K9s: Document the RBAC permissions needed to run K9s

Created on 13 Mar 2019  ·  3 Comments  ·  Source: derailed/k9s

The Problem

Recently, we have begun work to ensure engineers only have the RBAC permissions they need to work with. We created the following powers, essentially letting them do what they like within their own Namespace:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: my-namespace
  name: developer
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]

When we tried to run K9s, we found that it would error out with the following:

panic: namespaces is forbidden: User "developer" cannot list namespaces at the cluster scope

goroutine 1 [running]:
github.com/derailed/k9s/views.mustK8s()
    /Users/fernand/go_wk/derailed/src/github.com/derailed/k9s/views/app.go:137 +0xcf
github.com/derailed/k9s/views.(*appView).Init(0xc0004a8090, 0x2291b04, 0x5, 0x2, 0xc00047ce70)
    /Users/fernand/go_wk/derailed/src/github.com/derailed/k9s/views/app.go:75 +0xb0
github.com/derailed/k9s/cmd.run(0x2e29da0, 0xc000078480, 0x0, 0x6)
    /Users/fernand/go_wk/derailed/src/github.com/derailed/k9s/cmd/root.go:114 +0x149
github.com/spf13/cobra.(*Command).execute(0x2e29da0, 0xc0000b4010, 0x6, 0x6, 0x2e29da0, 0xc0000b4010)
    /Users/fernand/go_wk/derailed/pkg/mod/github.com/spf13/[email protected]/command.go:766 +0x2cc
github.com/spf13/cobra.(*Command).ExecuteC(0x2e29da0, 0xc00000c0a0, 0xc000411f78, 0xc000411f88)
    /Users/fernand/go_wk/derailed/pkg/mod/github.com/spf13/[email protected]/command.go:852 +0x2fd
github.com/spf13/cobra.(*Command).Execute(0x2e29da0, 0x1a4, 0xc00000c0a0)
    /Users/fernand/go_wk/derailed/pkg/mod/github.com/spf13/[email protected]/command.go:800 +0x2b
github.com/derailed/k9s/cmd.Execute()
    /Users/fernand/go_wk/derailed/src/github.com/derailed/k9s/cmd/root.go:95 +0x2d
main.main()
    /Users/fernand/go_wk/derailed/src/github.com/derailed/k9s/main.go:21 +0x20

This resulted in us needing to add the following ClusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer-cluster-role
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]

At which point, K9s began to work.

Proposed Solution

It is already mentioned in the docs that if you don't have "enough RBAC fu" then K9s will not work. We should expand that section to include the permissions necessary for K9s to start up without an error. Beyond that, it's obviously a little complex since the functionality you can access will depend on your RBAC permissions.

bug
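
Added example, not part of the original issue or of K9s: a simplified Python model of Kubernetes RBAC rule matching, showing why the namespaced Role above cannot satisfy the cluster-scope "list namespaces" request from the panic while the ClusterRole can. The rules are transcribed from the two manifests in the issue; the bindings (a RoleBinding in my-namespace and a ClusterRoleBinding) are assumptions, since the issue does not show them.

```python
# Simplified model of Kubernetes RBAC rule matching (added example, not K9s code).
# Rules are transcribed from the two manifests in the issue; bindings are assumed.

ROLE = {"namespace": "my-namespace",          # Role "developer" + assumed RoleBinding
        "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]}
CLUSTER_ROLE = {"namespace": None,            # ClusterRole + assumed ClusterRoleBinding
                "rules": [{"apiGroups": [""], "resources": ["namespaces"],
                           "verbs": ["get", "watch", "list"]}]}


def _matches(patterns, value):
    """A rule field matches if it lists the value or the "*" wildcard."""
    return "*" in patterns or value in patterns


def rule_allows(rule, verb, group, resource):
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource))


def allowed(grants, verb, resource, group="", namespace=None):
    """Return True if any grant covers the request.

    namespace=None is a cluster-scope request, such as the
    "list namespaces" call in the panic message. A namespaced grant
    only applies to requests inside its own namespace; a grant with
    namespace=None applies to every scope.
    """
    for grant in grants:
        scope = grant["namespace"]
        if scope is not None and scope != namespace:
            continue  # a Role never covers another namespace or cluster scope
        if any(rule_allows(r, verb, group, resource) for r in grant["rules"]):
            return True
    return False


def startup_check(grants):
    """The request from the panic: list namespaces at the cluster scope."""
    return allowed(grants, "list", "namespaces")


if __name__ == "__main__":
    print("Role only:          ", startup_check([ROLE]))
    print("Role + ClusterRole: ", startup_check([ROLE, CLUSTER_ROLE]))
    print("delete namespaces:  ", allowed([ROLE, CLUSTER_ROLE], "delete", "namespaces"))
    print("apps/deployments:   ", allowed([ROLE], "list", "deployments", "apps", "my-namespace"))
```

The last line also shows that `apiGroups: [""]` covers only the core API group, so resources in other groups such as `apps` are outside this Role even inside my-namespace.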

All 3 comments

@ChrisCooney Thank you for reporting this! Great point!! I will document these expectations. I think there is much to explore here in terms of RBAC rules on the cluster. Alternatively, Chris, you can start K9s in that namespace for which you have access using --namespace fred. I think it should work but I do need to do more work here to limit switching ns once that is set. So please stay tuned...

If you can point me in the right direction, I'd be happy to contribute too @derailed. Open source and all that! :)

Thanks @ChrisCooney! Please see new README. Hopefully this helps and if not you can submit a PR and I will review it. Tx!!
