iter8: `iter8ctl describe` does not work if caller does not have cluster wide permission
Describe the bug
`iter8ctl describe` should retrieve details of the latest experiment. However, it relies on cluster-wide access, so if a user has restricted access, the command fails.
To Reproduce
Observed in CIL environment where one is logged in as user.
$ iter8ctl describe
Error: experiments.iter8.tools is forbidden: User "IAM#cil1" cannot list resource "experiments" in API group "iter8.tools" at the cluster scope
Even restricted to a valid namespace, this fails:
$ iter8ctl describe -n staging-kalantar---us-ibm-com
Error: experiments.iter8.tools is forbidden: User "IAM#cil1" cannot list resource "experiments" in API group "iter8.tools" at the cluster scope
Even specifying the experiment is insufficient:
$ iter8ctl describe hello-experiment -n staging-kalantar---us-ibm-com
Error: experiments.iter8.tools is forbidden: User "IAM#cil1" cannot list resource "experiments" in API group "iter8.tools" at the cluster scope
Expected behavior
Should work even when role/rolebinding restricts access to single namespace. Suggest always look only in specified (`-n` option) or default namespace.
Kubernetes environment (please provide the following information): Observed in CIL environment. Not sure how to reproduce in local cluster.
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (15 by maintainers)
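The scope mismatch reported above, as an added example that is not part of the original issue or iter8ctl's own code: a simplified model of how Kubernetes RBAC authorizes a list request, showing why a grant bound in one namespace rejects a cluster-scope list but accepts a namespaced one. The `Grant` and `Request` types, the `get`/`list` verbs in the sample grant and the `scoped` switch are assumptions made for illustration.

```go
package main

import "fmt"

// Grant is a simplified RoleBinding plus its Role (assumed model): Subject may use
// Verbs on Resource, but only inside Namespace. "" models a ClusterRoleBinding.
type Grant struct {
	Subject, Namespace, APIGroup, Resource string
	Verbs                                  []string
}

// Request is one API call; Namespace "" is a list across all namespaces,
// which the API server authorizes "at the cluster scope".
type Request struct{ User, Verb, APIGroup, Resource, Namespace string }

// Allowed reports whether any grant authorizes the request.
func Allowed(grants []Grant, r Request) bool {
	for _, g := range grants {
		match := g.Subject == r.User && g.APIGroup == r.APIGroup && g.Resource == r.Resource
		// A namespaced grant covers that namespace only, never the cluster scope.
		inScope := g.Namespace == "" || g.Namespace == r.Namespace
		for _, v := range g.Verbs {
			if match && inScope && v == r.Verb {
				return true
			}
		}
	}
	return false
}

// ListRequest builds the list call behind a describe command. scoped=false models
// the reported behaviour (cluster-scope list even with -n); scoped=true the suggested one.
func ListRequest(user, ns string, scoped bool) Request {
	r := Request{User: user, Verb: "list", APIGroup: "iter8.tools", Resource: "experiments"}
	if scoped {
		r.Namespace = ns
	}
	return r
}

// Constructed sample: the reporter's user, bound in a single namespace.
var sample = []Grant{{"IAM#cil1", "staging-kalantar---us-ibm-com", "iter8.tools", "experiments", []string{"get", "list"}}}

func main() {
	for _, scoped := range []bool{false, true} {
		r := ListRequest("IAM#cil1", "staging-kalantar---us-ibm-com", scoped)
		fmt.Printf("scoped=%v namespace=%q allowed=%v\n", scoped, r.Namespace, Allowed(sample, r))
	}
}
```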
I am inclined to suggest we also allow a `--kubeconfig` option on iter8ctl; this is very common for kubernetes utilities… I’ll create separate issue for this.