
ClusterRole vs namespaced permissions

Open universam1 opened this issue 5 years ago • 4 comments

Looks like kube-janitor expects ClusterRole-level permissions.

However, for our least-privilege approach we cannot grant ClusterRole-level permissions. @hjacobs, could namespace-limited access via a Role be supported instead?

2020-03-11T15:53:13.726691299Z requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://10.100.0.1:443/api/v1/namespaces
2020-03-11T15:53:23.731598165Z 2020-03-11 15:53:23,731 DEBUG: Starting new HTTPS connection (1): 10.100.0.1
2020-03-11T15:53:23.73769914Z 2020-03-11 15:53:23,737 DEBUG: https://10.100.0.1:443 "GET /api/v1/namespaces HTTP/1.1" 403 297
2020-03-11T15:53:23.738242474Z 2020-03-11 15:53:23,737 ERROR: Failed to clean up: 403 Client Error: Forbidden for url: https://10.100.0.1:443/api/v1/namespaces
2020-03-11T15:53:23.738259476Z Traceback (most recent call last):
2020-03-11T15:53:23.738264047Z   File "/kube_janitor/main.py", line 66, in run_loop
2020-03-11T15:53:23.738267899Z     clean_up(
2020-03-11T15:53:23.738271363Z   File "/kube_janitor/janitor.py", line 279, in clean_up
2020-03-11T15:53:23.738274853Z     for namespace in Namespace.objects(api):
2020-03-11T15:53:23.738278123Z   File "/usr/local/lib/python3.8/site-packages/pykube/query.py", line 196, in __iter__
2020-03-11T15:53:23.738282166Z     return iter(self.query_cache["objects"])
2020-03-11T15:53:23.738285887Z   File "/usr/local/lib/python3.8/site-packages/pykube/query.py", line 186, in query_cache
2020-03-11T15:53:23.738297474Z     cache["response"] = self.execute().json()
2020-03-11T15:53:23.738301192Z   File "/usr/local/lib/python3.8/site-packages/pykube/query.py", line 161, in execute
2020-03-11T15:53:23.738304959Z     r.raise_for_status()
2020-03-11T15:53:23.738308315Z   File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 940, in raise_for_status
2020-03-11T15:53:23.738312089Z     raise HTTPError(http_error_msg, response=self)

universam1, Mar 11 '20 15:03

Yes, I think honoring --include-namespaces if it only has one option makes sense. We don't need to iterate over namespaces if they are already passed on the command line.

hjacobs, Mar 11 '20 20:03
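The selection logic hjacobs describes, as an added example written for this thread (it is not kube-janitor's code, and select_namespaces, fake_api and Forbidden are hypothetical names). It assumes the CLI convention used here: comma-separated names for --include-namespaces / --exclude-namespaces, with "all" meaning every namespace. It goes one step beyond the single-namespace case: any explicit list of names can be served from the arguments alone, because the 403 in the log comes from GET /api/v1/namespaces, and namespaces are a cluster-scoped resource that a namespaced Role can never grant list on. The API client is a constructed fake so the file runs offline.

```python
"""Skip the cluster-scoped namespace list when the caller names the namespaces.

Added example for this issue thread, not kube-janitor's own code. The names
select_namespaces(), fake_api() and Forbidden are hypothetical, and the API
client is a constructed fake so the file runs offline. Assumed CLI convention:
--include-namespaces / --exclude-namespaces are comma-separated names, and
"all" means every namespace.
"""
from typing import Callable, Iterable, List, Set


class Forbidden(Exception):
    """Stands in for the HTTP 403 the real client raises (requests' HTTPError)."""


def parse_names(value: str) -> Set[str]:
    """Split a comma-separated CLI value into a set of names, ignoring blanks."""
    return {v.strip() for v in value.split(",") if v.strip()}


def select_namespaces(include: str, exclude: str,
                      list_namespaces: Callable[[], Iterable[str]]) -> List[str]:
    """Return the sorted list of namespaces to clean up.

    When every included namespace is named explicitly, answer from the CLI
    arguments alone and never call the API: 'namespaces' is cluster-scoped,
    so a namespaced Role cannot grant 'list' on it, and avoiding the call is
    what makes a Role-only deployment possible. Only the "all" case lists
    namespaces, and a 403 there is re-raised with the fix spelled out.
    """
    included = parse_names(include)
    excluded = parse_names(exclude)
    if included and "all" not in included:
        return sorted(included - excluded)
    try:
        names = set(list_namespaces())
    except Forbidden as err:
        raise Forbidden(
            "listing namespaces needs a ClusterRole with 'list' on 'namespaces'; "
            "pass --include-namespaces=<name> to run with a namespaced Role "
            f"(original error: {err})"
        ) from err
    return sorted(names - excluded)


def fake_api(can_list_cluster_wide: bool,
             existing: Iterable[str]) -> Callable[[], List[str]]:
    """Constructed stand-in for the API server: denies the cluster-scoped list
    unless the service account is bound to a ClusterRole, mirroring the 403
    seen in the log above."""
    existing = list(existing)

    def list_namespaces() -> List[str]:
        if not can_list_cluster_wide:
            raise Forbidden("403 Client Error: Forbidden for url: "
                            "https://10.100.0.1:443/api/v1/namespaces")
        return existing

    return list_namespaces


if __name__ == "__main__":
    role_only = fake_api(False, ["default", "kube-system", "my-app"])
    cluster_role = fake_api(True, ["default", "kube-system", "my-app"])
    print(select_namespaces("my-app", "kube-system", role_only))   # ['my-app']
    print(select_namespaces("all", "kube-system", cluster_role))   # ['default', 'my-app']
    try:
        select_namespaces("all", "kube-system", role_only)
    except Forbidden as err:
        print("refused:", err)
```

With the namespace list no longer fetched, the service account only needs a Role and RoleBinding in the target namespace covering the resources kube-janitor deletes there; the ClusterRole that the 403 above asks for is not required at all.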

That would be amazing! It would harmonize well with the possibility of running it as a cron job, deployed alongside an application.

universam1, Mar 11 '20 21:03

@universam1 would you be willing to do a PR?

hjacobs, Mar 12 '20 09:03

Sorry @hjacobs, I have no exposure to Python, I'm a Golang guy :) But I'm available to help with testing!

universam1, Mar 12 '20 10:03