derailed / k9s

🐶 Kubernetes CLI To Manage Your Clusters In Style!
https://k9scli.io
Apache License 2.0
26.41k stars 1.65k forks

k9s fails to connect if only namespace access is provided without access to selfsubjectaccessreviews and access to list all namespaces #2687

Open unicman opened 4 months ago

unicman commented 4 months ago




**Describe the bug**

k9s relies on access to selfsubjectaccessreviews and access to all namespaces. Requesting to remove that requirement, please, so that a cluster with only a specific namespace can be visualized in the k9s tool.

It is possible to connect to the Kubernetes cluster using kubectl properly. The `kubectl get pods` / `kubectl get jobs` commands give a successful response.

However, trying to connect using k9s keeps giving an error:

```
kubectl get pods
NAME                 READY   STATUS             RESTARTS   AGE
shmpri-p-jg8lh   0/1     ImagePullBackOff   0          21h

k9s -n $MY_NAMESPACE_NAME
Error: [list] access denied on resource "shmpri":"v1/pods"

...

panic: [list] access denied on resource "shmpri":"v1/pods"

goroutine 1 [running]:
github.com/derailed/k9s/cmd.Execute()
    github.com/derailed/k9s/cmd/root.go:72 +0x80
main.main()
    github.com/derailed/k9s/main.go:32 +0x1c
```

K9s logs indicate an error in accessing selfsubjectaccessreviews and the list of all namespaces ... our admin can't provide access to these for security reasons.

```
2:08PM INF 🐶 K9s starting up...
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN namespace validation failed for: "shmpri" error="user not authorized to list all namespaces"
2:08PM INF ✅ Kubernetes connectivity
2:08PM WRN namespace validation failed for: "shmpri" error="user not authorized to list all namespaces"
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN Fail CRDs load error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM WRN   Dial Failed! error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM ERR Component init failed for "Pod" error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM ERR Default run command failed "pod" error="selfsubjectaccessreviews.authorization.k8s.io is forbidden: User \"unicman\" cannot create resource \"selfsubjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope: Authorization failed"
2:08PM ERR Component init failed for "Pod" error="[list] access denied on resource \"shmpri\":\"v1/pods\""
```

**To Reproduce**

Steps to reproduce the behavior:

  1. Create a Kubernetes cluster.
  2. Create namespace 'shmpri'.
  3. Remove access to selfsubjectaccessreviews and all namespaces from user account 'unicman'. Give full access to 'unicman' for all resources of namespace 'shmpri'. This includes resources like pods and services but not ones like namespaces and nodes.
  4. `brew install kubernetes-cli` on a Mac laptop.
  5. `brew install k9s` on a Mac laptop.
  6. Generate a kubeconfig to connect to the cluster and specifically namespace 'shmpri'. Ensure `~/.kube/config` is present.
  7. Execute `kubectl apply -f <sample.yaml>`. sample.yaml can be any standard pod / job deployment. The issue is not about it, so it doesn't matter what you would use.
  8. Execute `kubectl get pods`. Ensure that pod(s) are visible in the 'shmpri' namespace.
  9. Execute `k9s`. The expected behavior is that the text UI would open and allow k8s resources to be viewed. But it fails.
  10. Execute `k9s -n shmpri`. The expected behavior is that the text UI would open and allow k8s resources to be viewed. But it fails.

**Historical Documents**

N/A

**Expected behavior**

k9s should allow traversing all pods and jobs etc. in namespace 'shmpri'.

**Screenshots**

Console output pasted above.

**Versions (please complete the following information):**

```
Version: v0.32.4
Commit: d3027c8f2916b23606f647f47b434b08fc34bdf8
Date: 2024-03-20T19:16:59Z
```

- K8s:

```
kubectl version
Client Version: v1.30.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.26.2
```



**Additional context**

N/A

clementnuss commented 2 months ago

I'm encountering the same bug. It can be reproduced when a nonexistent namespace, or one for which my user doesn't have credentials, is used.

I would suggest adding a new check at startup, in the `InitConnection` function, and reusing the `CanI` function to make sure we can at least get pods. https://github.com/derailed/k9s/blob/626bde11f31e08cf8081bced7d911f6d121582fc/internal/client/client.go#L147

If that's not possible, we should fall back to showing the context switch panel when starting the app.

https://github.com/derailed/k9s/blob/626bde11f31e08cf8081bced7d911f6d121582fc/internal/view/command.go#L213-L215

What's your take on this, @derailed? If it seems like a valid check, I will submit a PR.
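
As an added illustration of the startup check discussed in this thread (not k9s code and not written by either commenter): a forbidden SelfSubjectAccessReview is treated as "cannot ask" rather than "no", and the check falls back to the namespaced list that `kubectl get pods` already performs. `Cluster`, `Preflight`, `fake` and `ErrForbidden` are hypothetical names, and the cluster is a constructed in-memory stand-in.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden stands in for an HTTP 403 from the API server (constructed here).
var ErrForbidden = errors.New("forbidden")

// Cluster is a hypothetical interface over the two requests involved; it is not k9s's API.
type Cluster interface {
	Review(ns, verb, resource string) (bool, error) // SelfSubjectAccessReview
	List(ns, resource string) error                 // the real namespaced list call
}

// Preflight returns nil (allowed), ErrForbidden (denied) or any other error (unknown).
func Preflight(c Cluster, ns string) error {
	ok, err := c.Review(ns, "list", "pods")
	if errors.Is(err, ErrForbidden) {
		return c.List(ns, "pods") // cannot ask, so try the real request instead
	}
	if err == nil && !ok {
		return ErrForbidden // the review answered "no"
	}
	return err // nil when allowed; network or server errors pass through unchanged
}

// fake is a constructed cluster: canReview=false models a user without SSAR create rights.
type fake struct{ canReview bool; listable map[string]bool }

func (f fake) Review(ns, _, _ string) (bool, error) {
	if !f.canReview {
		return false, ErrForbidden
	}
	return f.listable[ns], nil
}

func (f fake) List(ns, _ string) error {
	if !f.listable[ns] {
		return ErrForbidden
	}
	return nil
}

func main() {
	c := fake{listable: map[string]bool{"shmpri": true}} // canReview is false, as in the issue
	fmt.Println(Preflight(c, "shmpri"), Preflight(c, "default"))
}
```

A caller can branch on `errors.Is(err, ErrForbidden)` to show a context or namespace picker, and surface every other error as a connectivity problem.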