evanlucas / fish-kubectl-completions

kubectl completions for fish shell


Custom resource name completion doesn't work for non-cluster-admins

morozov opened this issue · comments

As a non-cluster-admin, I have to disable custom resource name completion via set FISH_KUBECTL_COMPLETION_COMPLETE_CRDS 0. Otherwise, completion doesn't work due to the internal:

Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "user@example.com" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

As far as I understand the API, granting mere humans access to CRDs requires an additional cluster role like:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readcrds
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list

On the other hand, as a non-cluster-admin, I have access to kubectl api-resources whose output contains the out-of-the-box and custom resources:

$ kubectl api-resources

NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
configmaps                        cm                                          true         ConfigMap
...
customresourcedefinitions         crd,crds     apiextensions.k8s.io           false        CustomResourceDefinition
...
kafkabridges                      kb           kafka.strimzi.io               true         KafkaBridge
kafkaconnectors                   kctr         kafka.strimzi.io               true         KafkaConnector
kafkaconnects                     kc           kafka.strimzi.io               true         KafkaConnect
kafkaconnects2is                  kcs2i        kafka.strimzi.io               true         KafkaConnectS2I
kafkamirrormaker2s                kmm2         kafka.strimzi.io               true         KafkaMirrorMaker2
kafkamirrormakers                 kmm          kafka.strimzi.io               true         KafkaMirrorMaker
kafkas                            k            kafka.strimzi.io               true         Kafka
kafkatopics                       kt           kafka.strimzi.io               true         KafkaTopic
kafkausers                        ku           kafka.strimzi.io               true         KafkaUser

Would it make sense to reimplement __fish_kubectl_actually_get_crds via kubectl api-resources instead of kubectl get crd?

@morozov that could work. Want to try to put together a PR to utilize api-resources?

It turns out that kubectl api-resources is much (10+ times) slower than kubectl get crd since it does one API call per resource (46 in total in my case) instead of just one. I ended up hard-coding the missing types in the completion script for now. Not sure what other alternatives there are.

@morozov maybe we could add an env var that allows one to specify a comma-separated list of crds to include?

I'm no longer affected by this issue since I now have the permissions to run kubectl get crd. It was implemented as documented in the description.

If I were to implement a fix for this issue, an environment variable would be the best approach. But it looks like nobody else is affected by this issue.
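
The environment-variable fallback discussed in this thread, sketched as an added example; it is not code from fish-kubectl-completions or from any commenter. The variable FISH_KUBECTL_COMPLETION_EXTRA_CRDS and the `__example_*` function names are assumptions made for illustration. It keeps the single-call `kubectl get crd` path for users who have the permission and degrades to a user-supplied list for those who do not, so completion works without granting a cluster-scoped role.

```fish
# Added example; not code from fish-kubectl-completions.
# Assumed (hypothetical) names: FISH_KUBECTL_COMPLETION_EXTRA_CRDS, __example_*.

# Emit only entries that look like a Kubernetes resource name
# (lowercase DNS subdomain, e.g. kafkas.kafka.strimzi.io).
function __example_valid_crd_names
    for name in $argv
        set -l trimmed (string trim -- "$name")
        if string match -qr '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$' -- "$trimmed"
            echo $trimmed
        end
    end
end

function __example_get_crds
    # One API call; returns non-zero (Forbidden) for users who cannot
    # list customresourcedefinitions at the cluster scope.
    set -l crds (kubectl get crd -o name 2>/dev/null)
    set -l rc $status
    if test $rc -eq 0
        if set -q crds[1]
            # "customresourcedefinition.apiextensions.k8s.io/<name>" -> "<name>"
            string replace -r '^.*/' '' -- $crds
        end
        return 0
    end

    # No cluster-scoped access: fall back to the comma-separated list
    # supplied by the user, dropping anything that is not a plausible name.
    if set -q FISH_KUBECTL_COMPLETION_EXTRA_CRDS
        __example_valid_crd_names (string split , -- $FISH_KUBECTL_COMPLETION_EXTRA_CRDS)
    end
end

# Constructed usage:
#   set -gx FISH_KUBECTL_COMPLETION_EXTRA_CRDS kafkas.kafka.strimzi.io,kafkatopics.kafka.strimzi.io
#   __example_get_crds
```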