
k9s fails to connect if only namespace access is provided without access to selfsubjectaccessreviews and access to list all namespaces #2687

Open
unicman opened this issue May 1, 2024 · 1 comment

Comments

unicman commented May 1, 2024
Describe the bug
k9s relies on access to selfsubjectaccessreviews and access to all namespaces. Requesting that this requirement be removed, please, so that a cluster where only a specific namespace is accessible can be visualized in the k9s tool.

It is possible to connect to the kubernetes cluster properly using kubectl. The kubectl get pods / kubectl get jobs commands give a successful response.

However, trying to connect using k9s keeps giving this error:

kubectl get pods                                                          
NAME                 READY   STATUS             RESTARTS   AGE
shmpri-p-jg8lh   0/1     ImagePullBackOff   0          21h

k9s -n $MY_NAMESPACE_NAME                                                 
Error: [list] access denied on resource "shmpri":"v1/pods"

...

panic: [list] access denied on resource "shmpri":"v1/pods"

goroutine 1 [running]:
github.com/derailed/k9s/cmd.Execute()
	github.com/derailed/k9s/cmd/root.go:72 +0x80
main.main()
	github.com/derailed/k9s/main.go:32 +0x1c

K9s logs indicate errors accessing selfsubjectaccessreviews and listing all namespaces ... our admin can't provide access to these for security reasons.

2:08PM INF 🐶 K9s starting up...
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN namespace validation failed for: "shmpri" error="user not authorized to list all namespaces"
2:08PM INF ✅ Kubernetes connectivity
2:08PM WRN namespace validation failed for: "shmpri" error="user not authorized to list all namespaces"
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN Fail CRDs load error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM ERR Component init failed for "Pod" error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM ERR Default run command failed "pod" error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM ERR Component init failed for "Pod" error="[list] access denied on resource \"shmpri\":\"v1/pods\""

To Reproduce
Steps to reproduce the behavior:

  1. Create a kubernetes cluster.
  2. Create namespace 'shmpri'.
  3. Remove access to selfsubjectaccessreviews and to all namespaces from user account 'unicman'. Give 'unicman' full access to all resources of namespace 'shmpri'. This includes resources like pods and services but not ones like namespaces and nodes.
  4. brew install kubernetes-cli on a Mac laptop.
  5. brew install k9s on a Mac laptop.
  6. Generate a kubeconfig to connect to the cluster and specifically to namespace 'shmpri'. Ensure ~/.kube/config is present.
  7. Execute kubectl apply -f <sample.yaml>. sample.yaml can be any standard pod / job deployment. The issue is not about it, so it doesn't matter what you use.
  8. Execute kubectl get pods. Ensure that pod(s) are visible in the 'shmpri' namespace.
  9. Execute k9s. Expected behavior is that the text UI opens and allows k8s resources to be viewed. But it fails.
  10. Execute k9s -n shmpri. Expected behavior is that the text UI opens and allows k8s resources to be viewed. But it fails.

Historical Documents
N/A

Expected behavior
k9s should allow traversing all pods, jobs, etc. in namespace 'shmpri'.

Screenshots
Console output pasted above.

Versions (please complete the following information):

  • OS: macOS Sonoma 14.4.1
  • K9s:
k9s version
 ____  __.________       
|    |/ _/   __   \______
|      < \____    /  ___/
|    |  \   /    /\___ \ 
|____|__ \ /____//____  >
        \/            \/ 

Version:    v0.32.4
Commit:     d3027c8f2916b23606f647f47b434b08fc34bdf8
Date:       2024-03-20T19:16:59Z
  • K8s:
kubectl version                                                          
Client Version: v1.30.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.26.2

Additional context
N/A

@clementnuss

I'm encountering the same bug. It can be reproduced when a nonexistent namespace, or one for which my user doesn't have credentials, is used.

I would suggest adding a new check at startup, in the InitConnection function, and reusing the CanI function to make sure we can at least get pods:

func (a *APIClient) CanI(ns, gvr, name string, verbs []string) (auth bool, err error) {

If that's not possible, we should fall back to showing the context switch panel when starting the app:

if c.app.Conn() == nil || !c.app.Conn().ConnectionOK() {
	return c.run(cmd.NewInterpreter("context"), "", true)
}

What's your take on this @derailed? If it seems like a valid check, I will submit a PR.
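The startup failure in the issue body and the check proposed in the comment above both come down to one API call: k9s asks the API server a SelfSubjectAccessReview (SSAR) question before it lists anything, and the log shows the SSAR create itself being refused. Two facts a practitioner should have in mind here: SSAR is a cluster-scoped resource, so the permission to create one normally comes from the default system:basic-user ClusterRole bound to every authenticated user, and `kubectl auth can-i` is answered by the same endpoint, so it would fail for this user as well, while a plain `kubectl get pods` succeeds because client-go never pre-checks. The following Go program is an added example, not k9s code, showing the two-step check a client can make: an SSAR for `list pods` in the namespace first, and, only when the review itself comes back 403, a cheap direct list with limit=1 that exercises the real RBAC decision without any cluster-scoped grant. The fallback probe is my suggestion, not something the comment proposes; the HTTP paths and request shape are those of the real Kubernetes API, while newFakeAPIServer is a constructed stand-in for the cluster in the issue (one namespace bound via RoleBinding, SSAR forbidden), not a real cluster.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Minimal mirror of the authorization.k8s.io/v1 SelfSubjectAccessReview (SSAR) that k9s and
// `kubectl auth can-i` POST. SSAR is cluster-scoped: creating one needs a ClusterRole grant
// (normally the default system:basic-user role) even when the question is about one namespace.
type resourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb"`
	Resource  string `json:"resource"`
}
type ssarRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		ResourceAttributes resourceAttributes `json:"resourceAttributes"`
	} `json:"spec"`
}

// canI asks whether the caller may perform verb on a core-group resource in ns. reviewed=false
// means the SSAR create itself was forbidden, which is a different answer from "denied".
func canI(c *http.Client, apiServer, ns, verb, resource string) (allowed, reviewed bool, err error) {
	req := ssarRequest{APIVersion: "authorization.k8s.io/v1", Kind: "SelfSubjectAccessReview"}
	req.Spec.ResourceAttributes = resourceAttributes{Namespace: ns, Verb: verb, Resource: resource}
	body, _ := json.Marshal(req) // fixed struct shape, cannot fail
	resp, err := c.Post(apiServer+"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
		"application/json", bytes.NewReader(body))
	if err != nil {
		return false, false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusForbidden {
		return false, false, nil // cannot even ask: the cluster in this issue answers here
	}
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
		return false, false, fmt.Errorf("selfsubjectaccessreview: unexpected HTTP %d", resp.StatusCode)
	}
	var out struct{ Status struct{ Allowed bool `json:"allowed"` } `json:"status"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return err == nil && out.Status.Allowed, true, err
}

// probeList is the fallback when SSAR is unavailable: a cheap namespaced list (limit=1) exercises
// the real RBAC decision for `list <resource>` in ns and needs no cluster-scoped grant at all.
func probeList(c *http.Client, apiServer, ns, resource string) (bool, error) {
	resp, err := c.Get(fmt.Sprintf("%s/api/v1/namespaces/%s/%s?limit=1", apiServer, ns, resource))
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusForbidden {
		return resp.StatusCode == http.StatusOK, nil
	}
	return false, fmt.Errorf("list %s in %q: unexpected HTTP %d", resource, ns, resp.StatusCode)
}

// canListPods is the suggested startup check: SSAR first, direct probe only when the SSAR
// endpoint itself is forbidden. The string reports which path decided ("ssar" or "probe").
func canListPods(c *http.Client, apiServer, ns string) (bool, string, error) {
	allowed, reviewed, err := canI(c, apiServer, ns, "list", "pods")
	if err != nil || reviewed {
		return allowed, "ssar", err
	}
	ok, err := probeList(c, apiServer, ns, "pods")
	return ok, "probe", err
}

// newFakeAPIServer is a constructed stand-in (not a real cluster) for the setup in this issue:
// the caller holds a RoleBinding in allowedNS only, and with ssarEnabled=false the SSAR
// endpoint itself returns 403, exactly as in the k9s log above.
func newFakeAPIServer(allowedNS string, ssarEnabled bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", func(w http.ResponseWriter, r *http.Request) {
		var req ssarRequest
		if !ssarEnabled || json.NewDecoder(r.Body).Decode(&req) != nil {
			http.Error(w, "selfsubjectaccessreviews.authorization.k8s.io is forbidden", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusCreated)
		fmt.Fprintf(w, `{"status":{"allowed":%t}}`, req.Spec.ResourceAttributes.Namespace == allowedNS)
	})
	mux.HandleFunc("/api/v1/namespaces/", func(w http.ResponseWriter, r *http.Request) {
		p := strings.Split(strings.TrimPrefix(r.URL.Path, "/api/v1/namespaces/"), "/")
		if len(p) == 2 && p[0] == allowedNS && p[1] == "pods" {
			fmt.Fprint(w, `{"kind":"PodList","apiVersion":"v1","items":[]}`)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden) // other namespaces, and listing all namespaces
	})
	return httptest.NewServer(mux)
}
```

Against the fake server with ssarEnabled=false, canListPods(srv.Client(), srv.URL, "shmpri") returns true via "probe" and any other namespace returns false via "probe"; with ssarEnabled=true the SSAR path decides and the probe is never sent. The point of keeping reviewed separate from allowed is that a client which collapses "403 on the review" into "denied" is exactly the behaviour the opener hit: it refuses to start even though the namespaced list it actually needs would succeed.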
