
Cannot use cluster where I cannot list all nor get the current namespace but can use it

adietish opened this issue 11 months ago · 0 comments

In the following steps a new context is created and used where there's no current namespace. Furthermore, the user is not allowed to list all namespaces nor to inspect the current namespace (kubectl get namespace default fails), but it can be used to list pods within it (kubectl get pods -n default works).

Steps:

  1. ASSERT: use minikube
  2. EXEC: apply the following RBAC rules
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole   # the roleRef below binds a ClusterRole of this name
metadata:
  namespace: default   # no effect: ClusterRole is cluster-scoped
  name: can-read-pods
rules:
  - apiGroups: [""]          # core API group (pods)
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default   # no effect: ClusterRoleBinding is cluster-scoped
subjects:
  - kind: User
    name: user1        # must match the CN of the client certificate below
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: can-read-pods
  apiGroup: rbac.authorization.k8s.io
  3. EXEC: create a new user context and switch to it
openssl genrsa -out user1.key 2048   # generate the client key first; the CSR below reads it
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1"
openssl x509 -req -in user1.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out user1.crt -days 500
kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key
kubectl config set-context user1-context --cluster=minikube --user=user1   # note: no --namespace, so there is no current namespace
kubectl config use-context user1-context

Result: I have no resource tree to work with. I am shown the 3 buttons to login, choose a context (where user1-context is not listed because it's the current one) or add an openshift cluster.

For the context:

$ oc auth can-i get namespace
no
$ oc auth can-i get pod
yes
$ oc get namespaces
Error from server (Forbidden): namespaces is forbidden: User "user1" cannot list resource "namespaces" in API group "" at the cluster scope
$ oc get pod -n default
NAME                           READY   STATUS             RESTARTS        AGE
sise-deploy-69d88467b4-vhfsd   0/1     CrashLoopBackOff   94 (2m5s ago)   8h

Expected result: I should be able to see the resource tree with the current namespace.

adietish · Mar 19 '24 14:03
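The permission check behind this report, as an added example in TypeScript (the extension's language). This is not vscode-openshift-tools code and does not talk to a cluster: the cluster state is a constructed in-memory copy of the issue's ClusterRole and ClusterRoleBinding, `canI` is a hypothetical simulation of the SelfSubjectAccessReview that `kubectl auth can-i` issues, and `probeContext`/`isContextUsable` are hypothetical names for the check a client tool could run. The fallback to the `default` namespace mirrors what kubectl does for a context with no namespace set.

```typescript
// Added example (not the vscode-openshift-tools code): a minimal model of the
// RBAC set up in this issue and of the permission probe a client tool should use
// to decide whether a context is usable without being able to read namespaces.

interface PolicyRule {
  apiGroups: string[];
  resources: string[];
  verbs: string[];
}

interface ClusterRole {
  name: string;
  rules: PolicyRule[];
}

interface ClusterRoleBinding {
  roleName: string;
  users: string[];
}

interface AccessRequest {
  user: string;
  verb: string;
  resource: string;
  apiGroup?: string; // "" is the core API group (pods, namespaces)
  namespace?: string; // undefined means a cluster-scoped request
}

interface KubeContext {
  cluster: string;
  user: string;
  namespace?: string;
}

// Constructed cluster state mirroring the issue's manifests: a ClusterRole that
// only allows get/watch/list on core-group pods, bound cluster-wide to user1.
const clusterRoles: ClusterRole[] = [
  {
    name: "can-read-pods",
    rules: [{ apiGroups: [""], resources: ["pods"], verbs: ["get", "watch", "list"] }],
  },
];

const clusterRoleBindings: ClusterRoleBinding[] = [
  { roleName: "can-read-pods", users: ["user1"] },
];

// RBAC rule fields match either the exact value or the "*" wildcard.
function matches(allowed: string[], value: string): boolean {
  return allowed.indexOf("*") >= 0 || allowed.indexOf(value) >= 0;
}

// Simulated SelfSubjectAccessReview (what `kubectl auth can-i` issues): the
// request is allowed if any rule of a role bound to the user covers it. A
// ClusterRoleBinding applies in every namespace and at cluster scope, so the
// request's namespace does not narrow this evaluation; a RoleBinding would.
function canI(req: AccessRequest): boolean {
  const group = req.apiGroup !== undefined ? req.apiGroup : "";
  for (const binding of clusterRoleBindings) {
    if (binding.users.indexOf(req.user) < 0) continue;
    for (const role of clusterRoles) {
      if (role.name !== binding.roleName) continue;
      for (const rule of role.rules) {
        if (matches(rule.apiGroups, group) && matches(rule.resources, req.resource) && matches(rule.verbs, req.verb)) {
          return true;
        }
      }
    }
  }
  return false;
}

// kubectl treats a context without a namespace as "default".
function effectiveNamespace(ctx: KubeContext): string {
  return ctx.namespace ? ctx.namespace : "default";
}

interface NamespaceProbe {
  namespace: string;
  canListNamespaces: boolean; // the check that fails for user1
  canGetNamespace: boolean; // also fails for user1
  canListPods: boolean; // the check that actually decides usability
}

// Hypothetical probe: ask for the namespaced verb the tool needs (listing pods)
// in the effective namespace, instead of requiring `get namespace` or
// `list namespaces`, which a least-privilege user is often denied.
function probeContext(ctx: KubeContext): NamespaceProbe {
  const namespace = effectiveNamespace(ctx);
  return {
    namespace,
    canListNamespaces: canI({ user: ctx.user, verb: "list", resource: "namespaces" }),
    canGetNamespace: canI({ user: ctx.user, verb: "get", resource: "namespaces" }),
    canListPods: canI({ user: ctx.user, verb: "list", resource: "pods", namespace }),
  };
}

// A context is usable if the namespaced work succeeds, whether or not the
// namespace object itself is readable.
function isContextUsable(ctx: KubeContext): boolean {
  return probeContext(ctx).canListPods;
}

// The context created in the issue: user1, no namespace set.
const user1Context: KubeContext = { cluster: "minikube", user: "user1" };

console.log(probeContext(user1Context));
// { namespace: 'default', canListNamespaces: false, canGetNamespace: false, canListPods: true }
console.log("usable:", isContextUsable(user1Context));
```

Two caveats worth knowing when reproducing the setup. Any authenticated user may create a SelfSubjectAccessReview for itself, so this probe works for exactly the kind of user the issue describes. And because the manifests bind a ClusterRole through a ClusterRoleBinding, user1 can read pods in every namespace, not only `default`; a Role plus RoleBinding in `default` would be the least-privilege shape if the intent is to confine the user to one namespace, and the probe above is unaffected by that choice.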