GoogleCloudPlatform / cloud-code-intellij

Plugin to support the Google Cloud Platform in IntelliJ IDEA - Docs and Issues Repository
Apache License 2.0

Unable to use Kubernetes Explorer without permission to read namespaces #3073

Open horodchukanton opened 2 years ago

horodchukanton commented 2 years ago

Expected Behavior

According to https://github.com/GoogleCloudPlatform/cloud-code-intellij/issues/2697, the context's namespace should be used by default and I should see a list of deployments (/pods/replicasets?).

Actual Behavior

The plugin fails to build a list of available namespaces because I don't have permission to list namespaces.

[Screenshot 2022-04-13 at 13 40 43]

Additional Information

Context definition in .kube/config

  contexts:
  - context:
      cluster: te[hidden].com
      namespace: shipping
      user: oidc
    name: te[hidden].com
  current-context: te[hidden].com

horodchukanton commented 2 years ago

Would be happy to share more information if necessary

etanshaul commented 2 years ago

Hello. Just to confirm, when you run kubectl get namespaces you also get permission errors, right? I think this is a limitation currently in our plugin that has come up before, and we will explore options to resolve this. cc @ivanporty in case I missed something.

horodchukanton commented 2 years ago

@etanshaul Yes, I receive the same error on the CLI:

[hidden]@MacBook-Pro ~ % kubectl get namespaces
Error from server (Forbidden): namespaces is forbidden: User "[hidden]" cannot list resource "namespaces" in API group "" at the cluster scope

And as in the mentioned issue (https://github.com/GoogleCloudPlatform/cloud-code-intellij/issues/2697), I can retrieve the namespace configured in the .kube/config:

[hidden]@MacBook-Pro ~ % kubectl config view -o jsonpath='{.contexts[0].context.namespace}'
shipping

etanshaul commented 2 years ago

Sounds good, thanks. I am going to leave this issue open to track progress here. We'll circle back with questions / updates.

horodchukanton commented 2 years ago

Update: Same error on latest version (22.4.1-213)

ivanporty commented 2 years ago

Thanks for the report @horodchukanton! This is a limitation of our cluster explorer at the moment - we assume we can read namespaces in the cluster to proceed. We might be coming with the current context view only too sometime in the future - this should work for you - you can see your current context (and its namespace) resources, as long as you don't access other namespaces, right?

horodchukanton commented 2 years ago

@ivanporty Thanks for the response ) Yep, it will work for me

I understand that {.contexts[0].context.namespace} will work with a single namespace per context, and if I have permissions for two of them, I'll have to use separate contexts for each (if that's possible). But I'm not familiar enough with Kubernetes to suggest a better solution.
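
Added example (not part of the thread and not Cloud Code's code): one way a client can degrade to the kubeconfig namespace when the cluster-scoped namespace list is forbidden, looking the context up by its current-context name rather than by list index. The kubeconfig is constructed and held as JSON; `Forbidden`, `context_namespace`, `visible_namespaces`, `denied` and `allowed` are hypothetical names.

```python
import json

# Constructed kubeconfig modelled on the one in the issue; all names are placeholders.
# Held as JSON so the example needs no YAML parser.
KUBECONFIG = json.loads("""
{
  "current-context": "team-b",
  "contexts": [
    {"name": "team-a", "context": {"cluster": "c1", "user": "oidc", "namespace": "billing"}},
    {"name": "team-b", "context": {"cluster": "c1", "user": "oidc", "namespace": "shipping"}},
    {"name": "bare",   "context": {"cluster": "c1", "user": "oidc"}}
  ]
}
""")

class Forbidden(Exception):
    """Hypothetical stand-in for an HTTP 403 from the API server."""

def context_namespace(cfg, name=None):
    """Namespace of the named context (default: current-context), by name, not position."""
    name = name or cfg.get("current-context")
    for entry in cfg.get("contexts") or []:
        if entry.get("name") == name:
            # kubectl uses "default" when the context sets no namespace.
            return (entry.get("context") or {}).get("namespace") or "default"
    raise LookupError(f"context {name!r} not found in kubeconfig")

def visible_namespaces(cfg, list_namespaces):
    """Try the cluster-scoped list; on Forbidden use the context's namespace."""
    try:
        return sorted(list_namespaces()), "cluster"
    except Forbidden:
        return [context_namespace(cfg)], "kubeconfig"

def denied():
    # Simulates a user whose RBAC role lacks cluster-scoped "list namespaces".
    raise Forbidden('cannot list resource "namespaces" at the cluster scope')

def allowed():
    # Simulates a user who may list namespaces cluster-wide.
    return ["shipping", "kube-system", "default"]

if __name__ == "__main__":
    print(visible_namespaces(KUBECONFIG, denied))
    print(visible_namespaces(KUBECONFIG, allowed))
```

Only the Forbidden case triggers the fallback; any other error from the lister propagates, so an outage is not mistaken for a narrowly scoped role.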

horodchukanton commented 2 years ago

UPD. This is how the Kubernetes plugin deals with the problem:

image

ivanporty commented 2 years ago

Thank you @horodchukanton, this is a good suggestion. We are planning to work on it some time soon to allow your use case in our Kubernetes Explorer, and post updates here in this issue.