get --watch specifying a resource uses "watch list" instead of "watch" API #305

Closed
jethrogb opened this Issue Feb 20, 2018 · 10 comments

6 participants
jethrogb commented Feb 20, 2018

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.): no

What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.): watch


Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.7", GitCommit:"b30876a5539f09684ff9fde266fda10b37738c9c", GitTreeState:"clean", BuildDate:"2018-01-16T21:59:57Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.7", GitCommit:"b30876a5539f09684ff9fde266fda10b37738c9c", GitTreeState:"clean", BuildDate:"2018-01-16T21:52:38Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Bare metal
  • OS (e.g. from /etc/os-release): Ubuntu Xenial
  • Kernel (e.g. uname -a): 4.4.0-104-generic #127-Ubuntu
  • Install tools: kubeadm
  • Others:

What happened:
When running kubectl get RESOURCETYPE --watch OBJECTNAME, it uses the "watch list" API with a fieldSelector on the resource name. If the current role doesn't allow watch list for this resource type, this results in a 403.

What you expected to happen:
I expected the "watch" API to be used.

How to reproduce it (as minimally and precisely as possible):

# Setup RBAC on your account to allow watch but not watch list
$ kubectl --v=6 get cm -n swdist swdist --watch|&grep GET
I0220 22:20:41.482970    2907 round_trippers.go:436] GET https://10.245.0.1:443/api/v1/namespaces/swdist/configmaps/swdist 200 OK in 9 milliseconds
I0220 22:20:41.492379    2907 round_trippers.go:436] GET https://10.245.0.1:443/api/v1/namespaces/swdist/configmaps?fieldSelector=metadata.name%3Dswdist&resourceVersion=0&watch=true 403 Forbidden in 1 milliseconds

Anything else we need to know:

fejta-bot commented May 21, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Author

jethrogb commented May 21, 2018

/remove-lifecycle stale

stealthybox commented Aug 16, 2018

I can confirm that this is still using the WatchList API for specific resources:

kubectl get pod/nginx-64f497f8fd-6qxk5 -w -v6  2>&1 | grep GET
I0815 19:17:41.101640   89726 round_trippers.go:405] GET https://10.22.191.4:6443/api/v1/namespaces/default/pods/nginx-64f497f8fd-6qxk5 200 OK in 36 milliseconds
I0815 19:17:41.115014   89726 round_trippers.go:405] GET https://10.22.191.4:6443/api/v1/namespaces/default/pods?fieldSelector=metadata.name%3Dnginx-64f497f8fd-6qxk5&resourceVersion=0&watch=true 200 OK in 6 milliseconds
^C

kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-18T11:36:43Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:08:34Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}

Collaborator

seans3 commented Sep 25, 2018

/kind bug
/sig cli
/area kubectl
/priority P2

stealthybox commented Sep 29, 2018

I just noticed this in the 1.12 release notes.
It looks like this is intentional behavior of client-go.
/watch is now deprecated in favor of passing ?watch=true.

ref: kubernetes/kubernetes#65147

seans3 added this to Low priority in kubectl prioritized bugs Oct 5, 2018

fejta-bot commented Dec 28, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Author

jethrogb commented Dec 28, 2018

/remove-lifecycle stale

Member

liggitt commented Dec 28, 2018

as of 1.11, watch requests with a fieldSelector scoped to a single metadata.name can be authorized using an individual watch permission. see kubernetes/kubernetes#63469

/close
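
The authorization behaviour described in the comment above, as an added example that is not part of the thread and is not Kubernetes or kubectl source code: a simplified Go model of how the request URLs logged in this issue resolve to the verb and object name that an RBAC rule restricted by resourceNames is checked against. The names `Attrs`, `Rule`, `Resolve`, `Allows`, `nameFromSelector` and `SampleURL` are hypothetical, and the rule granting `get` and `watch` on the single ConfigMap `swdist` is an assumed least-privilege setup.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Attrs and Rule are hypothetical simplified stand-ins, not Kubernetes types.
type Attrs struct{ Verb, Namespace, Resource, Name string }
type Rule struct{ Verbs, Resources, ResourceNames map[string]bool }
const SampleURL = "https://10.245.0.1:443/api/v1/namespaces/swdist/configmaps?fieldSelector=metadata.name%3Dswdist&resourceVersion=0&watch=true" // from the issue's log

// Resolve maps a GET on /api/v1/namespaces/{ns}/{resource}[/{name}] to Attrs.
// nameFromSelector models 1.11+: a fieldSelector of exactly metadata.name=X sets Name to X.
func Resolve(rawURL string, nameFromSelector bool) (Attrs, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return Attrs{}, err
	}
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(p) < 5 || len(p) > 6 || p[0] != "api" || p[2] != "namespaces" {
		return Attrs{}, fmt.Errorf("unsupported path %q", u.Path)
	}
	if len(p) == 6 { // object name in the path: a plain get
		return Attrs{Verb: "get", Namespace: p[3], Resource: p[4], Name: p[5]}, nil
	}
	a := Attrs{Verb: "list", Namespace: p[3], Resource: p[4]}
	if u.Query().Get("watch") == "true" {
		a.Verb = "watch"
	}
	fs := u.Query().Get("fieldSelector")
	name := strings.TrimPrefix(fs, "metadata.name=")
	if nameFromSelector && name != fs && name != "" && !strings.ContainsAny(name, ",=!") {
		a.Name = name
	}
	return a, nil
}

// Allows: a non-empty ResourceNames set matches only requests whose Name is in it.
func (r Rule) Allows(a Attrs) bool {
	return r.Verbs[a.Verb] && r.Resources[a.Resource] && (len(r.ResourceNames) == 0 || r.ResourceNames[a.Name])
}

func main() {
	rule := Rule{map[string]bool{"get": true, "watch": true}, map[string]bool{"configmaps": true}, map[string]bool{"swdist": true}}
	for _, v := range []bool{false, true} {
		a, _ := Resolve(SampleURL, v)
		fmt.Println(v, a, rule.Allows(a))
	}
}
```

With `nameFromSelector` false the watch resolves with an empty name and the name-restricted rule does not match; with it true the same request resolves to `swdist` and is allowed, while a watch without the selector or for another name is still denied.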

Contributor

k8s-ci-robot commented Dec 28, 2018

@liggitt: Closing this issue.

In response to this:

as of 1.11, watch requests with a fieldSelector scoped to a single metadata.name can be authorized using an individual watch permission. see kubernetes/kubernetes#63469

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

kubectl prioritized bugs automation moved this from Priority P2 to Closed Dec 28, 2018

Author

jethrogb commented Dec 28, 2018

Great!
