iamNoah1 commented 2 years ago

Bug description

I created a new tenant, logged in with the user and tried to get all namespaces which was successful, but shouldn't.

How to reproduce

Create a K8s cluster in Azure (probably the bug is not related to Azure K8s)
Create a tenant
Create a new user using the hackscript
Log in as a user of the tenant
kubectl get namespaces

Steps to reproduce the behavior:

Provide the Capsule Tenant YAML definitions https://github.com/iamNoah1/capsule-demo/blob/master/manifest.yaml
Provide all managed Kubernetes resources3. Not exactly sure what to provide here.

Expected behavior

Not to be able to see cluster wide namespaces

Logs

If applicable, please provide logs of capsule.

In a standard stand-alone installation of Capsule, you'd get this by running kubectl -n capsule-system logs deploy/capsule-controller-manager.

{"level":"info","ts":"2022-07-15T09:14:28.955Z","logger":"setup","msg":"Capsule Version v0.1.1 1bbaebb"}
{"level":"info","ts":"2022-07-15T09:14:28.955Z","logger":"setup","msg":"Build from: https://github.com/clastix/capsule"}
{"level":"info","ts":"2022-07-15T09:14:28.955Z","logger":"setup","msg":"Build date: 2022-01-11T08:55:56"}
{"level":"info","ts":"2022-07-15T09:14:28.955Z","logger":"setup","msg":"Go Version: go1.16.13"}
{"level":"info","ts":"2022-07-15T09:14:28.955Z","logger":"setup","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":"2022-07-15T09:14:29.213Z","logger":"controller-runtime.metrics","msg":"metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":"2022-07-15T09:14:29.260Z","logger":"controller-runtime.builder","msg":"skip registering a mutating webhook, admission.Defaulter interface is not implemented","GVK":"capsule.clastix.io/v1alpha1, Kind=Tenant"}
{"level":"info","ts":"2022-07-15T09:14:29.260Z","logger":"controller-runtime.builder","msg":"skip registering a validating webhook, admission.Validator interface is not implemented","GVK":"capsule.clastix.io/v1alpha1, Kind=Tenant"}
{"level":"info","ts":"2022-07-15T09:14:29.260Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/convert"}
{"level":"info","ts":"2022-07-15T09:14:29.260Z","logger":"controller-runtime.builder","msg":"conversion webhook enabled","object":{"name":""}}
I0715 09:14:30.355707       1 request.go:665] Waited for 1.045488309s due to client-side throttling, not priority and fairness, request: GET:https://10.0.0.1:443/apis/discovery.k8s.io/v1beta1?timeout=32s
{"level":"info","ts":"2022-07-15T09:14:30.972Z","logger":"setup","msg":"skipping setup of Indexer ingress.HostnamePath for object *v1beta1.Ingress","error":"no matches for kind \"Ingress\" in version \"extensions/v1beta1\""}
{"level":"info","ts":"2022-07-15T09:14:32.709Z","logger":"setup","msg":"skipping setup of Indexer ingress.HostnamePath for object *v1beta1.Ingress","error":"no matches for kind \"Ingress\" in version \"networking.k8s.io/v1beta1\""}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/pods"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/namespaces"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/ingresses"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/persistentvolumeclaims"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/services"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/networkpolicies"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/tenants"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/namespace-owner-reference"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/cordoning"}
{"level":"info","ts":"2022-07-15T09:14:32.713Z","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/nodes"}
{"level":"info","ts":"2022-07-15T09:14:32.714Z","logger":"setup","msg":"starting manager"}
I0715 09:14:32.714173       1 leaderelection.go:248] attempting to acquire leader lease capsule-system/42c733ea.clastix.capsule.io...
{"level":"info","ts":"2022-07-15T09:14:32.714Z","logger":"controller-runtime.manager","msg":"starting metrics server","path":"/metrics"}
{"level":"info","ts":"2022-07-15T09:14:32.714Z","logger":"controller-runtime.webhook.webhooks","msg":"starting webhook server"}
{"level":"info","ts":"2022-07-15T09:14:32.715Z","logger":"controller-runtime.certwatcher","msg":"Updated current TLS certificate"}
{"level":"info","ts":"2022-07-15T09:14:32.715Z","logger":"controller-runtime.webhook","msg":"serving webhook server","host":"","port":9443}
{"level":"info","ts":"2022-07-15T09:14:32.715Z","logger":"controller-runtime.certwatcher","msg":"Starting certificate watcher"}
I0715 09:14:49.507497       1 leaderelection.go:258] successfully acquired lease capsule-system/42c733ea.clastix.capsule.io
{"level":"debug","ts":"2022-07-15T09:14:49.507Z","logger":"controller-runtime.manager.events","msg":"Normal","object":{"kind":"ConfigMap","namespace":"capsule-system","name":"42c733ea.clastix.capsule.io","uid":"23b37287-9b2d-4274-9d49-abe5cb1dca46","apiVersion":"v1","resourceVersion":"2327"},"reason":"LeaderElection","message":"capsule-controller-manager-66958595b8-f9pbx_c3aad05f-a2f7-445c-b8f7-7a98b687643a became leader"}
{"level":"debug","ts":"2022-07-15T09:14:49.507Z","logger":"controller-runtime.manager.events","msg":"Normal","object":{"kind":"Lease","namespace":"capsule-system","name":"42c733ea.clastix.capsule.io","uid":"e4f93aeb-af4e-4e23-8c1c-5267c7f3d8fe","apiVersion":"coordination.k8s.io/v1","resourceVersion":"2328"},"reason":"LeaderElection","message":"capsule-controller-manager-66958595b8-f9pbx_c3aad05f-a2f7-445c-b8f7-7a98b687643a became leader"}
