Cannot run with viewer role
tjun opened this issue · 4 comments
When querying APIs, it failed to list secrets
and cannot show the result.
When I try to run kubectl tree with the viewer role, I get the following error:
Error: error while querying api objects: listing resources failed (/v1, Resource=secrets):
secrets is forbidden: User "user@example.com" cannot list resource "secrets" in API group "" at the cluster scope: Required "container.secrets.list" permission.
Hi @tjun! I believe this could be solved by just updating your role to have list permissions on Secret
objects. Do you have permissions in your cluster to modify RBAC?
I think we’re talking about the GKE Viewer role here. Have you tried the “viewer” role in Kubernetes RBAC?
I suspect GKE Viewer doesn’t let the subject view Secrets in a cluster, for a good reason.
Thanks!
Have you tried the “viewer” role in Kubernetes RBAC?
Yes, I already have a viewer role in Kubernetes RBAC for the target namespace. I don't have a cluster-level viewer role.
I think kubectl-tree tries to fetch Secrets in other namespaces (default)?
Kubectl tree tries to retrieve every single API resource in your cluster.
In the future we might introduce an --ignore-inaccessible option (and log those failures as warnings), but for now we flat out fail.
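The failure mode described above, and the proposed --ignore-inaccessible behaviour, as an added example that is not kubectl-tree's own code. It simulates the cluster-scoped listing with a constructed fake (the subject may list pods and configmaps but is forbidden from listing secrets) and a hypothetical ForbiddenError type standing in for the 403 StatusError that client-go's apierrors.IsForbidden would detect; the listAll function, its parameters and the sample data are all assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ForbiddenError is a hypothetical stand-in for the 403 StatusError that
// client-go returns (the real check would be apierrors.IsForbidden). It is
// defined here only so the example runs offline without a cluster.
type ForbiddenError struct{ Resource string }

func (e *ForbiddenError) Error() string {
	return fmt.Sprintf("%s is forbidden: cannot list resource %q at the cluster scope", e.Resource, e.Resource)
}

// Lister lists one API resource at the cluster scope. In a real tool this
// would wrap a dynamic client; here it is whatever the caller passes in.
type Lister func(resource string) ([]string, error)

// listAll queries every resource in turn. With ignoreInaccessible=false any
// error aborts the whole walk, which is the "flat out fail" behaviour the
// thread describes. With ignoreInaccessible=true a forbidden resource is
// skipped and recorded as a warning, while any other error still aborts, so a
// transient API failure is not silently mistaken for a missing permission.
func listAll(resources []string, list Lister, ignoreInaccessible bool) (map[string][]string, []string, error) {
	objs := map[string][]string{}
	var warnings []string
	for _, r := range resources {
		items, err := list(r)
		if err != nil {
			var fe *ForbiddenError
			if ignoreInaccessible && errors.As(err, &fe) {
				warnings = append(warnings, fmt.Sprintf("skipping %s: %v", r, err))
				continue
			}
			return nil, nil, fmt.Errorf("listing resources failed (%s): %w", r, err)
		}
		objs[r] = items
	}
	return objs, warnings, nil
}

// fakeCluster is constructed sample data modelling the namespaced viewer in
// the thread: pods and configmaps list fine, secrets are forbidden cluster-wide.
func fakeCluster(resource string) ([]string, error) {
	switch resource {
	case "pods":
		return []string{"default/web-0"}, nil
	case "configmaps":
		return []string{"default/app-config"}, nil
	case "secrets":
		return nil, &ForbiddenError{Resource: "secrets"}
	}
	return nil, errors.New("unknown resource " + resource)
}

// allResources stands in for the full discovery result a real run would walk.
var allResources = []string{"pods", "configmaps", "secrets"}

func main() {
	_, _, err := listAll(allResources, fakeCluster, false)
	fmt.Println("strict mode:", err)

	objs, warns, err := listAll(allResources, fakeCluster, true)
	fmt.Println("lenient mode err:", err)
	for r, items := range objs {
		fmt.Printf("  %s: %v\n", r, items)
	}
	for _, w := range warns {
		fmt.Println("  warning:", w)
	}
}
```

The point of classifying the error rather than swallowing everything is that only the permission denial should degrade to a warning; a Secret list that fails for any other reason would otherwise be hidden from the user just as silently.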