ahmetb / kubectl-tree

kubectl plugin to browse Kubernetes object hierarchies as a tree 🎄 (star the repo if you are using)
Apache License 2.0
2.95k stars, 120 forks

Cannot run with viewer role #9

Open tjun opened 4 years ago

tjun commented 4 years ago

While querying APIs, it failed to list secrets and cannot show the result.

When I try to run kubectl tree with the viewer role, I get the following error:

Error: error while querying api objects: listing resources failed (/v1, Resource=secrets): 
secrets is forbidden: User "user@example.com" cannot list resource "secrets" in API group "" at the cluster scope: Required "container.secrets.list" permission.

hasheddan commented 4 years ago

Hi @tjun! I believe this could be solved by just updating your role to have list permissions on Secret objects. Do you have permissions in your cluster to modify RBAC?

ahmetb commented 4 years ago

I think we’re talking about GKE Viewer role here. Have you tried “viewer” role in Kubernetes rbac?

I suspect GKE Viewer doesn’t let the subject view Secrets in a cluster, for a good reason.

tjun commented 4 years ago

Thanks!

Have you tried “viewer” role in Kubernetes rbac?

Yes, I already have a viewer role in Kubernetes RBAC for the target namespace. I don't have a cluster-level viewer role. I think kubectl-tree tries to fetch Secrets in other namespaces (default)?

ahmetb commented 4 years ago

Kubectl tree tries to retrieve every single API resource in your cluster.

In the future we might introduce an --ignore-inaccessible option (and log those failures as warnings), but for now we flat out fail.
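Since kubectl tree lists every API resource type at cluster scope, a quick pre-check of what the current identity is actually allowed to list explains a failure like the one above before running the plugin. This is an added example, not code from kubectl-tree; it assumes `kubectl` is on PATH and pointed at the target cluster, and that `kubectl auth can-i` answers for the same identity kubectl tree will use.

```shell
#!/usr/bin/env sh
# Added example (not part of kubectl-tree): report which list-able API
# resources the current identity cannot list at cluster scope. kubectl tree
# issues a cluster-scope list for every resource type, so any resource printed
# here is one the plugin will fail on with the "forbidden" error shown above.

# Print resources (one per line) that the current identity cannot list cluster-wide.
inaccessible_resources() {
    kubectl api-resources --verbs=list -o name 2>/dev/null |
    while IFS= read -r resource; do
        [ -n "$resource" ] || continue
        # -A checks at cluster scope; -q returns only an exit status
        # (0 = allowed, 1 = denied), which is all we need here.
        if ! kubectl auth can-i list "$resource" -A -q >/dev/null 2>&1; then
            printf '%s\n' "$resource"
        fi
    done
}

# Exit 0 when every list-able resource is accessible, 1 with the blockers
# otherwise, 2 when kubectl itself is unavailable.
precheck_tree() {
    command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found" >&2; return 2; }
    denied=$(inaccessible_resources)
    if [ -z "$denied" ]; then
        echo "all list-able resources are accessible at cluster scope"
        return 0
    fi
    echo "kubectl tree will fail on the following cluster-scope list calls:"
    printf '%s\n' "$denied" | sed 's/^/  /'
    return 1
}

precheck_tree
```

A namespace-scoped viewer Role never satisfies this check for namespaced resources such as Secrets, because the plugin's list call is cluster-wide rather than limited to the namespace the Role covers.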