{"level":"info","ts":"2022-07-15T09:14:49.507Z","logger":"controller-runtime.manager.controller.capsuleconfiguration","msg":"Starting EventSource","reconciler group":"capsule.clastix.io","reconciler kind":"CapsuleConfiguration","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.507Z","logger":"controller-runtime.manager.controller.capsuleconfiguration","msg":"Starting Controller","reconciler group":"capsule.clastix.io","reconciler kind":"CapsuleConfiguration"}
{"level":"info","ts":"2022-07-15T09:14:49.507Z","logger":"controller-runtime.manager.controller.secret","msg":"Starting EventSource","reconciler group":"","reconciler kind":"Secret","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.507Z","logger":"controller-runtime.manager.controller.secret","msg":"Starting Controller","reconciler group":"","reconciler kind":"Secret"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.secret","msg":"Starting EventSource","reconciler group":"","reconciler kind":"Secret","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.secret","msg":"Starting Controller","reconciler group":"","reconciler kind":"Secret"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting EventSource","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting EventSource","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting EventSource","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting EventSource","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting EventSource","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting EventSource","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting Controller","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controllers.Rbac","msg":"setting up ClusterRoles","ClusterRole":"capsule-namespace-provisioner"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.clusterrole","msg":"Starting EventSource","reconciler group":"rbac.authorization.k8s.io","reconciler kind":"ClusterRole","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.clusterrole","msg":"Starting Controller","reconciler group":"rbac.authorization.k8s.io","reconciler kind":"ClusterRole"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.clusterrolebinding","msg":"Starting EventSource","reconciler group":"rbac.authorization.k8s.io","reconciler kind":"ClusterRoleBinding","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.clusterrolebinding","msg":"Starting EventSource","reconciler group":"rbac.authorization.k8s.io","reconciler kind":"ClusterRoleBinding","source":{}}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.clusterrolebinding","msg":"Starting Controller","reconciler group":"rbac.authorization.k8s.io","reconciler kind":"ClusterRoleBinding"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.service","msg":"Starting EventSource","reconciler group":"","reconciler kind":"Service","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.service","msg":"Starting Controller","reconciler group":"","reconciler kind":"Service"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.endpoints","msg":"Starting EventSource","reconciler group":"","reconciler kind":"Endpoints","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.endpoints","msg":"Starting Controller","reconciler group":"","reconciler kind":"Endpoints"}
{"level":"info","ts":"2022-07-15T09:14:49.508Z","logger":"controller-runtime.manager.controller.endpointslice","msg":"Starting EventSource","reconciler group":"discovery.k8s.io","reconciler kind":"EndpointSlice","source":"kind source: /, Kind="}
{"level":"info","ts":"2022-07-15T09:14:49.509Z","logger":"controller-runtime.manager.controller.endpointslice","msg":"Starting Controller","reconciler group":"discovery.k8s.io","reconciler kind":"EndpointSlice"}
{"level":"info","ts":"2022-07-15T09:14:49.608Z","logger":"controller-runtime.manager.controller.capsuleconfiguration","msg":"Starting workers","reconciler group":"capsule.clastix.io","reconciler kind":"CapsuleConfiguration","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.609Z","logger":"controllers.CapsuleConfiguration","msg":"CapsuleConfiguration reconciliation started","request.name":"default"}
{"level":"info","ts":"2022-07-15T09:14:49.609Z","logger":"controllers.CapsuleConfiguration","msg":"CapsuleConfiguration reconciliation finished","request.name":"default"}
{"level":"info","ts":"2022-07-15T09:14:49.608Z","logger":"controller-runtime.manager.controller.secret","msg":"Starting workers","reconciler group":"","reconciler kind":"Secret","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.609Z","logger":"controllers.CA","msg":"Reconciling CA Secret","Request.Namespace":"capsule-system","Request.Name":"capsule-ca"}
{"level":"info","ts":"2022-07-15T09:14:49.609Z","logger":"controllers.CA","msg":"Handling CA Secret","Request.Namespace":"capsule-system","Request.Name":"capsule-ca"}
{"level":"info","ts":"2022-07-15T09:14:49.609Z","logger":"controllers.CA","msg":"Updating CA secret with new PEM and RSA","Request.Namespace":"capsule-system","Request.Name":"capsule-ca"}
