
kubens cannot switch if user doesn't have container.namespaces.get permission #19

Closed
paulanunda opened this issue Dec 11, 2017 · 6 comments

Comments

@paulanunda

I use kubectx/kns to switch between multiple GKE clusters spread across multiple Google accounts. Occasionally, I'll switch to a context that my current user is unable to access. When I run kns, I get the following:

$ kns
Error from server (Forbidden): namespaces is forbidden: User "paul@***" cannot list namespaces at the cluster scope: No policy matched.
Required "container.namespaces.list" permission.

How would I go about updating the user that kubectx is using so that it uses the correct user? In the past, I've had to create a whole new context to get it working again.

@ahmetb
Owner

ahmetb commented Dec 11, 2017

kubens just calls kubectl config set-context [CURRENT_CTX] --namespace=[NS] to update the current context with the specified namespace.

If you call kubens NAME with a NAME that you have access to, it should work?

You can do some surgery by editing ~/.kube/config, but I'm not exactly sure if that's what you want.

@paulanunda
Author

paulanunda commented Dec 12, 2017

I was able to duplicate the issue. The way I resolved it was by setting the users.user.auth-provider.config.expiry to a date in the past in ~/.kube/config. I guess the gcloud cli caches the authenticated user for a period of time and kubens just uses the current user.

If you call kubens NAME with a NAME that you have access to, it should work?

It didn't work.

@ahmetb
Owner

ahmetb commented Dec 12, 2017

You're right. It looks like we are looking up all namespaces to see if the namespace we're trying to switch to exists.

We need this because I don't want people to run kubens NAME with a typo in the NAME and then get some weird error from kubectl.

kubectl config set-context --namespace does not validate this, but kubens does.

We might do a kubectl get namespace NAME instead of listing via kubectl get namespaces to check existence.

But that's tricky. We'd need to rely on the output message of kubectl get namespace NAME and look for NotFound to tell whether the command failed due to some other reason, or whether the namespace doesn't exist.

Can you test if kubectl get namespace NAME works with a namespace you have access to? I'm not sure if your (and other people's) RBAC allows "get" on namespace.
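The per-namespace existence check discussed above, written out as an added example (this is not kubens' own code). It assumes kubectl is on PATH and already configured; the sample error strings at the bottom are constructed from the messages quoted in this thread with placeholder user and namespace names. The classifier keys on the "Error from server (<Reason>)" prefix kubectl prints for API errors, so a NotFound (typo in the name) is reported differently from a Forbidden (the current user lacks get on namespaces), and anything else is treated as an unknown failure rather than silently switching.

```shell
#!/bin/sh
# Added example, not code from kubens/kubectx: validate that a namespace exists
# with "kubectl get namespace NAME" and tell NotFound apart from Forbidden, so
# the caller can say "no such namespace" vs "missing container.namespaces.get"
# instead of surfacing a raw kubectl error.

# classify_ns_result EXIT_CODE STDERR_TEXT
# Prints one of: exists | notfound | forbidden | error
classify_ns_result() {
  rc="$1"
  err="$2"
  if [ "$rc" -eq 0 ]; then
    echo exists
    return 0
  fi
  # kubectl prefixes API-server errors with "Error from server (<Reason>)".
  case "$err" in
    *"Error from server (NotFound)"*)  echo notfound ;;
    *"Error from server (Forbidden)"*) echo forbidden ;;
    *)                                 echo error ;;
  esac
}

# check_namespace NAME: runs the real kubectl (assumed on PATH and configured)
# and classifies the outcome. Stdout is discarded, stderr is captured.
check_namespace() {
  out=$(kubectl get namespace "$1" -o name 2>&1 >/dev/null)
  classify_ns_result "$?" "$out"
}

# switch_namespace NAME: the kubens-style flow from this issue (look up the
# current context, then set-context --namespace), gated on the check above.
switch_namespace() {
  ns="$1"
  case "$(check_namespace "$ns")" in
    exists)
      ctx=$(kubectl config current-context) || return 1
      kubectl config set-context "$ctx" --namespace="$ns"
      ;;
    notfound)
      echo "error: namespace \"$ns\" does not exist" >&2
      return 1
      ;;
    forbidden)
      echo "error: current user may not get namespace \"$ns\" (needs container.namespaces.get on GKE)" >&2
      return 1
      ;;
    *)
      echo "error: could not query namespace \"$ns\"" >&2
      return 1
      ;;
  esac
}

# Constructed sample stderr lines, modelled on the messages quoted in this
# issue (placeholder user and namespace names; no cluster needed).
SAMPLE_FORBIDDEN='Error from server (Forbidden): namespaces "dev" is forbidden: User "user@example.com" cannot get namespaces in the namespace "dev": Required "container.namespaces.get" permission.'
SAMPLE_NOTFOUND='Error from server (NotFound): namespaces "dve" not found'
SAMPLE_CONNREFUSED='The connection to the server localhost:8080 was refused - did you specify the right host or port?'

# Demo run over the constructed samples: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  classify_ns_result 0 ""
  classify_ns_result 1 "$SAMPLE_FORBIDDEN"
  classify_ns_result 1 "$SAMPLE_NOTFOUND"
  classify_ns_result 1 "$SAMPLE_CONNREFUSED"
fi
```

Running with --demo prints exists, forbidden, notfound and error for the four constructed inputs; in real use you would call switch_namespace NAME against a live context. As the thread notes, this still cannot succeed when the caller lacks get on namespaces; what it adds is that such a user is told which permission is missing rather than getting an opaque failure.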

@paulanunda
Author

paul in ~
$ kctx CONTEXT-I-DONT-HAVE-ACCESS-TO-WITH-CURRENT-GCLOUD-USER
Switched to context "CONTEXT-I-DONT-HAVE-ACCESS-TO-WITH-CURRENT-GCLOUD-USER".
paul in ~
$ kubectl get namespace NAMESPACE_NAME
Error from server (Forbidden): namespaces "NAMESPACE_NAME" is forbidden: User "EMAIL-ADDRESS" cannot get namespaces in the namespace "NAMESPACE_NAME": Required "container.namespaces.get" permission.

@ahmetb
Owner

ahmetb commented Dec 13, 2017

yeah I'm afraid without container.namespaces.get we can't perform this check and I want to keep that check in kubens. 😟

@ahmetb ahmetb changed the title Unable to auth after switching ctx kubens does not switch if user doesn't have container.namespaces.get permission Dec 13, 2017
@ahmetb ahmetb changed the title kubens does not switch if user doesn't have container.namespaces.get permission kubens cannot switch if user doesn't have container.namespaces.get permission Dec 13, 2017
@ahmetb
Owner

ahmetb commented Dec 13, 2017

I believe this is a WONTFIX for now.
