Custom resource name completion doesn't work for non-cluster-admins
morozov opened this issue · comments
As a non-cluster-admin, I have to disable custom resource name completion via set FISH_KUBECTL_COMPLETION_COMPLETE_CRDS 0. Otherwise, completion doesn't work due to the internal:
Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "user@example.com" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
As far as I understand the API, granting mere humans access to CRDs requires an additional cluster role like:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readcrds
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
On the other hand, as a non-cluster-admin, I have access to kubectl api-resources, whose output contains the out-of-the-box and custom resources:
$ kubectl api-resources
NAME                        SHORTNAMES   APIGROUP               NAMESPACED   KIND
configmaps                  cm                                  true         ConfigMap
...
customresourcedefinitions   crd,crds     apiextensions.k8s.io   false        CustomResourceDefinition
...
kafkabridges                kb           kafka.strimzi.io       true         KafkaBridge
kafkaconnectors             kctr         kafka.strimzi.io       true         KafkaConnector
kafkaconnects               kc           kafka.strimzi.io       true         KafkaConnect
kafkaconnects2is            kcs2i        kafka.strimzi.io       true         KafkaConnectS2I
kafkamirrormaker2s          kmm2         kafka.strimzi.io       true         KafkaMirrorMaker2
kafkamirrormakers           kmm          kafka.strimzi.io       true         KafkaMirrorMaker
kafkas                      k            kafka.strimzi.io       true         Kafka
kafkatopics                 kt           kafka.strimzi.io       true         KafkaTopic
kafkausers                  ku           kafka.strimzi.io       true         KafkaUser
Would it make sense to reimplement __fish_kubectl_actually_get_crds via kubectl api-resources instead of kubectl get crd?
@morozov that could work. Want to try to put together a PR to utilize api-resources?
It turns out that kubectl api-resources is much (10+ times) slower than kubectl get crd since it does one API call per resource (46 in total in my case) instead of just one. I ended up hard-coding the missing types in the completion script for now. Not sure what other alternatives there are.
@morozov maybe we could add an env var that allows one to specify a comma separated list of crds to include?
I'm no longer affected by this issue since I now have the permissions to run kubectl get crd. It was implemented as documented in the description.
If I were to implement a fix for this issue, an environment variable would be the best approach. But it looks like nobody else is affected by this issue.
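The fallback order discussed in this thread, as an added example that is not code from the completion script or from any participant: an explicit comma-separated list first, then kubectl get crd only if RBAC allows it, then kubectl api-resources. It is written in POSIX shell rather than fish, and CRD_COMPLETION_NAMES and crd_names_for_completion are hypothetical names.

```sh
#!/bin/sh
# Added example. CRD_COMPLETION_NAMES and crd_names_for_completion are
# hypothetical names, not part of the completion script.

# Print one resource name per line for use as completion candidates.
crd_names_for_completion() {
    # 1. Explicit comma-separated list: no API call, no extra RBAC needed.
    if [ -n "${CRD_COMPLETION_NAMES:-}" ]; then
        printf '%s\n' "$CRD_COMPLETION_NAMES" | tr ',' '\n' |
            sed 's/^ *//; s/ *$//; /^$/d'
        return 0
    fi

    # 2. Ask the API server whether listing CRDs is allowed before trying,
    #    so a Forbidden error never reaches the completion output.
    if kubectl auth can-i list \
        customresourcedefinitions.apiextensions.k8s.io >/dev/null 2>&1; then
        # "-o name" prints "<type>.<group>/<crd name>"; keep the CRD name.
        kubectl get crd -o name 2>/dev/null | sed 's|^.*/||'
        return 0
    fi

    # 3. Discovery fallback: works without the extra ClusterRole, but is the
    #    slow path reported in the thread. The result is every
    #    group-qualified resource, which is a superset of the CRDs.
    kubectl api-resources -o name 2>/dev/null | grep '\.' || true
}
```

With this order the read-only ClusterRole on customresourcedefinitions stays optional: users without it still get candidates, and no one needs broader rights just for completion.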