astefanutti / kubebox

⎈❏ Terminal and Web console for Kubernetes
http://astefanutti.github.io/kubebox
MIT License

Improved message when not authorised to list namespaces #71

Open vgibilmanno opened 5 years ago

vgibilmanno commented 5 years ago

I can't use kubebox when I only have access to a namespace in a cluster. It would be awesome if I could use kubebox just for the namespace I have access to, ignoring everything outside the namespace.

vgibilmanno commented 4 years ago

@astefanutti The tokens are different. The first 190 characters are identical. The next several thousand characters are different.

astefanutti commented 4 years ago

I don't understand why it does not work when a token generated with AWS CLI, that verifies correctly, is copied into the kubeconfig file and used by Kubebox. And why a token generated within Kubebox does not verify!

I've stumbled upon kubernetes-sigs/aws-iam-authenticator#157. I'm not sure if that applies to that issue to some extent.

astefanutti commented 4 years ago

@vgibilmanno could you try:

$ curl -k -v -H "Authorization: Bearer `aws-iam-authenticator token -i SOMEOTHERNAME -r arn:aws:iam::SOMEROLEID:role/SOMEROLE | jq -r .status.token`" https://OMITTED.amazonaws.com/api/v1/namespaces/SOMENAMESPACE/pods
vgibilmanno commented 4 years ago

@astefanutti This one worked!

*   Trying SOMEIP:443...
* TCP_NODELAY set
* Connected to OMMITED.amazonaws.com (SOMEIP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=kube-apiserver
*  start date: Jan 23 14:39:32 2019 GMT
*  expire date: Nov 17 23:02:45 2020 GMT
*  issuer: CN=kubernetes
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5653cfda06e0)
> GET /api/v1/namespaces/SOMENAMESPACE/pods HTTP/2
> Host: OMMITED.amazonaws.com
> User-Agent: curl/7.66.0
> Accept: */*
> Authorization: Bearer SOMETOKEN
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< audit-id: c62fa312-7120-426b-970e-9663a90ec01f
< content-type: application/json
< date: Fri, 29 Nov 2019 15:58:25 GMT
<
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces/SOMENAMESPACE/pods",
    "resourceVersion": "82672454"
  },
  "items": [SOMEITEMS]
}
* Connection #0 to host OMMITED.amazonaws.com left intact
astefanutti commented 4 years ago

@vgibilmanno, good, what about:

$ curl -k -v -H "Authorization: Bearer `aws-iam-authenticator token -i SOMEOTHERNAME -r arn:aws:iam::SOMEROLEID:role/SOMEROLE | jq -r .status.token`" https://OMITTED.amazonaws.com/

$ curl -k -v -H "Authorization: Bearer `aws-iam-authenticator token -i SOMEOTHERNAME -r arn:aws:iam::SOMEROLEID:role/SOMEROLE | jq -r .status.token`" https://OMITTED.amazonaws.com/api

$ curl -k -v -H "Authorization: Bearer `aws-iam-authenticator token -i SOMEOTHERNAME -r arn:aws:iam::SOMEROLEID:role/SOMEROLE | jq -r .status.token`" https://OMITTED.amazonaws.com/api/v1/namespaces
vgibilmanno commented 4 years ago

@astefanutti Only the 2nd command worked. The others fail with status code 403 Forbidden. The 2nd command has the following response body:

{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "OMITTED.compute.internal:443"
    }
  ]
}

I tried the following command and it worked too returning a huge json object:

$ curl -k -v -H "Authorization: Bearer `aws-iam-authenticator token -i SOMEOTHERNAME -r arn:aws:iam::SOMEROLEID:role/SOMEROLE | jq -r .status.token`" https://OMITTED.amazonaws.com/api/v1

astefanutti commented 4 years ago

@vgibilmanno thanks a lot. Can you confirm the following command returns 403:

$ curl -k -v -H "Authorization: Bearer `aws-iam-authenticator token -i SOMEOTHERNAME -r arn:aws:iam::SOMEROLEID:role/SOMEROLE | jq -r .status.token`" https://OMITTED.amazonaws.com/api/v1/namespaces
vgibilmanno commented 4 years ago

@astefanutti Yes

< HTTP/2 403
< audit-id: 31bb7393-cefd-414b-8956-898135d0da83
< content-type: application/json
< x-content-type-options: nosniff
< content-length: 347
< date: Fri, 29 Nov 2019 16:56:30 GMT
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "namespaces is forbidden: User \"SOMEUSER\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "namespaces"
  },
  "code": 403
}
* Connection #0 to host OMITTED.amazonaws.com left intact
astefanutti commented 4 years ago

OK so I think we've nailed down the root cause of this issue. Your user account is not granted permission to list namespaces.

As a work-around, could you update your kubeconfig file and add the namespace you have access to, e.g.:

- context:
    cluster: SOMENAME
    user: SOMENAME
    namespace: NAMESPACE
...

Then run Kubebox.

vgibilmanno commented 4 years ago

@astefanutti ok yes, now it works. But it seems like I don't have permissions to see the resource usage metrics. I can execute kubectl top pod though. Well... better than nothing :) I hope I didn't waste too much of your time.

astefanutti commented 4 years ago

@vgibilmanno great! Thanks for the feedback. Resource usage metrics require extra permissions to proxy nodes.

Thanks a lot for your collaboration on this. I think we can leave that issue open so that we improve the error message when the user is granted permission to list the namespaces and no namespace is provided.

bradam12 commented 4 years ago

I'm 99% sure this issue will cover this but I get an ugly error when I try and list namespaces. I only have access to a single namespace, and it works fine otherwise, but if I hit N to list namespaces this comes up. I understand why it won't let me, but catching the error with a better message would be cool.

[Screenshot: Screen Shot 2020-01-16 at 3 26 39 PM]

astefanutti commented 4 years ago

@bradamson thanks a lot for the feedback. I agree with your suggestion to catch the error and display a proper message in the namespaces list box, instead of dumping the stack trace.
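The two behaviours discussed in this thread, the kubeconfig-context namespace work-around and catching the 403 on the namespace list instead of dumping a stack trace, as one added example in Node.js. This is not kubebox's own code; the object shapes (a parsed kubeconfig as a plain object, responses as `{ statusCode, body }` from a hypothetical HTTP client), the function names and the sample data are all assumptions. The constructed 403 body mirrors the `Status` object returned by the API server earlier in the thread.

```javascript
// Added example (not kubebox code): pick the namespaces to offer in the UI.
// On HTTP 403 from GET /api/v1/namespaces the user cannot list namespaces at
// cluster scope, so fall back to the namespace set on the kubeconfig context
// and return a readable message instead of throwing an uncaught error.
// Shapes, names and sample data below are assumptions for illustration.

// Constructed kubeconfig; same shape as the work-around context in the thread.
const SAMPLE_KUBECONFIG = {
  'current-context': 'SOMENAME',
  contexts: [
    { name: 'SOMENAME', context: { cluster: 'SOMENAME', user: 'SOMENAME', namespace: 'NAMESPACE' } },
  ],
};

// Constructed responses ({ statusCode, body }) as a hypothetical HTTP client
// would hand them back. The 403 body mirrors the Status object in the thread.
const FORBIDDEN_RESPONSE = {
  statusCode: 403,
  body: JSON.stringify({
    kind: 'Status', apiVersion: 'v1', metadata: {}, status: 'Failure',
    message: 'namespaces is forbidden: User "SOMEUSER" cannot list resource "namespaces" in API group "" at the cluster scope',
    reason: 'Forbidden', details: { kind: 'namespaces' }, code: 403,
  }),
};
const NAMESPACE_LIST_RESPONSE = {
  statusCode: 200,
  body: JSON.stringify({
    kind: 'NamespaceList', apiVersion: 'v1', metadata: {},
    items: [{ metadata: { name: 'default' } }, { metadata: { name: 'kube-system' } }],
  }),
};

// Raised only when there is no namespace to fall back to; carries the parsed
// Kubernetes Status object so a caller can still inspect reason/code.
class ForbiddenError extends Error {
  constructor(message, status) {
    super(message);
    this.name = 'ForbiddenError';
    this.status = status;
  }
}

// Namespace of the current context, or undefined when the context sets none.
function namespaceFromKubeconfig(kubeconfig) {
  const current = kubeconfig['current-context'];
  const entry = (kubeconfig.contexts || []).find(c => c.name === current);
  return entry && entry.context ? entry.context.namespace : undefined;
}

// The API server answers with a `Status` object on errors and a list kind
// (`NamespaceList`, `PodList`, ...) on success; both are JSON.
function parseBody(body) {
  return typeof body === 'string' ? JSON.parse(body) : body;
}

// Returns { namespaces, message }. `message` is non-null only when the list
// had to be replaced by the kubeconfig fallback, so the UI can display it in
// the namespaces box rather than a stack trace.
function resolveNamespaces(response, kubeconfig) {
  const body = parseBody(response.body);
  if (response.statusCode === 200 && body.kind === 'NamespaceList') {
    return { namespaces: body.items.map(item => item.metadata.name), message: null };
  }
  if (response.statusCode === 403 && body.kind === 'Status') {
    const fallback = namespaceFromKubeconfig(kubeconfig);
    const why = body.message || 'forbidden';
    if (fallback) {
      return {
        namespaces: [fallback],
        message: `Cannot list namespaces (${why}). Using namespace "${fallback}" from the kubeconfig context.`,
      };
    }
    throw new ForbiddenError(
      `Cannot list namespaces (${why}). Set a namespace on the kubeconfig context and retry.`, body);
  }
  // Anything else (401, 5xx, unexpected kind) is a genuine error for the caller.
  throw new Error(`Unexpected response: HTTP ${response.statusCode}, kind ${body.kind}`);
}

// Stand-alone run over the constructed samples.
console.log(resolveNamespaces(NAMESPACE_LIST_RESPONSE, SAMPLE_KUBECONFIG));
console.log(resolveNamespaces(FORBIDDEN_RESPONSE, SAMPLE_KUBECONFIG));
try {
  resolveNamespaces(FORBIDDEN_RESPONSE, { 'current-context': 'SOMENAME', contexts: [] });
} catch (e) {
  console.log(`${e.name}: ${e.message}`);
}
```

The 403 branch deliberately keys on both the status code and `kind: "Status"`: a bare 403 from a proxy or load balancer in front of the API server would not carry a Kubernetes `Status` body and should not be mistaken for an RBAC denial.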