{"level":"info","ts":"2022-07-15T09:14:49.651Z","logger":"controller-runtime.manager.controller.service","msg":"Starting workers","reconciler group":"","reconciler kind":"Service","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.653Z","logger":"controller-runtime.manager.controller.endpointslice","msg":"Starting workers","reconciler group":"discovery.k8s.io","reconciler kind":"EndpointSlice","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.653Z","logger":"controller-runtime.manager.controller.endpoints","msg":"Starting workers","reconciler group":"","reconciler kind":"Endpoints","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.653Z","logger":"controller-runtime.manager.controller.clusterrolebinding","msg":"Starting workers","reconciler group":"rbac.authorization.k8s.io","reconciler kind":"ClusterRoleBinding","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.608Z","logger":"controller-runtime.manager.controller.secret","msg":"Starting workers","reconciler group":"","reconciler kind":"Secret","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.653Z","logger":"controllers.Tls","msg":"Reconciling TLS Secret","Request.Namespace":"capsule-system","Request.Name":"capsule-tls"}
{"level":"info","ts":"2022-07-15T09:14:49.608Z","logger":"controller-runtime.manager.controller.clusterrole","msg":"Starting workers","reconciler group":"rbac.authorization.k8s.io","reconciler kind":"ClusterRole","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.654Z","logger":"controller-runtime.manager.controller.tenant","msg":"Starting workers","reconciler group":"capsule.clastix.io","reconciler kind":"Tenant","worker count":1}
{"level":"info","ts":"2022-07-15T09:14:49.656Z","logger":"controllers.Tls","msg":"Reconciliation completed, processing back in 4319h59m19.345743514s","Request.Namespace":"capsule-system","Request.Name":"capsule-tls"}
{"level":"info","ts":"2022-07-15T09:14:49.660Z","logger":"controllers.Rbac","msg":"setting up ClusterRoles","ClusterRole":"capsule-namespace-deleter"}
{"level":"info","ts":"2022-07-15T09:14:49.665Z","logger":"controllers.Rbac","msg":"setting up ClusterRoleBindings"}
{"level":"info","ts":"2022-07-15T09:14:49.871Z","logger":"controllers.CA","msg":"Reconciliation completed, processing back in 87671h59m9s","Request.Namespace":"capsule-system","Request.Name":"capsule-ca"}
{"level":"debug","ts":"2022-07-15T09:15:06.293Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"e7c919c9-c4c9-4d67-94df-dca6cc1bd91f","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:15:06.294Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"e7c919c9-c4c9-4d67-94df-dca6cc1bd91f","allowed":true}
{"level":"debug","ts":"2022-07-15T09:15:24.862Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"6e29e858-3301-4d2a-ae2e-aea571907785","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:15:24.862Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"6e29e858-3301-4d2a-ae2e-aea571907785","allowed":true}
{"level":"debug","ts":"2022-07-15T09:16:06.678Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"eeaabfa4-9d02-4052-be40-51254e85863e","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:16:06.678Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"eeaabfa4-9d02-4052-be40-51254e85863e","allowed":true}
{"level":"debug","ts":"2022-07-15T09:16:25.246Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"e04a6a51-1e71-4e29-ad3b-096d8ff0c8bb","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:16:25.247Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"e04a6a51-1e71-4e29-ad3b-096d8ff0c8bb","allowed":true}
{"level":"debug","ts":"2022-07-15T09:17:07.009Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"f07eecae-d121-406c-bf19-a016b5e12479","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:17:07.009Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"f07eecae-d121-406c-bf19-a016b5e12479","allowed":true}
{"level":"debug","ts":"2022-07-15T09:17:25.636Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"af522d4b-4fb3-4c4f-962a-fefcdb2cf44d","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:17:25.636Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"af522d4b-4fb3-4c4f-962a-fefcdb2cf44d","allowed":true}
{"level":"debug","ts":"2022-07-15T09:18:07.363Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"87787cb7-2950-46c6-b139-87b16810a4cd","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:18:07.363Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"87787cb7-2950-46c6-b139-87b16810a4cd","allowed":true}
{"level":"debug","ts":"2022-07-15T09:18:25.991Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"73ad577b-add1-451b-9c02-49aadac0298f","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:18:25.991Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"73ad577b-add1-451b-9c02-49aadac0298f","allowed":true}
{"level":"debug","ts":"2022-07-15T09:19:07.696Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"40581c40-6939-4814-9610-70c535a9e03b","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:19:07.697Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"40581c40-6939-4814-9610-70c535a9e03b","allowed":true}
{"level":"debug","ts":"2022-07-15T09:19:26.318Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"c534c21c-b947-4e97-a3f3-17e8f79839a1","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:19:26.319Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"c534c21c-b947-4e97-a3f3-17e8f79839a1","allowed":true}
{"level":"debug","ts":"2022-07-15T09:20:08.012Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"f3512f54-8b22-441e-bedc-2b8c4e22b91e","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:20:08.012Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"f3512f54-8b22-441e-bedc-2b8c4e22b91e","allowed":true}
