ahmetb / kubectl-tree

kubectl plugin to browse Kubernetes object hierarchies as a tree 🎄 (star the repo if you are using)

Cannot run with viewer role

tjun opened this issue · comments

In querying APIs, failed to list secret and cannot show the result.

When I try to run kubectl tree with the viewer role, I get the following error:

Error: error while querying api objects: listing resources failed (/v1, Resource=secrets): 
secrets is forbidden: User "user@example.com" cannot list resource "secrets" in API group "" at the cluster scope: Required "container.secrets.list" permission.

Hi @tjun! I believe this could be solved by just updating your role to have list permissions on Secret objects. Do you have permissions in your cluster to modify RBAC?

I think we’re talking about GKE Viewer role here. Have you tried “viewer” role in Kubernetes rbac?

I suspect GKE Viewer doesn’t let the subject view Secrets in a cluster, for a good reason.

Thanks!

> Have you tried “viewer” role in Kubernetes rbac?

Yes, I already have a viewer role in Kubernetes rbac for the target namespace. I don't have a cluster-level viewer role.
I think kubectl-tree tries to fetch Secrets in another namespace (default)?

Kubectl tree tries to retrieve every single API resource in your cluster.

In the future we might introduce an --ignore-inaccessible option (and log those failures as warnings), but for now we flat out fail.
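
A preflight check for the situation discussed in this thread, as an added example that is not from the thread or from the kubectl-tree project: it reports which listable resource types the current user cannot list at cluster scope, which are the ones that would produce the "forbidden" error above. It assumes `kubectl` is on the PATH; `KUBECTL` is a hypothetical override variable introduced here, and the function name is also an assumption.

```shell
#!/bin/sh
# Added example: find the API resources the current user cannot list
# cluster-wide, using only "kubectl api-resources" and "kubectl auth can-i".
# KUBECTL is a hypothetical variable that lets the kubectl binary be swapped.
#
# Usage (after sourcing this file):  inaccessible_resources

inaccessible_resources() {
    kubectl_bin="${KUBECTL:-kubectl}"

    # Every resource type that supports the "list" verb, one per line,
    # in "resource" or "resource.group" form (e.g. secrets, deployments.apps).
    "$kubectl_bin" api-resources --verbs=list -o name | sort -u |
    while IFS= read -r resource; do
        [ -n "$resource" ] || continue

        # "auth can-i" prints yes/no and exits non-zero on "no";
        # --all-namespaces asks about listing across the whole cluster.
        answer=$("$kubectl_bin" auth can-i list "$resource" \
                     --all-namespaces 2>/dev/null </dev/null || true)

        # Anything other than an explicit "yes" is reported as inaccessible.
        [ "$answer" = "yes" ] || printf '%s\n' "$resource"
    done
}
```

An empty result means every listable resource type is readable at cluster scope for the current user.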