Open mhoshi-vm opened 3 years ago
Thank you for opening this issue, this has been one of those long standing whack-a-mole things we've worked on and we haven't got quite right yet.
Right now, Octant cannot infer the access level. It would have to perform SelfSubjectAccessReview checks before making requests. So we opt for making the request and letting if fail with a warning.
That said, the fact that the overview is not loading properly for you is a bug. Even if Octant fails to watch resources due to RBAC restrictions this should not prevent loading the reasons the service account does have access to.
I'm seeing this one too. Similar setup to the one described by OP.
I had a poke around the back end code to see if i could pin point where the issue was coming from (I couldn't). Then started to wonder if the WARNs about watchers were actually unrelated.
I noticed that from the front end we get the following from parseWebsocketMessage
and thought it could be worth investigating:
{error: "action path \"action.octant.dev/setNamespace\" not found", requestType: "action.octant.dev/setNamespace"}
Does this seem legit or am I crossing wires?
Describe the problem/challenge you have Related to #141 . Although the above issue has introduce to disable cluster overview page(
disable-cluster-overview
flag), the namespace overview request cluster scope access to several resources, not allowing to open correctly when using a strict kubeconfig file.Namely we see that it tries to access
secrets
,roles
,rolebindings
from cluster scope. Especially we never would want to allowsecrets
cluster scope.Describe the solution you'd like If
disable-cluster-overview
is enabled should never access cluster scope resourcesEnvironment:
octant version
): 0.21.0kubectl version
): v1.20.7