k9s
k9s copied to clipboard
derailed
k9s says "no permission" whereas kubectl edit works fine
tl;dr:
https://github.com/derailed/k9s/blob/626bde11f31e08cf8081bced7d911f6d121582fc/internal/view/browser.go#L445-L451
During can-i, the resource name isn't included. Thus, when I only have access to edit specific resources, kubectl edit works, but k9s edit does not.
Describe the bug
We have RBAC setup, s.t. edit rights are only granted on specific resourceNames.
Thus, I can do:
kubectl edit crd/can-edit
But I cannot do:
kubectl edit crd/cannot-edit
When trying to edit can-edit using k9s I get the following in the logs:
[CAN] apiextensions.k8s.io/v1/customresourcedefinitions([patch]) &SelfSubjectAccessReview{ObjectMeta:{ 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] [{k9s.exe Update authorization.k8s.io/v1 2024-07-04 13:59:36 +0200 CEST FieldsV1 {"f:spec":{"f:resourceAttributes":{".":{},"f:group":{},"f:resource":{},"f:verb":{},"f:version":{}}}} }]},Spec:SelfSubjectAccessReviewSpec{ResourceAttributes:&ResourceAttributes{Namespace:,Verb:patch,Group:apiextensions.k8s.io,Version:v1,Resource:customresourcedefinitions,Subresource:,Name:,},NonResourceAttributes:nil,},Status:SubjectAccessReviewStatus{Allowed:false,Reason:,EvaluationError:,Denied:false,},} <<<nil>>>
current user can't edit resource apiextensions.k8s.io/v1/customresourcedefinitions
The call needs to be made in such a way, that the resource-name is included.
To Reproduce Steps to reproduce the behavior:
Have some RBAC using a role such as this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: selective-crd-admin
rules:
- apiGroups: [ "someapi" ]
resources: [ "someresource" ]
verbs: [ "*" ]
resourceNames:
- "can-edit"
- Verify you don't have access before adding this RBAC.
- Verify you have access using
kubectl editafter applying the RBAC - Try editing the resource using k9s
Expected behavior
k9s needs to include the resource name during can-i
- K9s: 0.32.5