{"level":"debug","ts":"2022-07-15T09:20:26.699Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"40b07bcb-8418-49bf-a300-9d613319bddb","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:20:26.699Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"40b07bcb-8418-49bf-a300-9d613319bddb","allowed":true}
{"level":"debug","ts":"2022-07-15T09:21:08.365Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"4e758fcd-26e5-4e9a-b107-4c87325481ab","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:21:08.365Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"4e758fcd-26e5-4e9a-b107-4c87325481ab","allowed":true}
{"level":"debug","ts":"2022-07-15T09:21:13.442Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/tenants","UID":"583ad7e6-09be-48a0-b631-d7eee99accb0","kind":"capsule.clastix.io/v1beta1, Kind=Tenant","resource":{"group":"capsule.clastix.io","version":"v1beta1","resource":"tenants"}}
{"level":"debug","ts":"2022-07-15T09:21:13.445Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/tenants","code":200,"reason":"","UID":"583ad7e6-09be-48a0-b631-d7eee99accb0","allowed":true}
{"level":"info","ts":"2022-07-15T09:21:13.552Z","logger":"controllers.Tenant","msg":"Ensuring limit resources count is updated","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.552Z","logger":"controllers.Tenant","msg":"Ensuring all Namespaces are collected","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Starting processing of Namespaces","Request.Name":"jesters","items":0}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Starting processing of Network Policies","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Starting processing of Limit Ranges","Request.Name":"jesters","items":1}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Starting processing of Resource Quotas","Request.Name":"jesters","items":2}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Desired hard pods quota is 3","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Computed pods quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Desired hard requests.cpu quota is 2","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Computed requests.cpu quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Desired hard requests.memory quota is 2Gi","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Computed requests.memory quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Desired hard limits.cpu quota is 2","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Computed limits.cpu quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Desired hard limits.memory quota is 2Gi","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Computed limits.memory quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.571Z","logger":"controllers.Tenant","msg":"Ensuring additional RoleBindings for owner","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.572Z","logger":"controllers.Tenant","msg":"Ensuring RoleBinding for owner","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.572Z","logger":"controllers.Tenant","msg":"Ensuring Namespace count","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.585Z","logger":"controllers.Tenant","msg":"Tenant reconciling completed","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.652Z","logger":"controllers.Tenant","msg":"Ensuring limit resources count is updated","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.652Z","logger":"controllers.Tenant","msg":"Ensuring all Namespaces are collected","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Starting processing of Namespaces","Request.Name":"jesters","items":0}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Starting processing of Network Policies","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Starting processing of Limit Ranges","Request.Name":"jesters","items":1}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Starting processing of Resource Quotas","Request.Name":"jesters","items":2}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Desired hard pods quota is 3","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Computed pods quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Desired hard requests.memory quota is 2Gi","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Computed requests.memory quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Desired hard limits.cpu quota is 2","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Computed limits.cpu quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Desired hard limits.memory quota is 2Gi","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Computed limits.memory quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Desired hard requests.cpu quota is 2","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Computed requests.cpu quota for the whole Tenant is 0","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Ensuring additional RoleBindings for owner","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Ensuring RoleBinding for owner","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.665Z","logger":"controllers.Tenant","msg":"Ensuring Namespace count","Request.Name":"jesters"}
{"level":"info","ts":"2022-07-15T09:21:13.675Z","logger":"controllers.Tenant","msg":"Tenant reconciling completed","Request.Name":"jesters"}
{"level":"debug","ts":"2022-07-15T09:21:27.175Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"b8aa98a9-7e52-4afd-b7ee-faba971550a4","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:21:27.176Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"b8aa98a9-7e52-4afd-b7ee-faba971550a4","allowed":true}
