Use equivalent of `kubectl auth can-i` on Kube contexts

[feloy]

Is your enhancement related to a problem? Please describe

The current implementation for checking the connectivity to Kubernetes contexts uses informers. This solution has some drawbacks:

• the informer is not able to detect that the cluster is unreachable; Podman Desktop needs to define a timeout after which the context is considered unreachable, which complicates and makes the result less accurate
• Podman Desktop doesn't know if the user has the credentials to watch the resources, but we are always watching all resources. The user having limited credentials may result in wrong information (for example for nodes, which are generally not readable in shared clusters, for example OpenShift Sandbox)

Describe the solution you'd like

I propose to query the SelfSubjectRulesReview resource in the cluster to check the connectivity to the cluster, before to start informers. The advantages are:

• the request is using a POST HTTP operation, with which Podman Desktop can detect connectivity error (still using some timeout)
• the SelfSubjectRulesReview are expected to be accessible for all users
• Podman Desktop can use the information to start informers only on the resources the user can watch. Ultimately, we could also check the list permission, to have a degraded implementation using list operation and not watch (informers), if the user has list but not watch permissions.

Describe alternatives you've considered

No response

Additional context

No response

[feloy]

cc @deboer-tim @cdrage

[cdrage]

👍 Would really help improvement. I'm assuming this works fine with OpenShift too?

[feloy]

👍 Would really help improvement. I'm assuming this works fine with OpenShift too?

Yes, I have made a quick PoC, and we have access to the information on OpenShift Sandbox

[jeffmaury]

kubernetes client used groups to deal with resource manipulations but noticed we were processing Routes even on non OpenShift clusters so how do this relates ? Does it includes non standard CRDs ?