Closed lcasavola closed 6 days ago
hey @lcasavola,
thanks for the report.
yeah, to create the client, kftray is listing the namespaces to test the client before create...
i've made a fix for this validation and the change is in this PR: https://github.com/hcavarsan/kftray/pull/312
i'll let you know as soon as i release the new version.
in this new version, with the port-forward configured in kftray, you only need this role at the namespace level for the port forward to work:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${NAMESPACE}
  name: port-forward-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["get", "list", "create"]
```
the service permission is needed for kftray to find the service ports and perform the port forward via pod directly.
and for the pod permission, it's to ensure that if a pod dies, the port forward remains active on another pod.
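One way to confirm that a restricted user actually holds each permission in the Role above, using `kubectl auth can-i` with impersonation. This is an added example, not part of the original comment or of kftray; the function name, script name and the namespace and subject in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not kftray code): check that a subject holds every
# permission listed in the port-forward Role quoted in this thread.
# Impersonation via --as needs "impersonate" rights for the caller.

# check_portforward_rbac NAMESPACE SUBJECT
# Prints OK/DENIED per permission; returns 1 if anything is denied.
check_portforward_rbac() {
    ns=$1
    subject=$2
    missing=0
    # verb:resource[:subresource], copied from the Role's rules
    for perm in get:pods list:pods get:services list:services \
        get:pods:portforward list:pods:portforward create:pods:portforward
    do
        verb=${perm%%:*}
        rest=${perm#*:}
        resource=${rest%%:*}
        label=$resource
        sub_flag=
        case $rest in
            *:*) sub_flag="--subresource=${rest#*:}"
                 label="$resource/${rest#*:}" ;;
        esac
        # $sub_flag is left unquoted on purpose so it vanishes when empty
        if kubectl auth can-i "$verb" "$resource" $sub_flag \
            -n "$ns" --as "$subject" >/dev/null 2>&1
        then
            echo "OK     $verb $label"
        else
            echo "DENIED $verb $label"
            missing=1
        fi
    done
    return "$missing"
}

# Run only when called with arguments, e.g. (hypothetical names):
#   sh check-rbac.sh my-namespace system:serviceaccount:my-namespace:kftray-user
if [ "$#" -eq 2 ]; then
    check_portforward_rbac "$1" "$2"
fi
```

A `DENIED` line on any `pods/portforward` verb points at the Role or its binding rather than at the client when a forward fails with `403 Forbidden`.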
done @lcasavola https://github.com/hcavarsan/kftray/releases/tag/v0.14.6
I tested with v0.14.7 and it works now by assigning verbs "get", "list" to resources: ["pods/portforward"]. Many thanks, great job. Bye for now.
hello again @hcavarsan,

I thought everything was working by allowing get/list namespaces capability to my restricted user, but unfortunately it doesn't. I can configure a port forward redirection with no errors, but when I start the forward the redirection doesn't work. The app log shows the following error:

```
ERROR kftray_portforward::port_forward] failed to forward connection error=failed to upgrade to a WebSocket connection: failed to switch protocol: 403 Forbidden
```

The same configuration with kubectl works correctly.

Rgds
Luca