{"level":"debug","ts":"2022-07-15T09:22:08.840Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"1b7de28e-3e64-4586-ade6-373d3b834961","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:22:08.840Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"1b7de28e-3e64-4586-ade6-373d3b834961","allowed":true}
{"level":"debug","ts":"2022-07-15T09:22:27.687Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"1f7a2849-77be-4e92-8b19-bb8056961e5d","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:22:27.687Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"1f7a2849-77be-4e92-8b19-bb8056961e5d","allowed":true}
{"level":"debug","ts":"2022-07-15T09:23:09.224Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"4591aab7-16a0-4e2e-b983-1a2317816071","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:23:09.224Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"4591aab7-16a0-4e2e-b983-1a2317816071","allowed":true}
{"level":"debug","ts":"2022-07-15T09:23:28.035Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"af81f730-e377-4546-ad8f-e64afe0cdd13","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:23:28.035Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"af81f730-e377-4546-ad8f-e64afe0cdd13","allowed":true}
{"level":"debug","ts":"2022-07-15T09:24:09.535Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"9d40e716-d474-4936-a03c-d6a6c7019c0f","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:24:09.536Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"9d40e716-d474-4936-a03c-d6a6c7019c0f","allowed":true}
{"level":"debug","ts":"2022-07-15T09:24:28.423Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"906b4459-43f9-4bd2-a846-025437134391","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:24:28.423Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"906b4459-43f9-4bd2-a846-025437134391","allowed":true}
{"level":"debug","ts":"2022-07-15T09:25:09.879Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"d7aa3343-d667-489b-8fa0-168cac9ae541","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:25:09.879Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"d7aa3343-d667-489b-8fa0-168cac9ae541","allowed":true}
{"level":"debug","ts":"2022-07-15T09:25:28.862Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"26b951dd-2309-4aa7-b770-e9fd3f9aba17","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:25:28.862Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"26b951dd-2309-4aa7-b770-e9fd3f9aba17","allowed":true}
{"level":"debug","ts":"2022-07-15T09:26:10.226Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"15fc9826-45c3-4f60-8c15-f26bc73a9502","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:26:10.227Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"15fc9826-45c3-4f60-8c15-f26bc73a9502","allowed":true}
{"level":"debug","ts":"2022-07-15T09:26:29.242Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"6887275d-b082-4933-9bf4-28c7bf9d6da9","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:26:29.242Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"6887275d-b082-4933-9bf4-28c7bf9d6da9","allowed":true}
{"level":"debug","ts":"2022-07-15T09:27:10.563Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"11b57180-e988-40d1-8f9a-cd10efd2f7b0","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:27:10.564Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"11b57180-e988-40d1-8f9a-cd10efd2f7b0","allowed":true}
{"level":"debug","ts":"2022-07-15T09:27:29.590Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"7e0fe984-f791-48c8-8523-df6b9b62ef10","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:27:29.590Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"7e0fe984-f791-48c8-8523-df6b9b62ef10","allowed":true}
{"level":"debug","ts":"2022-07-15T09:28:10.975Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"8f0d99e1-4bde-431c-b9fb-17f7d8639f04","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:28:10.975Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"8f0d99e1-4bde-431c-b9fb-17f7d8639f04","allowed":true}
{"level":"debug","ts":"2022-07-15T09:28:30.002Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"f68c991f-863b-44ed-8a40-3eee83aea30f","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:28:30.002Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"f68c991f-863b-44ed-8a40-3eee83aea30f","allowed":true}
{"level":"debug","ts":"2022-07-15T09:29:11.387Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"ab16f126-e50d-453e-a4ed-43cb7487ea5f","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:29:11.387Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"ab16f126-e50d-453e-a4ed-43cb7487ea5f","allowed":true}
{"level":"debug","ts":"2022-07-15T09:29:30.434Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"aa9c3d4d-e22a-4a47-bea5-117f7e1ee16c","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:29:30.434Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"aa9c3d4d-e22a-4a47-bea5-117f7e1ee16c","allowed":true}
{"level":"debug","ts":"2022-07-15T09:30:11.754Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/nodes","UID":"9b51d855-a07a-4be2-a8a2-d5ce8f954158","kind":"/v1, Kind=Node","resource":{"group":"","version":"v1","resource":"nodes"}}
{"level":"debug","ts":"2022-07-15T09:30:11.754Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/nodes","code":200,"reason":"","UID":"9b51d855-a07a-4be2-a8a2-d5ce8f954158","allowed":true}

