jinnovation / kele.el

🥤 Spritzy Kubernetes cluster management for Emacs
https://jonathanj.in/kele.el/
Apache License 2.0

Proxy server readiness check needs to respect auth #191

Open jinnovation opened 2 months ago

jinnovation commented 2 months ago

Not all users have permission to query /readyz or /livez; attempting to do so returns an error.

> curl 127.0.0.1:8001/readyz
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}%

Currently, attempting to create a proxy server via kele.el in such scenarios simply retries over and over again (ready-p drops the error) until it eventually fails.

Two things need to happen (not necessarily all in this ticket):

  1. ready-p needs to detect no-auth scenario and fail immediately
  2. proxy-get needs a different wait mechanism if user does not have the right auth.

jinnovation commented 2 months ago

Might be able to use SelfSubjectAccessReview to check if user has permission to query readyz and livez. Specifically, .spec.nonResourceAttributes.

jinnovation commented 2 months ago

Turns out this can be due to the user not being logged into the server. Example output from kubectl auth can-i:

> kubectl auth can-i get /authz
error: You must be logged in to the server (Unauthorized)
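
An added sketch of the fail-fast readiness behaviour the issue asks of ready-p, written in Python rather than kele.el's Emacs Lisp; it is not code from the kele.el project. The names `classify`, `wait_ready`, `access_review` and `ProxyAuthError` are hypothetical, and treating 403 the same as the 401 shown in the issue is an assumption.

```python
import json
import time

# Constructed sample: the Status body from the curl output quoted in the issue.
UNAUTHORIZED_BODY = ('{"kind": "Status", "apiVersion": "v1", "metadata": {}, '
                     '"status": "Failure", "message": "Unauthorized", '
                     '"reason": "Unauthorized", "code": 401}')


class ProxyAuthError(Exception):
    """The API server rejected the probe; retrying cannot fix this."""


def access_review(path):
    """SelfSubjectAccessReview body asking: may I GET this non-resource path?"""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"nonResourceAttributes": {"path": path, "verb": "get"}},
    }


def classify(status, body):
    """Map one probe response to 'ready', 'auth-failure' or 'retry'."""
    if status == 200:
        return "ready"
    code = status
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and doc.get("kind") == "Status":
            code = doc.get("code", status)
    except ValueError:
        pass  # non-JSON body: fall back to the HTTP status code
    return "auth-failure" if code in (401, 403) else "retry"


def wait_ready(probe, attempts=5, delay=0.0):
    """probe() returns (status, body), or raises OSError while the proxy starts."""
    for _ in range(attempts):
        try:
            verdict = classify(*probe())
        except OSError:
            verdict = "retry"  # connection refused: proxy not listening yet
        if verdict == "ready":
            return True
        if verdict == "auth-failure":
            # Surface the error instead of dropping it and retrying.
            raise ProxyAuthError("probe rejected (401/403); not retrying")
        time.sleep(delay)
    return False
```

Raising on the first 401/403 gives the caller a distinct error to report, instead of the retry loop timing out with no explanation.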