Allow setting namespace when no permission to list namespaces #83

Open
josalmi opened this issue Sep 5, 2018 · 19 comments

@josalmi

josalmi commented Sep 5, 2018

We have users that are only allowed to access a single namespace in the cluster with very restricted permissions. It would be nice to have an option to set the namespace in the context even when the user doesn't have permission to list all namespaces. Ideally kubens could confirm with the user that they want to set the namespace even if it can't verify the namespace exists, or have a flag like --force to set it without verifying.

This is what happens now even if the namespace exists but the user doesn't have the right to list namespaces:

$ kubens helloworld
Error from server (Forbidden): namespaces is forbidden: User "josalmi" cannot list namespaces at the cluster scope: Required "container.namespaces.list" permission.
error: no namespace exists with name "helloworld".

@ahmetb
Owner

ahmetb commented Sep 5, 2018

This came up once before in #19.

Primarily, not being able to list namespaces straight out makes the kubens (without args) command useless. Now with the recently added interactive mode, that ability is more important than ever.

Secondarily, Kubernetes has no namespace validity checks for the set-context command, therefore kubens enforces this. There might be a better way to enforce this (like kubectl get ns [VALUE]==successful)

I'll think about what we can do here. There might be a low-hanging fruit like the one I mentioned above.

ahmetb added this to the v0.7.0 milestone Sep 5, 2018

@ahmetb
Owner

ahmetb commented Sep 5, 2018

I just re-read #19, and apparently in that person's case, users didn't have the namespaces.get permission. @josalmi are your users able to kubectl get ns [NAME]?

@josalmi
Author

josalmi commented Sep 6, 2018

It seems that the feature request in issue 19 is exactly the same as I'm requesting.

At the moment they are not able to run kubectl get ns [NAME] but I guess that could be arranged. My current workaround for the single cluster that I switch to using kubectx is running kubectl config set-context $(kubectl config current-context) --namespace=helloworld manually.

Being able to run kubens would make my workflow more consistent and let me rely on kubens in all cases. As said, I think it's very reasonable to validate the namespace if that is possible, but it would be nice for users to have the option to override this with, say, the --force flag when it's not possible.

@tomaaron

I wasn't aware that you can work in a namespace without having permission to get the namespace.

I've already worked on being able to switch to a namespace without listing all namespaces. Unluckily there's a validity check which needs to get namespace permission before. See my initial changes tomaaron@cfd4801.

@ahmetb If you have another idea what to do when a user isn't able to list/get a namespace but wants to change to it, let me know! I'm happy to contribute or adapt my initial changes.

@ahmetb
Owner

ahmetb commented Mar 28, 2019

@tomaaron My concerns around your implementation would be that the check permissions etc. causes ~.3-.5s overhead (per kubectl call) times three – for all kubens users.

Again, I'm not entirely convinced that kubens is useful for people who can't list/get namespaces. These users seem to be a very small percentage, and in that case, I don't think we should try to satisfy them.

Maybe we can add a -f/--force flag as suggested above, but that would not only complicate the code, but also make the kubens command (without args) and its tab completion completely useless.

@ahmetb
Owner

ahmetb commented Jun 5, 2019

If/when we rewrite this in Go (#115), we can solve this without introducing additional overhead to rest of the kubens users who don't have this RBAC problem.

@pixie79

pixie79 commented Jun 7, 2019

We have the same issue: no cluster-wide option to list namespaces, only access granted to known namespaces.

@hungpr0

hungpr0 commented Apr 23, 2020

Hello,

I have this need also. It would be nice if you could implement this feature or add --force.
We restrict the list namespace permission but users can still work normally in their namespace.

Thank you!

ahmetb unpinned this issue Apr 30, 2020

@mory91

mory91 commented May 2, 2020

Hi,
I implemented the -f idea in #215. What do you think?

morhook added a commit to morhook/kubectx that referenced this issue May 19, 2020
Not sure why this logic is duplicated in go though (checked this other PR: https://github.com/ahmetb/kubectx/pull/215/files )

@smnbbrv

smnbbrv commented Jun 4, 2020

Could this issue receive more attention? This kills the whole idea of the tool

@ahmetb
Owner

ahmetb commented Jun 4, 2020

This was fixed for the Go implementation in master with #236. I didn’t make a release for it yet, but feel free to give it a try.

@smnbbrv

smnbbrv commented Jun 4, 2020

That's super! Do you plan a release soon? :)

@TreeKat71

Hope I get to try the new feature soon.

@morhook

morhook commented Jun 20, 2020

I've tested this with latest version of kubens (go based, not the bash-one), and it's working ok! Maybe we should close this ticket now?

@TreeKat71

OS: mac
Installed via Homebrew and I replaced the kubens and kubectx under kubectx/0.9.0/bin.
But I still can't use kubens to list or switch to another namespace.

error: failed to query if namespace exists (is cluster accessible?): failed to list namespaces from k8s API: namespaces is forbidden: User "u-sau3pmriea" cannot list resource "namespaces" in API group "" at the cluster scope

Is it error message related?

@ahmetb
Owner

ahmetb commented Jun 22, 2020

@TreeKat71 likely not. Homebrew still distributes the bash implementation. Please make sure you're checking which executable you have (bash or go).

@TreeKat71

Hi @ahmetb,
I mean I installed kubectx from Homebrew and I replaced kubectx and kubens with the Go version.
kubectx is 2.6M and kubens is 30M, so I think it is the Go version.
Did I set it correctly?

@ahmetb
Owner

ahmetb commented Jun 23, 2020

Yes but as I said above the fix is in master, but not tagged as a version yet.

@TreeKat71

TreeKat71 commented Jun 23, 2020

I see. I used the release 0.9. Thanks!

I built from master and it works fine!
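
The behaviour discussed in this thread, as an added example that is not kubens code and not from any participant: verify with a namespaced `kubectl get namespace NAME` instead of a cluster-wide list, and let an explicit `-f` override only the Forbidden ("cannot verify") case while a definite NotFound is still refused. `KUBECTL`, `ns_check` and `switch_ns` are hypothetical names chosen for this sketch.

```shell
#!/usr/bin/env bash
# Added example; KUBECTL, ns_check and switch_ns are hypothetical names.
KUBECTL="${KUBECTL:-kubectl}"

# ns_check NAME -> 0 exists, 1 not found, 2 forbidden (cannot verify), 3 other
ns_check() {
  local err
  # Capture stderr only; stdout (the object name) is discarded.
  if err="$("$KUBECTL" get namespace "$1" -o name 2>&1 >/dev/null)"; then
    return 0
  fi
  case "$err" in
    *"(NotFound)"*)  return 1 ;;   # API server answered: it does not exist
    *"(Forbidden)"*) return 2 ;;   # RBAC denied the read: existence unknown
    *)               return 3 ;;   # network, auth or other failure
  esac
}

# switch_ns [-f|--force] NAME
switch_ns() {
  local force=0 ns rc=0 ctx
  if [ "$1" = "-f" ] || [ "$1" = "--force" ]; then force=1; shift; fi
  ns="$1"
  [ -n "$ns" ] || { echo "usage: switch_ns [-f] NAME" >&2; return 64; }
  ns_check "$ns" || rc=$?
  case "$rc" in
    0) ;;
    1) echo "error: no namespace exists with name \"$ns\"" >&2; return 1 ;;
    2) if [ "$force" -ne 1 ]; then
         echo "error: cannot verify \"$ns\" (forbidden); use -f to set it anyway" >&2
         return 2
       fi ;;
    *) echo "error: namespace check failed (is cluster accessible?)" >&2; return 3 ;;
  esac
  ctx="$("$KUBECTL" config current-context)" || return 3
  # Only the local kubeconfig changes here; the API server still applies
  # RBAC to every later request made in that namespace.
  "$KUBECTL" config set-context "$ctx" --namespace="$ns" >/dev/null
}
```
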

9 participants