Additional context

Capsule version: (capsule --version): 0.1.1
Helm Chart version: (helm list -n capsule-system): 0.1.8

Kubernetes version: (kubectl version)

Client Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.4-dirty", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"dirty", BuildDate:"2021-03-15T09:51:17Z", GoVersion:"go1.16.2", Compiler:"gc", Platform:"darwin/arm64"}
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.11", GitCommit:"6b66c9a34569cd5a6e330eda21d1d8bd792e164e", GitTreeState:"clean", BuildDate:"2022-06-21T17:14:21Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

maxgio92 commented 2 years ago

Hi @iamNoah1, thanks for reporting this. We're going to try to reproduce the issue. Keep you posted :-)

maxgio92 commented 2 years ago

Hey @iamNoah1 in order to do this:

Log in as a user of the tenant

which commands you run?

I followed these steps:

# Crate the AKS cluster 
az group create capsule-603
az aks create --resource-group capsule-603 --name capsule-603
kubectl version --short                                                                                                                                                                                
...
Server Version: v1.22.11

# Capsule insallation
helm upgrade --install capsule clastix/capsule
CAPSULE_REPO=$(mktemp -d)
git clone https://github.com/clastix/capsule $CAPSULE_REPO
cd $CAPSULE_REPO

# Create the Tenant owner User and certificates and kubeconfig
./hack/create-user.sh noah jesters
...
kubectl apply -f https://github.com/iamNoah1/capsule-demo/raw/master/manifest.yaml # the jesters Tenant

# List Namespaces
KUBECONFIG=noah-jesters.kubeconfig kubectl get ns                                                                                                                                                  
Error from server (Forbidden): namespaces is forbidden: User "noah" cannot list resource "namespaces" in API group "" at the cluster scope

# Create Namespaces
KUBECONFIG=noah-jesters.kubeconfig kubectl create ns noah-ns                                                                                                                                         
namespace/noah-ns created

but as you see I wasn't able to reproduce the issue.

