GoogleContainerTools / skaffold

Easy and Repeatable Kubernetes Development
https://skaffold.dev/
Apache License 2.0
14.93k stars 1.62k forks

Skaffold dev fails when user cannot list deployments at cluster scope #6361

Open MrLuje opened 3 years ago

MrLuje commented 3 years ago

Expected behavior

Running skaffold dev should work without issue if I have the required permissions on the deployed namespace

Actual behavior

Skaffold complains about missing permissions at cluster level to check the deployment, whereas it should only check it at namespace level

Information

apiVersion: skaffold/v2beta19
kind: Config
metadata:
  name: pricing.proxy.cron
build:
  artifacts:
  - image: pricing.proxy.cron.build
    docker:
      dockerfile: build.dockerfile
      buildArgs:
        AssemblyVersion: 1.0.0.0
        Version: 1.0.0
  - image: pricing.proxy.cron
    requires:
      - image: pricing.proxy.cron.build
        alias: BUILD_IMAGE
    docker:
      dockerfile: cron.dockerfile
      buildArgs:
        AssemblyVersion: 1.0.0.0
        Version: 1.0.0
  tagPolicy:
    gitCommit:
      variant: AbbrevCommitSha
  local:
    useBuildkit: true
deploy:
  helm:
    releases:
    - name: local-pricing-proxy-cron
      chartPath: helm/pricing-proxy-cron
      namespace: dev
      artifactOverrides:
        image: pricing.proxy.cron
      setValues:
        image.repository: pricing.proxy.cron
        replicaCount: 1
      imageStrategy:
        helm: {}

Steps to reproduce the behavior

  1. Make sure to have no namespace defined in kubeconfig

    - context:
        # NO NAMESPACE HERE
        cluster: dev_cluster
        user: dev_user
      name: dev

  2. skaffold dev -f .\skaffold.cron.yml

Helm release local-pricing-proxy-cron not installed. Installing...
NAME: local-pricing-proxy-cron
LAST DEPLOYED: Tue Aug  3 12:09:22 2021
NAMESPACE: dev
STATUS: deployed
REVISION: 1
TEST SUITE: None
Waiting for deployments to stabilize...
Cleaning up...
release "local-pricing-proxy-cron" uninstalled
could not fetch deployments: could not fetch deployments: deployments.apps is forbidden: User "REDACTED" cannot list resource "deployments" in API group "apps" at the cluster scope: requires one of ["container.deployments.list"] permission(s).

kubectl auth can-i list deployments.apps -n dev #proper permission at namespace level
yes

kubectl auth can-i list deployments.apps #not enough permission at cluster level
no - requires one of ["container.deployments.list"] permission(s).

Since the namespace is defined in the release object, I expect it to check the deployment in this namespace and not at cluster level.

If a namespace is defined in kubeconfig, it works. If a namespace is provided in the skaffold command "skaffold dev -f .\skaffold.cron.yml -n dev", it also works.

The issue seems to be occurring during the statusCheck phase: the namespaces property contains "" & "dev", hence making the check at cluster level for "".

https://github.com/GoogleContainerTools/skaffold/blob/250acdff56c17965ee89cf4dde73422764185a0b/pkg/skaffold/kubernetes/status/status_check.go#L141-L154
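
The namespace handling described in the report above, modelled as an added Go example (not code from Skaffold or from the issue author): in client-go an empty namespace means a cluster-scoped list, so a grant on "dev" alone is rejected as soon as "" is in the list. The `grants` type, `scopedNamespaces`, `checkAll` and the "default" fallback are hypothetical, and dropping the empty entry is one possible normalization, not the project's fix.

```go
package main

import "fmt"

// namespaceAll mirrors metav1.NamespaceAll: "" makes a client-go List call cluster-scoped.
const namespaceAll = ""

// grants is a constructed stand-in for the authorizer: scopes ("" = cluster) where list is allowed.
type grants map[string]bool

// listDeployments is denied unless the exact scope requested was granted.
func (g grants) listDeployments(ns string) error {
	if g[ns] {
		return nil
	}
	return fmt.Errorf("cannot list deployments in scope %q (\"\" = cluster scope)", ns)
}

// scopedNamespaces (hypothetical helper) drops empty and duplicate entries so that
// no cluster-scoped call is made; fallback is used only when nothing explicit is left.
func scopedNamespaces(collected []string, fallback string) []string {
	seen, out := map[string]bool{}, []string(nil)
	for _, ns := range collected {
		if ns != namespaceAll && !seen[ns] {
			seen[ns] = true
			out = append(out, ns)
		}
	}
	if len(out) == 0 {
		out = append(out, fallback)
	}
	return out
}

// checkAll returns the first authorization error across the given namespaces.
func checkAll(g grants, namespaces []string) error {
	for _, ns := range namespaces {
		if err := g.listDeployments(ns); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed input: list allowed in "dev" only; namespaces as reported in the issue.
	user, raw := grants{"dev": true}, []string{"", "dev"}
	fmt.Println("raw:   ", checkAll(user, raw))
	fmt.Println("scoped:", checkAll(user, scopedNamespaces(raw, "default")))
}
```

With the raw list the first call is denied at cluster scope; with the normalized list only "dev" is queried and the namespace-scoped grant is sufficient.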

nkubala commented 3 years ago

@MrLuje thanks for the issue. this does indeed look like an issue with the computed namespaces we operate on when doing a status check. we'll try and get to this one, but if you're feeling up to sending a fix, contributions are of course always welcome.

tejal29 commented 2 years ago

decreasing priority due to low bandwidth.