid="clusters-ready"
                 :tooltip-text="getTooltipInfo('clusters', row)"
                 :badge-class="getStatusInfo('clusters', row).badgeClass"
                 :icon="getStatusInfo('clusters', row).icon"
@@ -421,6 +423,7 @@ export default {
               <span v-if="ws.type === 'namespace'"> - </span>
               <CompoundStatusBadge
                 v-else
+                data-testid="bundles-ready"
                 :tooltip-text="getTooltipInfo('bundles', row)"
                 :badge-class="getStatusInfo('bundles', row).badgeClass"
                 :icon="getStatusInfo('bundles', row).icon"
@@ -429,6 +432,7 @@ export default {
             </template>
             <template #cell:resourcesReady="{row}">
               <CompoundStatusBadge
+                data-testid="resources-ready"
                 :tooltip-text="getTooltipInfo('resources', row)"
                 :badge-class="getStatusInfo('resources', row).badgeClass"
                 :icon="getStatusInfo('resources', row).icon"

package/pages/c/_cluster/gatekeeper/index.vue

@@ -3,10 +3,16 @@ import { NAME, CHART_NAME } from '@shell/config/product/gatekeeper';
 import InstallRedirect from '@shell/utils/install-redirect';
 import ChartHeading from '@shell/components/ChartHeading';
 import SortableTable from '@shell/components/SortableTable';
+import { Banner } from '@components/Banner';
 import { CONSTRAINT_VIOLATION_CONSTRAINT_LINK, CONSTRAINT_VIOLATION_COUNT, CONSTRAINT_VIOLATION_TEMPLATE_LINK } from '@shell/config/table-headers';
 import { GATEKEEPER } from '@shell/config/types';
+
+export const OPA_GATE_KEEPER_ID = 'cluster/rancher-charts/rancher-gatekeeper';
+
 export default {
-  components: { ChartHeading, SortableTable },
+  components: {
+    ChartHeading, SortableTable, Banner
+  },
   middleware: InstallRedirect(NAME, CHART_NAME),
   async fetch() {
     const constraints = this.constraint ? [this.constraint] : await this.$store.dispatch('cluster/findAll', { type: GATEKEEPER.SPOOFED.CONSTRAINT });
@@ -49,6 +55,9 @@ export default {
       :label="t('gatekeeperIndex.poweredBy')"
       url="https://github.com/open-policy-agent/gatekeeper"
     />
+    <Banner color="warning">
+      <span v-clean-html="t('gatekeeperIndex.deprecated', {}, true)" />
+    </Banner>
     <div class="spacer" />
     <div class="mb-10">
       <h2><t k="gatekeeperIndex.violations" /></h2>

package/pages/c/_cluster/uiplugins/index.vue

@@ -243,9 +243,9 @@ export default {
 
       all = all.map((chart) => {
         // Label can be overridden by chart annotation
-        const label = uiPluginAnnotation(UI_PLUGIN_CHART_ANNOTATIONS.DISPLAY_NAME) || chart.chartNameDisplay;
+        const label = uiPluginAnnotation(chart, UI_PLUGIN_CHART_ANNOTATIONS.DISPLAY_NAME) || chart.chartNameDisplay;
         const item = {
-          name:         chart.chartNameDisplay,
+          name:         chart.chartName,
           label,
           description:  chart.chartDescription,
           id:           chart.id,
@@ -305,7 +305,7 @@ export default {
         if (!chart) {
           // A plugin is loaded, but there is no chart, so add an item so that it shows up
           const rancher = typeof p.metadata?.rancher === 'object' ? p.metadata.rancher : {};
-          const label = rancher[UI_PLUGIN_CHART_ANNOTATIONS.DISPLAY_NAME] || p.name;
+          const label = rancher.annotations?.[UI_PLUGIN_CHART_ANNOTATIONS.DISPLAY_NAME] || p.name;
           const item = {
             name:           p.name,
             label,