Also, which version of Capsule you installed?

Thanks

iamNoah1 commented 2 years ago

hm, crazy :/ ... how to see the version of capsule?

helm list -n capsule-system says

NAME    NAMESPACE       REVISION    UPDATED                                 STATUS      CHART           APP VERSION
capsule capsule-system  1           2022-07-11 17:56:22.353522 +0200 CEST   deployed    capsule-0.1.8   0.1.1

maxgio92 commented 2 years ago

@iamNoah1 please run:

kubectl -n capsule-system get pods -l app.kubernetes.io/instance=capsule -o=jsonpath='{.items[].spec.containers[].image}'

You should see something like:

quay.io/clastix/capsule:v0.1.1

iamNoah1 commented 2 years ago

@maxgio92 output is the same as yours: quay.io/clastix/capsule:v0.1.1

maxgio92 commented 2 years ago

Thanks @iamNoah1. Could you write down each single step/command you do in order to reproduce the issue? So that we can compare them :-)

iamNoah1 commented 2 years ago

terraform apply --var resource_group="multitenancy" --var aks_name="multitenant-aks" using https://github.com/iamNoah1/terraform-aks
echo "$(terraform output -raw kube_config)" > ./azurek8s
export KUBECONFIG=pwd/azurek8s
helm repo add clastix https://clastix.github.io/charts
helm install capsule clastix/capsule -n capsule-system --create-namespace
change dir to capsule-demo (https://github.com/iamNoah1/capsule-demo)
kubectl apply -f manifest.yaml
./create-user.sh noah jesters
export KUBECONFIG=noah-jesters.kubeconfig
kubectl get namespaces

bsctl commented 2 years ago

@iamNoah1 could you please tell us what's your expected outcome after the latest command?

kubectl get namespaces

what you're expecting here?

Since the user noah is tenant owner of the jesters tenant, he cannot get namespaces at cluster level as @maxgio92 explained in his example:

# List Namespaces
KUBECONFIG=noah-jesters.kubeconfig kubectl get ns                                                                                                                                                  
Error from server (Forbidden): namespaces is forbidden: User "noah" cannot list resource "namespaces" in API group "" at the cluster scope

Capsule is designed to restrict namespaces access to tenant owners, so the tenant owner can only create namespaces in his tenant:

KUBECONFIG=noah-jesters.kubeconfig kubectl create namespace development
KUBECONFIG=noah-jesters.kubeconfig kubectl create namespace production

KUBECONFIG=noah-jesters.kubeconfig kubectl get ns                                                                                                                                                  
Error from server (Forbidden): namespaces is forbidden: User "noah" cannot list resource "namespaces" in API group "" at the cluster scope

If you want user noah getting his own namespaces only, then you can use the capsule-proxy that is basically a reverse proxy in front of the kubernetes APIs server dealing with tenant owner permissions:

after configuring the capsule-proxy

KUBECONFIG=noah-jesters.kubeconfig kubectl get ns 
NAME          STATUS   AGE
production   Active   36m
development   Active   36m

Hope this helps

iamNoah1 commented 2 years ago

My expected outcome is that I cannot see any namespaces, but I can see every namespace

bsctl commented 2 years ago

... but I can see every namespace

Likely you're acting as cluster admin, check the noah-jesters.kubeconfig file and the kubectl context

iamNoah1 commented 2 years ago

yeah, something is messed up. Strange thing is, that everything works fine using an existing cluster. Anyhow, I assume that everything works fine with capsule and it is just an issue on my side. Thought, it could have something to do with the k8s version.

maxgio92 commented 2 years ago

I think @iamNoah1 as @bsctl you likely used a wrong context of the kubeconfig, using a cluster admin instead of the tenant owner.

Anyway, if you experience this issue again do not hesitate to let us know :-)

projectcapsule / capsule

Isolation does not work on K8s 1.22.11 (on Azure AKS) #603

Bug description

How to reproduce

Expected behavior

Logs

Additional context