kubectx
Make namespaceExists check optional on switch
Context
When we want to switch the namespace we run switchNamespace. This function makes a verification to check if the namespace we are switching to exists.
Problem
On some occasions we don't have access to listing all namespaces as namespaceExists requires. The result is that kubens becomes useless.
Solution
Adding a flag --no-verify (just an example) that skips this verification and changes the context even if the namespace doesn't exist.
Contribution
I'd love to contribute and add this piece of code if it makes sense to the project. Let's discuss a good way of doing this.
This is a duplicate of #83 and #19.
Presumably, we fixed this in #236 as we migrated from namespaces.list to namespaces.get on the specific namespace.
Can you please confirm whether you are in a situation where you can browse the resources under the specific namespace, but not GET that Namespace object itself (kubectl get namespace NAME fails with a permission denied error)? I am suspecting this rarely is the case out there in the world, and if that's the case.
We currently check if GET Namespace returns a 404 Not Found to determine if the namespace doesn't exist. But we can assume 403 Forbidden also means the namespace exists and we can let you switch into that.
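One way to express the 404-versus-403 decision described above, as an added shell example that is not code from kubens or from anyone in this thread. The function names and the fake_kubectl stub with its responses are constructed for illustration; Forbidden is kept as its own state because a denied request says nothing either way about whether the namespace exists.

```shell
#!/bin/sh
# Added example, not kubens source code.

# Constructed stand-in for kubectl so the example runs offline. It is called as:
#   fake_kubectl get namespace NAME -o name
fake_kubectl() {
  case "$3" in
    team-a) echo "namespace/team-a" ;;
    locked) echo "Error from server (Forbidden): namespaces \"locked\" is forbidden: User \"dev\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"locked\"" >&2
            return 1 ;;
    down)   echo "The connection to the server localhost:8080 was refused - did you specify the right host or port?" >&2
            return 1 ;;
    *)      echo "Error from server (NotFound): namespaces \"$3\" not found" >&2
            return 1 ;;
  esac
}

# namespace_state NAME prints one of: exists, forbidden, missing, error.
namespace_state() {
  ns_name="$1"
  # Capture stderr only; stdout is discarded.
  if ns_err="$($KUBECTL get namespace "$ns_name" -o name 2>&1 >/dev/null)"; then
    echo exists
    return 0
  fi
  case "$ns_err" in
    *"(Forbidden)"*) echo forbidden ;;  # 403: existence cannot be confirmed
    *"(NotFound)"*)  echo missing ;;    # 404: definitely absent
    *)               echo error ;;      # network, auth or other failure
  esac
}

# may_switch NAME succeeds for "exists" and "forbidden" only, so a typo that
# yields NotFound, or an unreachable cluster, never changes the context.
may_switch() {
  case "$(namespace_state "$1")" in
    exists|forbidden) return 0 ;;
    *)                return 1 ;;
  esac
}

# Demo against the stub; set KUBECTL=kubectl to query a real cluster instead.
KUBECTL=fake_kubectl
for n in team-a locked typo down; do
  printf '%s: %s\n' "$n" "$(namespace_state "$n")"
done
```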
@vitorfhc if you still have the same set up, it would be great if you can confirm this:
Can you please confirm whether you are in a situation where you can browse the resources under the specific namespace, but not GET that Namespace object itself (kubectl get namespace NAME fails with a permission denied error)?
@ahmetb you are quite right, a rare situation.
➜ ~ kubectl get namespace aui-dev
Error from server (Forbidden): namespaces "xxxxx" is forbidden: User "vitor" cannot get resource "namespaces" in API group "" in the namespace "xxxxx"
Even though this is a rare situation, I believe it would be interesting to add a flag which ignores the verification of namespace's existence.
Bumping the above, we don't have get permission on the namespace
@druvv you can always obtain the bash version of kubens from the root of the repository which doesn't have this problem. This issue is present only in the Go implementation.
In many corporate (and other) clusters listing or even a get on a namespace is restricted.
I think in the spirit of what one wants to achieve dropping the pre-check and rather failing on the other end is a better option.
Btw, the bash implementation also has this issue if you don't have get namespace permissions.
Using kubectl auth can-i one can determine if one has permissions in the namespace.
The question is which resource should be preferred as a bare minimum, "everybody must have this".
➜ ~ kubectl auth can-i get pods # In an existing namespace I have permissions in
yes
➜ ~ kubens does-not-exist
Context "nnn" modified.
Active namespace is "does-not-exist".
➜ ~ kubectl auth can-i get pods
no
Based on this - still looking for a better "permission" to check, but:
# Ref https://github.com/ahmetb/kubectx/blob/master/kubens#L101
switch_namespace() {
  local ctx="${1}"
  local ns="${2}"
  local ret=0
  # Permission used as a proxy for "the user can work in this namespace".
  local verb="get"
  local resource="pods"
  local perm="${verb} ${resource}"
  # Quote the namespace so it always reaches kubectl as a single argument.
  if $KUBECTL -n "${ns}" auth can-i "${verb}" "${resource}" >/dev/null 2>&1
  then
    $KUBECTL config set-context "${ctx}" --namespace="${ns}"
    echo "Active namespace is \"${ns}\".">&2
  else
    echo "Not changing active namespace to \"${ns}\", as permission to \"${perm}\" is missing."
    ret=1
  fi
  return ${ret}
}
And
# https://github.com/ahmetb/kubectx/blob/master/kubens#L128
set_namespace() {
  local ctx prev
  ctx="$(current_context)" || exit_err "error getting current context"
  prev="$(current_namespace)" || exit_err "error getting current namespace"
  # switch_namespace returns non-zero when the permission check fails.
  if ! switch_namespace "${ctx}" "${1}"; then
    echo "Failed to swich namespace to ${1}"
  fi
}
Then switching namespace will look like this
➜ ~ kubens asdf
Not changing active namespace to "asdf", as permission to "get pods" is missing.
Failed to swich namespace to asdf
➜ ~ kubens valid-ns
Context "nnn" modified.
Active namespace is "valid-ns".