package/plugins/steve/__tests__/header-warnings.spec.ts

@@ -0,0 +1,238 @@
+import { handleKubeApiHeaderWarnings } from '@shell/plugins/steve/header-warnings';
+import { DEFAULT_PERF_SETTING } from '@shell/config/settings';
+
+describe('steve: header-warnings', () => {
+  // eslint-disable-next-line jest/no-hooks
+
+  function setupMocks(settings = {
+    separator:             '299 - ',
+    notificationBlockList: ['299 - unknown field']
+  }) {
+    return {
+      dispatch:     jest.fn(),
+      consoleWarn:  jest.spyOn(console, 'warn').mockImplementation(),
+      consoleDebug: jest.spyOn(console, 'debug').mockImplementation(),
+      rootGetter:   {
+        'management/byId': (resource: string, id: string): { value: string} => {
+          return {
+            value: JSON.stringify({
+              ...DEFAULT_PERF_SETTING,
+              kubeAPI: { warningHeader: settings }
+            })
+          };
+        },
+        'i18n/t': (key: string, { resourceType }: any) => {
+          return `${ key }_${ resourceType }`;
+        }
+      }
+    };
+  }
+
+  function createMockRes( headers = {}, data = { type: inputResourceType }) {
+    return {
+      headers, config: { url: 'unit/test' }, data
+    };
+  }
+
+  function createGrowlResponse(message: string, action = updateKey) {
+    return [
+      'growl/warning',
+      {
+        message, timeout: 0, title: `${ action }_${ inputResourceType }`
+      },
+      { root: true }
+    ];
+  }
+
+  function createConsoleResponse(warnings: string) {
+    return `Validation Warnings for unit/test\n\n${ warnings }`;
+  }
+
+  const inputResourceType = 'abc';
+  const updateKey = 'growl.kubeApiHeaderWarning.titleUpdate';
+  const createKey = 'growl.kubeApiHeaderWarning.titleCreate';
+  const podSecurity = '299 - would violate PodSecurity "restricted:latest": unrestricted capabilities (container "container-0" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (container "container-0" must not set securityContext.runAsNonRoot=false), seccompProfile (pod or container "container-0" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")';
+  const deprecated = "299 - i'm deprecated";
+  const validation = '299 - unknown field "spec.containers[0].__active"';
+
+  describe('no warnings', () => {
+    it('put, no header warning', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(createMockRes(),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'put',
+        true,
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).not.toHaveBeenCalled();
+    });
+
+    it('post, no header warning', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(createMockRes(),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'post',
+        true,
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).not.toHaveBeenCalled();
+    });
+
+    it('patch, no header warning', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(createMockRes(),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'patch',
+        true,
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).not.toHaveBeenCalled();
+    });
+
+    it('get, no header warning', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(createMockRes(),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'get',
+        true,
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).not.toHaveBeenCalled();
+    });
+
+    it('get, warnings', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(createMockRes( { warnings: ['erg'] }),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'get',
+        true,
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).not.toHaveBeenCalled();
+    });
+
+    it('blocked (via default config)', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(
+        createMockRes({ warning: validation }),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'put',
+        true
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).toHaveBeenCalledWith(createConsoleResponse(validation));
+    });
+
+    it('blocked (via custom config)', () => {
+      const mocks = setupMocks({
+        separator:             '299 - ',
+        notificationBlockList: [deprecated]
+      });
+
+      handleKubeApiHeaderWarnings(
+        createMockRes({ warning: deprecated }),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'put',
+        true
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).toHaveBeenCalledWith(createConsoleResponse(deprecated));
+    });
+
+    it('multi blocked (via custom config)', () => {
+      const mocks = setupMocks({
+        separator:             '299 - ',
+        notificationBlockList: [deprecated, podSecurity]
+      });
+
+      handleKubeApiHeaderWarnings(
+        createMockRes({ warning: `${ deprecated },${ podSecurity }` }),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'put',
+        true
+      );
+
+      expect(mocks.dispatch).not.toHaveBeenCalled();
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).toHaveBeenCalledWith(createConsoleResponse(`${ deprecated }\n${ podSecurity }`));
+    });
+  });
+
+  describe('warnings', () => {
+    it('deprecated', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(
+        createMockRes({ warning: deprecated }),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'put',
+        true,
+      );
+
+      expect(mocks.dispatch).toHaveBeenCalledWith(...createGrowlResponse(deprecated));
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).toHaveBeenCalledWith(createConsoleResponse(deprecated));
+    });
+
+    it('pod security', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(
+        createMockRes({ warning: podSecurity }),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'post',
+        true,
+      );
+
+      expect(mocks.dispatch).toHaveBeenCalledWith(...createGrowlResponse(podSecurity, createKey));
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).toHaveBeenCalledWith(createConsoleResponse(podSecurity));
+    });
+
+    it('deprecated & pod security', () => {
+      const mocks = setupMocks();
+
+      handleKubeApiHeaderWarnings(
+        createMockRes({ warning: `${ deprecated },${ podSecurity }` }),
+        mocks.dispatch,
+        mocks.rootGetter,
+        'put',
+        true,
+      );
+
+      expect(mocks.dispatch).toHaveBeenCalledWith(...createGrowlResponse(`${ deprecated }, ${ podSecurity }` ));
+      expect(mocks.consoleWarn).not.toHaveBeenCalled();
+      expect(mocks.consoleDebug).toHaveBeenCalledWith(createConsoleResponse(`${ deprecated }\n${ podSecurity }`));
+    });
+  });
+});

