
Can't access cluster: "User needs access to the namespaces resource"

Open dgollub opened this issue 1 year ago • 3 comments

Hi,

Installed the latest alpha (0.2.2-alpha) and trying to access one of my clusters (EKS on AWS) and all I get is this popup:

[Screenshot 2024-01-17 at 10 24 50]

Clicking on the "edit the accessible namespaces" button does nothing.

More information:

  • I am on a MacBook Pro M1 with Sonoma 14.1.1 (23B81)
  • My default profile in my ~/.aws/credentials file has no access to the cluster
  • To access the cluster I do aws sts assume-role --role-arn ... before using helm, eksctl, kubectl, etc.

Any ideas? I understand this is still very much alpha software, so bugs are to be expected, although this could also be an issue on my side.

Let me know if you need more information. Thanks.

dgollub avatar Jan 17 '24 01:01 dgollub

Hi Daniel, Thank you for reporting this bug.

A couple of questions: Did you run aws sts assume-role --role-arn .. before running K8studio? Also, can you run kubectl auth can-i --list and see if you have access to any namespace? We are going to set up a similar env in AWS to test. If it is not a problem, could you share the role policies with us?

guiqui avatar Jan 17 '24 05:01 guiqui

Hi guiqui,

Did you run aws sts assume-role --role-arn .. before running K8studio?

Nope. And I understand this is not an issue with K8studio per se. All other similar tools behave the same for me, e.g. k9s, OpenLens, etc. also don't allow me to access the cluster unless I assume the proper role before running those.

I'd just love to see a better UI/UX for this use-case. For example, when you detect this, why not pop up a dialog that asks the user "Seems like your current AWS user is not allowed to access this cluster. Would you like to assume a different IAM role to access this cluster?" and then have a list of available roles (if you somehow can get this from ~/.aws/credentials maybe) or have an input box that lets the user enter the role's name. Or maybe have a config option somewhere where I can add AWS roles and present those in a dropdown in the popup or something.

Good idea or not, I'll let you decide.

Also, can you run kubectl auth can-i --list and see if you have access to any namespace?

$ aws sts get-caller-identity
{
    "UserId": "Axxxx",
    "Account": "1xxxx",
    "Arn": "arn:aws:iam::1xxx:user/daniel"
}

$ kubectl auth can-i --list 

Warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

That being said, I work with 4 different clusters, 2 in AWS and 2 in GCP. The GCP ones can be accessed without issues.

If it is not a problem, could you share the role policies with us?

The role policies are exactly the ones outlined here:

  • AmazonEC2FullAccess
  • AmazonEKSClusterPolicy
  • AmazonEKSServicePolicy
  • AmazonEKSVPCResourceController
  • AmazonEKSWorkerNodePolicy
  • AWSCloudFormationFullAccess

I hope this helps. Thanks for looking into it.

dgollub avatar Jan 18 '24 10:01 dgollub

Often a role may have rights to a specific namespace, without access to the entire list. Just need the ability to select the namespace manually in advance, like it works in k9s or Lens.

d-enk avatar Mar 11 '24 15:03 d-enk
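As an added example, not code from k8Studio or from anyone in this thread: the Python below parses the `kubectl auth can-i --list` table quoted above (sample input constructed from it, plus a constructed table for the namespace-scoped role d-enk describes) and builds the SelfSubjectAccessReview body a client can send to check one namespace instead of requiring a cluster-wide list on namespaces. The namespace name team-a and the rows in SCOPED_OUTPUT are assumptions.

```python
# Added example, not k8Studio's code: parse `kubectl auth can-i --list` output and
# build the SelfSubjectAccessReview a client can POST to probe a single namespace.
import re

# Constructed from the output quoted in the thread (non-resource rows trimmed to three).
CAN_I_OUTPUT = """\
Warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]
                                                [/version]          []               [get]
"""
# Constructed (assumption): what a namespace-scoped role prints with `-n team-a`.
SCOPED_OUTPUT = """\
Resources   Non-Resource URLs   Resource Names   Verbs
pods        []                  []               [get list watch]
pods/log    []                  []               [get]
"""

def _items(field):
    return field.strip("[]").split()        # '[get list]' -> ['get', 'list'], '[]' -> []

def parse_can_i_list(text):
    """One dict per table row; a row starting with spaces has no Resources entry."""
    rules = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.rstrip())
        if len(cols) != 4 or cols[0] == "Resources":
            continue                         # header, warning, blank or malformed line
        res, urls, names, verbs = cols
        rules.append({"resources": [res] if res else [], "non_resource_urls": _items(urls),
                      "names": _items(names), "verbs": _items(verbs)})
    return rules

def can_i(rules, verb, resource):
    """True if a rule grants `verb` on `resource` (API-group suffix ignored, '*' honoured)."""
    return any((verb in r["verbs"] or "*" in r["verbs"])
               and any(x.split(".", 1)[0] in ("*", resource) for x in r["resources"])
               for r in rules)

def ssar_body(verb, resource, namespace=None):
    """Body for POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews."""
    attrs = {"verb": verb, "resource": resource}
    if namespace:                            # omitted for cluster-scoped checks like `list namespaces`
        attrs["namespace"] = namespace
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}
```

On the thread's output, `can_i(rules, "list", "namespaces")` is False, which is exactly the condition behind the popup; a per-namespace SelfSubjectAccessReview still lets a tool confirm access to a namespace the user names by hand.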