search

vmware-archive / octant

Highly extensible platform for developers to better understand the complexity of Kubernetes clusters.
https://octant.dev
Apache License 2.0
6.28k stars 485 forks source link

Disable cluster scope viewing on a namespace overview page #2687

Open mhoshi-vm opened 3 years ago

mhoshi-vm commented 3 years ago

Describe the problem/challenge you have Related to #141 . Although the above issue has introduce to disable cluster overview page(disable-cluster-overview flag), the namespace overview request cluster scope access to several resources, not allowing to open correctly when using a strict kubeconfig file.

Namely we see that it tries to access secrets, roles, rolebindings from cluster scope. Especially we never would want to allow secrets cluster scope.

2021-07-27T06:59:20.554Z    WARN    objectstore/dynamic_cache.go:446    unable to start watcher %!(EXTRA string=failed to list *unstructured.Unstructured: secrets is forbidden: User "system:serviceaccount:octant:octant-sa" cannot list resource "secrets" in API group "" at the cluster scope)
2021-07-27T06:59:20.847Z    WARN    objectstore/dynamic_cache.go:446    unable to start watcher %!(EXTRA string=failed to list *unstructured.Unstructured: roles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:octant:octant-sa" cannot list resource "roles" in API group "rbac.authorization.k8s.io" at the cluster scope)
2021-07-27T06:59:20.847Z    WARN    objectstore/dynamic_cache.go:446    unable to start watcher %!(EXTRA string=failed to list *unstructured.Unstructured: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:octant:octant-sa" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope)

Describe the solution you'd like If disable-cluster-overview is enabled should never access cluster scope resources

Environment:

wwitzel3 commented 3 years ago

Thank you for opening this issue, this has been one of those long standing whack-a-mole things we've worked on and we haven't got quite right yet.

Right now, Octant cannot infer the access level. It would have to perform SelfSubjectAccessReview checks before making requests. So we opt for making the request and letting if fail with a warning.

That said, the fact that the overview is not loading properly for you is a bug. Even if Octant fails to watch resources due to RBAC restrictions this should not prevent loading the reasons the service account does have access to.

chelnak commented 3 years ago

I'm seeing this one too. Similar setup to the one described by OP.

I had a poke around the back end code to see if i could pin point where the issue was coming from (I couldn't). Then started to wonder if the WARNs about watchers were actually unrelated.

I noticed that from the front end we get the following from parseWebsocketMessage and thought it could be worth investigating:

{error: "action path \"action.octant.dev/setNamespace\" not found", requestType: "action.octant.dev/setNamespace"}

Does this seem legit or am I crossing wires?