
fix: properly work if listing ns is denied (#717) #725

Merged
merged 1 commit into from
Mar 19, 2024

@adietish adietish commented Mar 15, 2024

fixes #717

Steps:

  1. ASSERT: use minikube cluster
  2. ASSERT: have a file deployment.yml with the following content

     ```yaml
     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: sise-deploy
       labels:
     spec:
       replicas: 1
       selector:
         matchLabels:
           app: sise
       template:
         metadata:
           labels:
             app: sise
         spec:
           containers:
           - name: sise
             image: quay.io/openshiftlabs/simpleservice:0.5.0
             ports:
             - containerPort: 9876
             env:
             - name: SIMPLE_SERVICE_VERSION
               value: "0.9"
     ```

  3. EXEC: kubectl apply -f deployment.yml
  4. ASSERT: a pod sise-deploy-XXXX was created (kubectl get pod)
  5. EXEC: apply the following RBAC rules on minikube

     ```yaml
     kind: ClusterRole
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       namespace: default
       name: can-read-pods
     rules:
       - apiGroups: [""]
         resources: ["pods"]
         verbs: ["get", "watch", "list"]
     ---
     kind: ClusterRoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: read-pods
       namespace: default
     subjects:
       - kind: User
         name: user1
         apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: ClusterRole
       name: can-read-pods
       apiGroup: rbac.authorization.k8s.io
     ```

  6. EXEC: create a new user & context in kube config

     ```sh
     # user1.key must already exist; CN becomes the Kubernetes user name, O the group
     openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1"
     # sign the CSR with the minikube CA
     openssl x509 -req -in user1.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out user1.crt -days 500
     # register the credentials and a context that uses them
     kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key
     kubectl config set-context user1-context --cluster=minikube --user=user1
     ```

  7. EXEC: kubectl config use-context user1-context
  8. EXEC: launch plugin
  9. ASSERT: no current namespace is set ([user1-context] > Namespaces > current: <none>)
  10. ASSERT: listing namespaces is forbidden ([user1-context] > Namespaces > child-node: Forbidden!)
  11. ASSERT: no pods are listed ([user1-context] > Workloads > Pods: children are empty)
  12. EXEC: use Set Current Namespace in context menu to Namespaces, provide default in the upcoming dialog and confirm with the Set button

Result:
current namespace is now default ([user1-context] > Namespaces > current: default), Pod "sise-deploy-XXXX" is listed ([user1-context] > Workloads > Pods > sise-deploy-XXXX)
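
Why the namespace list is Forbidden while the pod becomes visible once the namespace is set by hand, as an added example that is not part of this PR or the plugin's code: a simplified model of RBAC rule matching applied to the ClusterRole and ClusterRoleBinding from the steps above. The function names are hypothetical and the model is not the Kubernetes authorizer.

```python
# Simplified RBAC matching (added example): resourceNames, subresources and
# namespaced Roles are not modelled.
# Constructed from the ClusterRole / ClusterRoleBinding in the steps above.
CLUSTER_ROLES = {
    "can-read-pods": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}
CLUSTER_ROLE_BINDINGS = [
    {"subjects": [{"kind": "User", "name": "user1"}], "roleRef": "can-read-pods"},
]


def _matches(allowed, value):
    """A rule field matches on an exact entry or on the '*' wildcard."""
    return "*" in allowed or value in allowed


def subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False


def can_i(user, groups, verb, api_group, resource):
    """RBAC is additive and deny-by-default: allow only if a bound rule matches."""
    for binding in CLUSTER_ROLE_BINDINGS:
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        for rule in CLUSTER_ROLES.get(binding["roleRef"], []):
            if (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)):
                return True
    return False


def access_report(user, groups):
    """Evaluate the requests relevant to this test scenario (hypothetical helper)."""
    checks = [("list", "", "namespaces"), ("list", "", "pods"),
              ("delete", "", "pods"), ("list", "apps", "deployments")]
    return {f"{v} {r}": can_i(user, groups, v, g, r) for v, g, r in checks}


if __name__ == "__main__":
    # With client-certificate auth, CN=user1 is the user name and O=group1 the group.
    for request, allowed in access_report("user1", ["group1"]).items():
        print(f"{request:18} {'allowed' if allowed else 'Forbidden'}")
```

On a live cluster, an admin context can ask the same questions with `kubectl auth can-i list namespaces --as user1`.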


@adietish adietish self-assigned this Mar 15, 2024
@adietish adietish force-pushed the issue-717 branch 2 times, most recently from b3f47f1 to b864d7b Compare March 18, 2024 11:12
Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@adietish adietish requested a review from datho7561 March 19, 2024 09:23
@adietish adietish marked this pull request as ready for review March 19, 2024 09:23
@adietish
Collaborator Author

@datho7561 this is to allow intellij-kubernetes to work properly if you have no current namespace in your config and your cluster won't allow you to list all namespaces. Sorry for the tedious setup required to replicate this. Thanks for testing it :)

Contributor

@datho7561 datho7561 left a comment

Works great for me!

@adietish
Collaborator Author

@datho7561 thanks a lot for testing it :)

@adietish adietish merged commit e241c49 into redhat-developer:main Mar 19, 2024
18 checks passed
@adietish adietish deleted the issue-717 branch March 19, 2024 13:47
Successfully merging this pull request may close these issues.

possibility to set namespaces manually when the autodiscover feature is disabled by the organization