
Unable to use Kubernetes Explorer without permission to read namespaces

Open horodchukanton opened this issue 3 years ago • 9 comments

Expected Behavior

According to https://github.com/GoogleCloudPlatform/cloud-code-intellij/issues/2697, the context's namespace should be used by default and I should see a list of deployments(/pods/replicasets?)

Actual Behavior

Plugin fails to build a list of available namespaces, because I don't have permission to list the namespaces. [Screenshot 2022-04-13 at 13 40 43]

Additional Information

  • IDE type: IntelliJ (e.g. IntelliJ, Pycharm):
  • IDE version: IntelliJ IDEA 2022.1 (Ultimate Edition) Build #IU-221.5080.210
  • Cloud Code version: 22.3.1-213
  • Cloud SDK:
    • Are you allowing the plugin to manage the Cloud SDK: yes
    • Version of the Cloud SDK: 381.0.0
  • Skaffold version: v1.36.1
  • Operating System: MacOS Monterey 12.3 (Intel)

Context definition in .kube/config

  contexts:
  - context:
      cluster: te[hidden].com
      namespace: shipping
      user: oidc
    name: te[hidden].com
  current-context: te[hidden].com

horodchukanton avatar Apr 13 '22 10:04 horodchukanton

Would be happy to share more information if necessary

horodchukanton avatar Apr 13 '22 10:04 horodchukanton

Hello. Just to confirm, when you run kubectl get namespaces you also get permission errors right? I think this is a limitation currently in our plugin that has come up before, and we will explore options to resolve this. cc @ivanporty in case I missed something.

etanshaul avatar Apr 13 '22 14:04 etanshaul

@etanshaul Yes, I receive the same error on CLI

[hidden]@MacBook-Pro ~ % kubectl get namespaces
Error from server (Forbidden): namespaces is forbidden: User "[hidden]" cannot list resource "namespaces" in API group "" at the cluster scope

And as in the mentioned issue (https://github.com/GoogleCloudPlatform/cloud-code-intellij/issues/2697), I can retrieve the namespace configured in the .kube/config

[hidden]@MacBook-Pro ~ % kubectl config view -o jsonpath='{.contexts[0].context.namespace}'
shipping

horodchukanton avatar Apr 13 '22 14:04 horodchukanton

Sounds good. thanks. I am going to leave this issue open to track progress here. We'll circle back with questions / updates.

etanshaul avatar Apr 13 '22 14:04 etanshaul

Update: Same error on latest version (22.4.1-213)

horodchukanton avatar Apr 15 '22 09:04 horodchukanton

Thanks for the report @horodchukanton! This is a limitation of our cluster explorer at the moment - we assume we can read namespaces in the cluster to proceed. We might be coming with the current context view only too sometime in the future - this should work for you - you can see your current context (and its namespace) resources, as long as you don't access other namespaces, right?

ivanporty avatar Apr 21 '22 15:04 ivanporty

@ivanporty Thanks for the response ) Yep, it will work for me

I understand that {.contexts[0].context.namespace} will work with a single namespace per context, and if I have permissions for two of them, I'll have to use separate contexts for each (if that's possible). But I'm not familiar enough with Kubernetes to suggest a better solution.

horodchukanton avatar Apr 21 '22 15:04 horodchukanton

UPD. This is how the Kubernetes plugin deals with the problem: [image]

horodchukanton avatar May 01 '22 10:05 horodchukanton

Thank you @horodchukanton, this is a good suggestion. We are planning to work on it some time soon to allow your use case in our Kubernetes Explorer, and post updates here in this issue.

ivanporty avatar May 02 '22 17:05 ivanporty
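
Added example, not part of the thread and not Cloud Code's implementation: one way a client can choose which namespaces to browse when the user's RBAC role is namespace-scoped, as discussed above. The function names are hypothetical; it reads the namespace of the current context with `--minify` instead of `.contexts[0]`, so it does not depend on the order of contexts in `.kube/config`.

```shell
#!/usr/bin/env bash
# Added example: namespace discovery that does not require cluster-scope
# "list namespaces" permission. Function names are hypothetical.

# Namespace of the *current* context. --minify restricts the view to the
# current context, unlike .contexts[0], which is just the first entry.
current_context_namespace() {
  local ns
  ns=$(kubectl config view --minify -o jsonpath='{..namespace}' 2>/dev/null) || ns=""
  # kubectl itself uses "default" when the context sets no namespace.
  printf '%s\n' "${ns:-default}"
}

# Prints one browsable namespace per line.
browsable_namespaces() {
  # `auth can-i` asks the API server whether the caller may perform the
  # action and exits non-zero when the answer is "no".
  if kubectl auth can-i list namespaces >/dev/null 2>&1; then
    kubectl get namespaces \
      -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
  else
    # Namespace-scoped user: fall back to the context's own namespace.
    current_context_namespace
  fi
}

# Check that a resource kind (e.g. pods) is listable in a namespace before
# querying it, so a Forbidden response is handled up front.
can_read_in_namespace() {
  kubectl auth can-i list "$1" --namespace "$2" >/dev/null 2>&1
}
```
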