Closed StanMichel closed 3 weeks ago
Hi, there are multiple issues with your approach:
The command you are expecting to work, kubectl get pods, rightfully does not work anymore, because the namespace default is not in a tenant that alice is an owner of.
I recommend you first go through the documentation: https://projectcapsule.dev/docs/tenants/
Alice needs a dedicated namespace:
KUBECONFIG=alice-oil.kubeconfig kubectl create ns oil-dev
KUBECONFIG=alice-oil.kubeconfig kubectl get pod -n oil-dev
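The namespace scoping described in the reply above can be checked without touching any workload. This is an added example, not part of the original thread or the Capsule project; it assumes the alice-oil.kubeconfig file and the default and oil-dev namespaces named in the thread, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: report, per namespace, whether the user behind a kubeconfig
# may list pods. Function names are hypothetical; the kubeconfig and namespace
# names are the ones used in this thread.

# can_list_pods KUBECONFIG NAMESPACE
# Asks the API server, as the kubeconfig's user, whether "list pods" is allowed.
# kubectl auth can-i exits non-zero when the answer is "no".
# Note: an unreachable cluster also yields a non-zero exit and is reported as denied.
can_list_pods() {
  KUBECONFIG="$1" kubectl auth can-i list pods -n "$2" >/dev/null 2>&1
}

# scope_report KUBECONFIG NAMESPACE...
# Prints one "<namespace> allowed" or "<namespace> denied" line per namespace.
scope_report() {
  cfg="$1"
  shift
  for ns in "$@"; do
    if can_list_pods "$cfg" "$ns"; then
      echo "$ns allowed"
    else
      echo "$ns denied"
    fi
  done
}

# Runs against a live cluster only when called with arguments, e.g.
#   ./scope-report.sh alice-oil.kubeconfig default oil-dev
if [ "$#" -ge 2 ]; then
  scope_report "$@"
fi
```

A denied line for default next to an allowed line for oil-dev matches the behaviour the reply describes: the tenant owner's permissions exist only in namespaces that belong to the tenant.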
Creating the dedicated namespaces and listing the pods in that namespace as you suggested didn't work with my configuration, but a clean installation and installing Capsule through helm worked for me!
Thanks for taking the time to respond as quickly as you did :) But might I suggest that the supported approach be reflected in the documentation? The first option in the Getting started section is to install through the YAML file.
Bad timing from your side :P, we are on the final steps of migrating to the helm chart https://github.com/projectcapsule/capsule/pull/1065
The documentation will also be deprecated
Bug description
I've created a tenant in a clean Kubernetes cluster, by following the docs. Afterwards, I ran the hack/create-user.sh to create a dummy kubeconfig file. With this file exported, I could always list the pods in the newly created tenant. As of today, I get the following error:
Note: This always worked for me until this morning
I tested this on a clean Kind & Debian environment.
How to reproduce
Steps to reproduce the behavior:
In a clean Kind environment, I executed the following commands:
kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/install.yaml
Note: I also tried
apiVersion: capsule.clastix.io/v1beta1
kubectl get tenants (to verify if the tenant oil is active)
./create-user.sh alice oil
KUBECONFIG=alice-oil.kubeconfig kubectl get pods (This results in a 403)
We've tested this on several macOS machines. I'm running Sonoma 14.5
Expected behavior
Not being forbidden when I list the pods - or another k8s resource - when logged in as the tenant owner.
Logs
Additional context
(capsule --version) - the newest
(helm list -n capsule-system) - not installed
(kubectl version):