error when used with restricted access rights about kail HOT 8 CLOSED

Looks like in later versions situation become even worse. I want my teams to be able to read logs this way:

kail -n personal-namespace -l 'app=proxy'

I already gave cluster scope permission to read namespaces, but, I think, since last version of kail it also want to read pods at cluster scope and the command above doesn't work anymore. It produces error like:

$ kail -n personal-namespace -l 'app=proxy'
ERRO[0000] client list: pods is forbidden: User "system:serviceaccount:default:superhero" cannot list resource "pods" in API group "" at the cluster scope  cmp=lister

Even tho user have permissions to read namespaces and to read pods in specified namespace.

I was able to reproduce the same error using command

kubectl get pod --all-namespaces

I think in latest versions kail was switched to this behaviour and it broke our usual workflow. Now I have to give people clusterscope permission to read all pods in my cluster and that is not something what I to do by any chance.

from kail.

Yeah it does not push down all of the constraints (you might add another --ns flag, for instance). Also, you can select for things which haven't been created yet - it needs to be able to listen for new resources.

That said, namespace might be a special case - it probably isn't necessary to list/watch namespaces since the ns name is in all of the objects. If this ends up being a big problem I can address it.

Try using this to prevent the namespace list:

./kail --context=dev  --svc=ns1/projector

from kail.

@slawo let me know if the workaround solves the issue. Thanks for the report!

from kail.

This is an issue for me as well:

❱ kail --pod=mah-pod --ns=my-namespace
ERRO[0000] client list: pods is forbidden: User "..." cannot list pods at the cluster scope  cmp=lister
ERRO[0000] lister error: client list: pods is forbidden: User "..." cannot list pods at the cluster scope  cmp=controller
kail: error: Unable to initialize data source

from kail.

Hey @wsargent. Long time no see! Hope you're doing well.

Did you try the workaround I posted?

kail --pod=my-namespace/mah-pod

from kail.

Oh hi Adam!

Same deal with namespace/mah-pod -- "cannot list pods at the cluster scope cmp=lister" and the same error with "cmp=controller"

from kail.

Thanks @wsargent! I'll take a look at this when I can.

from kail.

Same problem here when using Kail on an Openshift cluster :
kail: error: Can't connnect to kubernetes: namespaces is forbidden: User "stduser" cannot list namespaces at the cluster scope: User "stduser" cannot list all namespaces in the cluster

from kail.