package/plugins/steve/actions.js

@@ -8,6 +8,7 @@ import isObject from 'lodash/isObject';
 import { classify } from '@shell/plugins/dashboard-store/classify';
 import { NAMESPACE } from '@shell/config/types';
 import jsyaml from 'js-yaml';
+import { handleKubeApiHeaderWarnings } from '@shell/plugins/steve/header-warnings';
 
 export default {
 
@@ -85,7 +86,7 @@ export default {
 
     while (true) {
       try {
-        const out = await makeRequest(this, opt);
+        const out = await makeRequest(this, opt, rootGetters);
 
         if (!opt.depaginate) {
           return out;
@@ -116,7 +117,7 @@ export default {
       }
     }
 
-    function makeRequest(that, opt) {
+    function makeRequest(that, opt, rootGetters) {
       return that.$axios(opt).then((res) => {
         let out;
 
@@ -128,9 +129,7 @@ export default {
 
         finishDeferred(key, 'resolve', out);
 
-        if (opt.method === 'post' || opt.method === 'put') {
-          handleValidationWarnings(res);
-        }
+        handleKubeApiHeaderWarnings(res, dispatch, rootGetters, opt.method);
 
         return out;
       });
@@ -196,24 +195,6 @@ export default {
 
       return Promise.reject(out);
     }
-
-    function handleValidationWarnings(res) {
-      const warnings = (res.headers?.warning || '').split(',');
-
-      if (!warnings.length || !warnings[0]) {
-        return;
-      }
-
-      const message = warnings.reduce((message, warning) => {
-        return `${ message }\n${ warning.trim() }`;
-      }, `Validation Warnings for ${ opt.url }\n`);
-
-      if (process.env.dev) {
-        console.warn(`${ message }\n\n`, res.data); // eslint-disable-line no-console
-      } else {
-        console.debug(message); // eslint-disable-line no-console
-      }
-    }
   },
 
