vmware-archive/octant

Use namespace scoped informers when namespaces-list is provided.

wwitzel3 opened this issue · 1 comments

When an explicit namespaces-list is provided to Octant, create namespace scoped informers instead of cluster scoped informers.

fixes #2687

To help facilitate reviews, here is YAML to create a service account scoped to reading pods only.

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-user
  namespace: default

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-user-view
  namespace: default
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
```

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $CA_DATA
    server: https://127.0.0.1:39567
  name: kind-kind

contexts:
- context:
    cluster: kind-kind
    namespace: default
    user: test-user
  name: kind-kind

current-context: kind-kind
kind: Config
preferences: {}

users:
- name: test-user
  user:
    token: $TOKEN
    client-key-data: $CA_DATA
```

where $TOKEN and $CA_DATA can be found under the secret test-user-token-____

The minimum expectation is that pods are visible. The navigation panel should also hide extraneous elements.
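
Added example (not part of the original post and not Octant's code): a simplified Go model of how RBAC evaluates a namespaced Role, showing why a cluster scoped informer cannot list/watch pods with the `pod-reader` Role above while a `default` scoped one can. The type and function names are hypothetical; only the rule values are taken from the Role on this page.

```go
package main

import "fmt"

// Rule mirrors one entry under `rules:` in the pod-reader Role.
type Rule struct{ APIGroups, Resources, Verbs []string }

// Role is a namespaced Role bound to a subject in that same namespace.
type Role struct {
	Namespace string
	Rules     []Rule
}

// Request is one API call; Namespace "" means "all namespaces".
type Request struct{ Namespace, APIGroup, Resource, Verb string }

func has(set []string, v string) bool {
	for _, s := range set {
		if s == v || s == "*" {
			return true
		}
	}
	return false
}

// Allowed models the RBAC property that a Role only authorizes requests
// made inside its own namespace, never cluster-wide ones.
func Allowed(role Role, r Request) bool {
	if r.Namespace == "" || r.Namespace != role.Namespace {
		return false
	}
	for _, rule := range role.Rules {
		if has(rule.APIGroups, r.APIGroup) && has(rule.Resources, r.Resource) && has(rule.Verbs, r.Verb) {
			return true
		}
	}
	return false
}

// CanSync reports whether an informer scoped to ns (or "" for cluster
// scope) may issue both the list and the watch call it needs to sync.
func CanSync(role Role, ns, group, resource string) bool {
	return Allowed(role, Request{ns, group, resource, "list"}) &&
		Allowed(role, Request{ns, group, resource, "watch"})
}

// PodReader holds the rule values of the pod-reader Role (constructed here).
var PodReader = Role{"default", []Rule{{[]string{""}, []string{"pods"}, []string{"get", "watch", "list"}}}}

func main() {
	fmt.Println(CanSync(PodReader, "", "", "pods"), CanSync(PodReader, "default", "", "pods"))
}
```

Against a real cluster the same checks can be made with `kubectl auth can-i list pods --as=system:serviceaccount:default:test-user`, with and without `-n default`.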