k9s
k9s copied to clipboard
derailed
k9s fails to connect if only namespace access is provided without access to selfsubjectaccessreviews and access to list all namespaces
Describe the bug k9s relies on access to selfsubjectaccessreviews and access to all namespaces. Requesting to remove that requirement please so that cluster with only specific namespace can be visualized in k9s tool.
It is possible to connect to kubernetes cluster using kubectl properly. kubectl get pods / kubectl get jobs command give successful response.
However trying to connect using k9s keeps giving error:
kubectl get pods
NAME READY STATUS RESTARTS AGE
shmpri-p-jg8lh 0/1 ImagePullBackOff 0 21h
k9s -n $MY_NAMESPACE_NAME
Error: [list] access denied on resource "shmpri":"v1/pods"
...
panic: [list] access denied on resource "shmpri":"v1/pods"
goroutine 1 [running]:
github.com/derailed/k9s/cmd.Execute()
github.com/derailed/k9s/cmd/root.go:72 +0x80
main.main()
github.com/derailed/k9s/main.go:32 +0x1c
K9s logs indicate error in accessing selfsubjectaccessreviews and all namespace list ... our admin can't provide access to these for security reasons.
[90m2:08PM[0m [32mINF[0m [1m🐶 K9s starting up...[0m
[90m2:08PM[0m [33mWRN[0m [1m Dial Failed![0m [36merror=[0m[31m[1m"selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"[0m[0m
[90m2:08PM[0m [33mWRN[0m [1mnamespace validation failed for: "shmpri"[0m [36merror=[0m[31m[1m"user not authorized to list all namespaces"[0m[0m
[90m2:08PM[0m [32mINF[0m [1m✅ Kubernetes connectivity[0m
[90m2:08PM[0m [33mWRN[0m [1mnamespace validation failed for: "shmpri"[0m [36merror=[0m[31m[1m"user not authorized to list all namespaces"[0m[0m
[90m2:08PM[0m [33mWRN[0m [1m Dial Failed![0m [36merror=[0m[31m[1m"selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"[0m[0m
[90m2:08PM[0m [33mWRN[0m [1m Dial Failed![0m [36merror=[0m[31m[1m"selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"[0m[0m
[90m2:08PM[0m [33mWRN[0m [1mFail CRDs load[0m [36merror=[0m[31m[1m"selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"[0m[0m
[90m2:08PM[0m [33mWRN[0m [1m Dial Failed![0m [36merror=[0m[31m[1m"selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"[0m[0m
[90m2:08PM[0m [31mERR[0m [1mComponent init failed for "Pod"[0m [36merror=[0m[31m[1m"selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"[0m[0m
[90m2:08PM[0m [31mERR[0m [1mDefault run command failed "pod"[0m [36merror=[0m[31m[1m"selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"[0m[0m
[90m2:08PM[0m [31mERR[0m [1mComponent init failed for "Pod"[0m [36merror=[0m[31m[1m"[list] access denied on resource \"shmpri\":\"v1/pods\""[0m[0m
To Reproduce Steps to reproduce the behavior:
- Create kubernetes cluster.
- Create namespace 'shmpri'.
- Remove access to selfsubjectaccessreviews and all namespaces to user account 'unicman'. Give full access to 'unicman' for all resources of namespace 'shmpri'. This includes resources like pods and services but not ones like namespaces and nodes.
-
brew install kubernetes-clion Mac laptop. -
brew install k9son Mac laptop. - Generate kubeconfig to connect to cluster and specifically namespace 'shmpri'. Ensure
~/.kube/configis present. - Execute
kubectl apply -f <sample.yaml>. sample.yaml can be any standard pod / job deployment. Issue is not about it so it doesn't matter what you would use. - Execute
kubectl get pods. Ensure that pod(s) are visible in 'shmpri' namespace. - Execute
k9s. Expected behavior is text UI would open and allow k8s resources to be viewed. But it fails. - Execute
k9s -n shmpri. Expected behavior is text UI would open and allow k8s resources to be viewed. But it fails.
Historical Documents N/A
Expected behavior k9s should allow traversing all pods and jobs etc in namespace 'shmpri'.
Screenshots Console output pasted above.
Versions (please complete the following information):
- OS: Mac OS Sonoma 14.4.1
- K9s:
k9s version
____ __.________
| |/ _/ __ \______
| < \____ / ___/
| | \ / /\___ \
|____|__ \ /____//____ >
\/ \/
Version: v0.32.4
Commit: d3027c8f2916b23606f647f47b434b08fc34bdf8
Date: 2024-03-20T19:16:59Z
- K8s:
kubectl version
Client Version: v1.30.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.26.2
Additional context N/A
I'm encountering the same bug. It can be reproduced when a nonexistent namespace or one that for which my user doesn't have credentials is used.
I would suggest adding a new check at startup, in the InitConnection function, and reuse the CanI function to make sure we can at least get pods.
https://github.com/derailed/k9s/blob/626bde11f31e08cf8081bced7d911f6d121582fc/internal/client/client.go#L147
if that's not possible, we should fallback to showing the context switch panel when starting the app
https://github.com/derailed/k9s/blob/626bde11f31e08cf8081bced7d911f6d121582fc/internal/view/command.go#L213-L215
what's your take on this @derailed ? if it seems like a valid check, I will submit a PR
