read-only account #19
Comments
@jobace78 Thanks for reporting this! I suspect you're right about the issue being the login check. Could you try logging in again using the failing use case and check the networking tab in the developer tools to verify which api call is failing? If you're correct and we can verify that it's the |
@herbrandson Yes, it's the |
Just to be clear, did you mean it's returning a |
Sure, |
Interesting. 201 should indicate a success. Any chance you could post the response body? Also, are there any other api calls that are failing? I was kinda expecting to see something with a 403 |
Hi, This is the header response:
This is the response:

```json
{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "metadata": {
    "creationTimestamp": null
  },
  "spec": {
    "resourceAttributes": {
    }
  },
  "status": {
    "allowed": false
  }
}
```

No, this is the only api call I'm able to see. Thanks |
Thanks so much for the additional @jobace78. That's really helpful. I have a suspicion about what's going on now. The To be totally honest, I haven't really tested w/ a read-only account. I really hope this change gets things working for you. I've added a TODO to my list to do some testing w/ a variety of permission combinations. In the meantime, please let me know about any other issues you run into and I'll do my best to resolve them ASAP. Thanks again for the help in chasing this one down! |
FYI I tested it as well but only cluster-admin role can access POST selfsubjectaccessreviews. This is what clusterrole admin is.
|
Interesting. So I only see this section in that role for
So I guess it makes sense that I think I have an idea about how to resolve this so that messing w/ roles wouldn't be required. However, it's going to be at least the weekend before I can get to it (...got family in town this week). |
Hi, I've tried allowing all verbs into

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - get
  - list
  - proxy
  - redirect
  - watch
- nonResourceURLs:
  - "*"
  verbs:
  - "*"
```
|
FYI I've tried with this:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - create
  # - delete
  # - deletecollection
  - get
  - list
  # - patch
  - proxy
  - redirect
  # - replace
  # - update
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - "*"
  verbs:
  - "*"
- nonResourceURLs:
  - "*"
  verbs:
  # - get
  # - post
  - "*"
```

Unfortunately same error :-( Also, there is no hurry, so even next week will be more than ok :-) Thanks |
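A simplified model of RBAC rule matching, added here as an illustration (it is not part of the comments above and is not k8dash or Kubernetes code). It shows why an access review with empty `resourceAttributes`, like the response body posted earlier, comes back `allowed: false` for both read-only roles tried so far but passes with `verbs: ["*"]`. Assumptions: the login check submits exactly that empty review, the workaround role keeps wildcard API groups and resources, and a rule matches only when verb, API group and resource all match with `*` as a wildcard; `rule_allows`, `review` and `summarize` are hypothetical names.

```python
# Added example: simplified model of RBAC rule matching (not k8dash or Kubernetes code).
WILDCARD = "*"

def _matches(allowed, value):
    """A rule field matches on the wildcard or on the exact requested value."""
    return WILDCARD in allowed or value in allowed

def rule_allows(rule, verb, group, resource):
    """A resource request needs verb, API group and resource to match in ONE rule."""
    if "resources" not in rule:  # nonResourceURLs rules never cover resource requests
        return False
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource))

def review(rules, verb="", group="", resource=""):
    """Model of a SelfSubjectAccessReview; the defaults are the empty resourceAttributes."""
    return any(rule_allows(r, verb, group, resource) for r in rules)

READ_VERBS = ["get", "list", "proxy", "redirect", "watch"]
NON_RESOURCE = {"nonResourceURLs": ["*"], "verbs": ["*"]}

# The first two roles are transcribed from the thread.
ROLES = {
    "read_only": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": READ_VERBS},
        NON_RESOURCE,
    ],
    "read_only_plus_authz": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["create"] + READ_VERBS},
        {"apiGroups": ["authorization.k8s.io"], "resources": ["*"], "verbs": ["*"]},
        NON_RESOURCE,
    ],
    "all_verbs": [  # assumed shape of the reporter's workaround, verbs: ["*"]
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        NON_RESOURCE,
    ],
}

def summarize():
    """Per role: the empty review, a concrete read, and a concrete write."""
    return {name: {"empty_review": review(rules),
                   "get_pods": review(rules, "get", "", "pods"),
                   "delete_pods": review(rules, "delete", "", "pods")}
            for name, rules in ROLES.items()}

if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:22} {result}")
```

In this model only the wildcard role passes the empty review, while a review naming a concrete read such as `get` on `pods` succeeds for all three roles, so a login probe that names a read verb and resource works without widening a read-only role.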
Great. Thanks for the additional info and for your patience. I'll let you know when I've made some progress. |
Hey @jobace78. Just wanted to give you a quick status update. I've been making some good progress. I found last evening that this role works...
...but this one doesn't...
This doesn't completely make sense to me though because neither of these include the Thanks again for your patience. |
Hi @herbrandson, let me know if you need me to test something else or whatever. Thanks to you :-) |
Thanks so much for offering @jobace78. It's people like you that make working on open source awesome :) I should have something ready for an initial test by EOD. I'll keep you posted. |
@jobace78 I've pushed an update that I'm hoping you can test out for me. It's available at under the "dev" label at The Good:
The Bad:
Anyhow, more progress to come soon. But, I think this at least gets the main issue you are experiencing into a workable state. Let me know how it goes. |
@herbrandson I'm testing the

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - create
  # - delete
  # - deletecollection
  - get
  - list
  # - patch
  - proxy
  - redirect
  # - replace
  # - update
  - watch
- nonResourceURLs:
  - "*"
  verbs:
  - "*"
```

As you said, everything is working fine :-) Next month (I'm pretty busy right now) I'll begin to test "restricted" users (reader over one namespace and admin over other namespace for example). I'll keep you posted. Thanks for your amazing work !!! |
Hello 👋 ! |
We really need an update in this topic 😢 |
Hi @herbrandson thanks for this promising project! Can you say if what is discussed in this issue is released? I'd like to use this UI but in read-only mode or maybe with r:pod v:delete option and I'm not sure if that is even possible now before I start tests. |
Hi,
I'm trying to login with a read-only account into k8dash with no success.
Steps to reproduce:
1.- create ServiceAccount
2.- create ClusterRole
3.- create ClusterRoleBinding
If I modify the ClusterRole verbs by
verbs: ["*"]
I'm able to login, and if I replace the ClusterRole definition with this ClusterRole definition while I'm logged in, everything works as expected, so I think the problem could be the login check... Any suggestions?
Thanks in advance,
Joan