   promptMove({ commit, state }, resources) {

package/plugins/steve/header-warnings.ts

@@ -0,0 +1,91 @@
+import { PerfSettingsWarningHeaders } from '@shell/config/settings';
+import { getPerformanceSetting } from '@shell/utils/settings';
+
+interface HttpResponse {
+  headers?: { [key: string]: string},
+  data?: any,
+  config: {
+    url: string,
+  }
+}
+
+/**
+ * Cache the kube api warning header settings that will determine if they are growled or not
+ */
+let warningHeaderSettings: PerfSettingsWarningHeaders;
+
+/**
+ * Extract sanitised warnings from the warnings header string
+ */
+function kubeApiHeaderWarnings(allWarnings: string): string[] {
+  // Find each warning.
+  // Each warning is separated by `,`... however... this can appear within the warning itself so can't `split` on it
+  // Instead provide a configurable way to split (default 299 - )
+  const warnings = allWarnings.split(warningHeaderSettings.separator) || [];
+
+  // Trim and remove effects of split
+  return warnings.reduce((res, warning) => {
+    const trimmedWarning = warning.trim();
+
+    if (!trimmedWarning) {
+      return res;
+    }
+
+    const fixedWarning = trimmedWarning.endsWith(',') ? trimmedWarning.slice(0, -1) : trimmedWarning;
+
+    // Why add the separator again? It's almost certainly `299 - ` which is important info to include
+    res.push(warningHeaderSettings.separator + fixedWarning);
+
+    return res;
+  }, [] as string[]);
+}
+
+/**
+ * Take action given the `warnings` in the response header of a kube api request
+ */
+// eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
+export function handleKubeApiHeaderWarnings(res: HttpResponse, dispatch: any, rootGetters: any, method: string, refreshCache = false): void {
+  const safeMethod = method?.toLowerCase(); // Some requests have this as uppercase
+
+  // Exit early if there's no warnings
+  if ((safeMethod !== 'post' && safeMethod !== 'put') || !res.headers?.warning) {
+    return;
+  }
+
+  // Grab the required settings
+  if (!warningHeaderSettings || refreshCache) {
+    const settings = getPerformanceSetting(rootGetters);
+
+    // Cache this, we don't need to react to changes within the same session
+    warningHeaderSettings = settings?.kubeAPI.warningHeader;
+  }
+
+  // Determine each warning
+  const sanitisedWarnings = kubeApiHeaderWarnings(res.headers?.warning);
+
+  if (!sanitisedWarnings.length) {
+    return;
+  }
+
+  // Shows warnings as growls
+  const growlWarnings = sanitisedWarnings.filter((w) => !warningHeaderSettings.notificationBlockList.find((blocked) => w.startsWith(blocked)));
+
+  if (growlWarnings.length) {
+    const resourceType = res.data?.type || res.data?.kind || rootGetters['i18n/t']('generic.resource', { count: 1 });
+
+    dispatch('growl/warning', {
+      title:   method === 'put' ? rootGetters['i18n/t']('growl.kubeApiHeaderWarning.titleUpdate', { resourceType }) : rootGetters['i18n/t']('growl.kubeApiHeaderWarning.titleCreate', { resourceType }),
+      message: growlWarnings.join(', '),
+      timeout: 0,
+    }, { root: true });
+  }
+
+  // Print warnings to console
+  const message = `Validation Warnings for ${ res.config.url }\n\n${ sanitisedWarnings.join('\n') }`;
+
+  if (process.env.dev) {
+    console.warn(`${ message }\n\n`, res.data); // eslint-disable-line no-console
+  } else {
+    console.debug(message); // eslint-disable-line no-console
+  }
+}

package/promptRemove/management.cattle.io.project.vue

@@ -71,9 +71,12 @@ export default {
     names() {
       return this.filteredNamespaces.map((obj) => obj.nameDisplay).slice(0, 5);
     },
-    // Only admins and cluster owners can see namespaces outside of projects
-    canSeeProjectlessNamespaces() {
-      return this.currentCluster.canUpdate;
+
+    canManageNamespaces() {
+      // Only admins and cluster owners can see namespaces outside of projects
+      // BUT cluster members can also manage projects and namespaces and may want to not delete the namespaces associated with the project
+      // as per https://github.com/rancher/dashboard/issues/9517 despite the namespaces cannot be seen afterwards (projectless)
+      return this.currentCluster.canUpdate || (this.currentProject.canDelete && this.filteredNamespaces.length && this.filteredNamespaces[0]?.canDelete);
     }
   },
   methods: {
@@ -81,7 +84,7 @@ export default {
     remove() {
       // Delete all of thre namespaces and return false - this tells the prompt remove dialog to continue and delete the project
       // Delete all namespaces if the user wouldn't be able to see them after deleting the project
-      if (this.deleteProjectNamespaces || !this.canSeeProjectlessNamespaces) {
+      if (this.deleteProjectNamespaces || !this.canManageNamespaces) {
         return Promise.all(this.filteredNamespaces.map((n) => n.remove())).then(() => false);
       }
 
@@ -97,7 +100,7 @@ export default {
     <div>
       <div class="mb-10">
         {{ t('promptRemove.attemptingToRemove', { type }) }} <span class="display-name">{{ `${displayName}.` }}</span>
-        <template v-if="!canSeeProjectlessNamespaces">
+        <template v-if="!canManageNamespaces">
           <span class="delete-warning"> {{ t('promptRemove.willDeleteAssociatedNamespaces') }}</span> <br>
           <div
             v-clean-html="resourceNames(names, plusMore, t)"
@@ -106,7 +109,7 @@ export default {
         </template>
       </div>
       <div
-        v-if="filteredNamespaces.length > 0 && canSeeProjectlessNamespaces"
+        v-if="filteredNamespaces.length > 0 && canManageNamespaces"
         class="mt-20 remove-project-dialog"
       >
         <Checkbox