kubectl-tree
Cannot run with viewer role
When querying APIs, it failed to list secrets and cannot show the result.
When I try to run kubectl tree with the viewer role, I get the following error:
Error: error while querying api objects: listing resources failed (/v1, Resource=secrets):
secrets is forbidden: User "[email protected]" cannot list resource "secrets" in API group "" at the cluster scope: Required "container.secrets.list" permission.
Hi @tjun! I believe this could be solved by just updating your role to have list permissions on Secret objects. Do you have permissions in your cluster to modify RBAC?
I think we’re talking about GKE Viewer role here. Have you tried “viewer” role in Kubernetes rbac?
I suspect GKE Viewer doesn’t let the subject view Secrets in a cluster, for a good reason.
Thanks!
Have you tried “viewer” role in Kubernetes rbac?
Yes, I already have a viewer role in Kubernetes rbac for the target namespace. I don't have a cluster-level viewer role. I think kubectl-tree tries to fetch Secrets in another namespace (default)?
Kubectl tree tries to retrieve every single API resource in your cluster.
In the future we might introduce an --ignore-inaccessible option (and log those failures as warnings), but for now we flat out fail.
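
To find out in advance which resource types would trigger this failure for a restricted identity, the following check asks the API server whether the current user may list each listable resource at cluster scope. It is an added example, not part of this thread or of kubectl-tree; it assumes `kubectl` is on PATH, and the `KUBECTL` variable and the function name are hypothetical.

```shell
#!/bin/sh
# Added example: report resource types the current identity cannot list at
# cluster scope, the same kind of call that fails in the error quoted above.
# KUBECTL is a hypothetical override (e.g. a wrapper that sets --context).
KUBECTL="${KUBECTL:-kubectl}"

# Prints one resource name per line for every listable API resource where
# "list" across all namespaces is denied.
# Returns 0 if nothing is denied, 1 if at least one resource is denied,
# 2 if the resource types could not be discovered at all.
inaccessible_resources() {
  local resources resource answer denied
  denied=0

  # Only resource types that support the "list" verb are relevant.
  resources="$("$KUBECTL" api-resources --verbs=list -o name)" || return 2

  # Resource names contain no whitespace, so word splitting is safe here.
  for resource in $resources; do
    # "auth can-i" exits non-zero on a "no" answer, so compare the printed
    # answer instead of the exit status; warnings go to stderr and are dropped.
    answer="$("$KUBECTL" auth can-i list "$resource" --all-namespaces 2>/dev/null || true)"
    case "$answer" in
      yes) ;;
      *)
        printf '%s\n' "$resource"
        denied=1
        ;;
    esac
  done

  return "$denied"
}

# Usage: inaccessible_resources || echo "some resource types are not listable" >&2
```

An empty result means the identity can list every resource type cluster-wide; any name printed (for example `secrets` under a viewer role that withholds Secrets) is a type the tool cannot query with that role.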