verify access to a namespace before listing it in the list of namespaces #7158
Comments
Duplicate of #6785 /close
@floreks: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
IMO this is not a duplicate of #6785. This feature is necessary for multi-tenant clusters in which isolation is done via namespaces. Here is how the endpoint currently responds in e.g. a shared cluster where users' namespaces are segregated (and those users do not have list namespaces RBAC in the cluster):
With this response, the user sees the following namespace dropdown:
So in summary: in clusters where users do not have RBAC to list namespaces, there needs to be a programmatic way to modify the list of namespaces returned by
Kubeapps has implemented something similar (we worked w/ them on it) where you can configure a values https://github.com/vmware-tanzu/kubeapps/blob/main/chart/kubeapps/values.yaml#L1614-L1626
I opened a related issue here: #8496
This makes a lot of sense. There's no security issue because RBAC is enforcing everything, it's just a better UX.
I wrote the impersonation implementation, not sure I'd want to mix with impersonation because that could impact security depending on the way the impersonation headers are enabled via RBAC
@mlbiam do you know if we could open a PR and have it reviewed by the reviewers? Or what the process is for something like this?
What would you like to be added?
Presently, the dashboard lists all namespaces, even if the user has no access. There's an error in the upper right that doesn't stop users from doing their tasks, but it isn't a great UX. Instead, the dashboard can do a get on each namespace in the list to verify access. If a user can't read a namespace, don't show it. Kiali does this and it makes for a much cleaner UX in a multi-tenant environment. Here's the code Kiali runs - https://github.com/kiali/kiali/blob/8191532af24f5f93c9534eada25d0557bbc0996a/business/namespaces.go#L115
I'm happy to submit a PR if the team would be willing to accept it
Why is this needed?
Limiting the namespaces listed provides for a better UX when accessing the dashboard. Users don't try to access resources they don't have access to and don't get flooded with error messages.
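The per-namespace access check proposed in this issue, sketched as an added example (not code from the dashboard or from Kiali). `NamespaceGetter`, `ErrForbidden`, `fakeCluster` and the sample ACL are hypothetical stand-ins for a Kubernetes client running with the user's own credentials; the candidate list is assumed to come from configuration when the user cannot list namespaces.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrForbidden is a hypothetical stand-in for the API server's 403 response.
var ErrForbidden = errors.New("forbidden")

// NamespaceGetter is a hypothetical client using the user's own credentials.
type NamespaceGetter interface{ GetNamespace(name string) error }

// fakeCluster is constructed sample data: namespace -> users allowed to get it.
type fakeCluster struct {
	user string
	acl  map[string]map[string]bool
}

func (c fakeCluster) GetNamespace(name string) error {
	users, ok := c.acl[name]
	if !ok {
		return fmt.Errorf("namespace %q: not found", name)
	}
	if !users[c.user] {
		return fmt.Errorf("namespace %q: %w", name, ErrForbidden)
	}
	return nil
}

// VisibleNamespaces returns the candidates the user can get. Forbidden hides a
// namespace quietly; other errors also hide it (fail closed) and are returned.
func VisibleNamespaces(c NamespaceGetter, candidates []string) (visible []string, failed []error) {
	for _, ns := range candidates {
		if err := c.GetNamespace(ns); err == nil {
			visible = append(visible, ns)
		} else if !errors.Is(err, ErrForbidden) {
			failed = append(failed, err)
		}
	}
	sort.Strings(visible)
	return visible, failed
}

func main() {
	acl := map[string]map[string]bool{"team-a": {"alice": true}, "team-b": {"bob": true}}
	vis, failed := VisibleNamespaces(fakeCluster{user: "alice", acl: acl}, []string{"team-b", "team-a", "gone"})
	fmt.Println(vis, failed)
}
```

The filter only trims what is displayed; access itself is still decided by RBAC on every later request.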