Add support for users with namespace-scoped RBAC permissions

[mark-dessain-maersk]

For context, we have a company wide cluster whereby I am part of an application team with access to a single namespace. I have no permissions over any cluster wide settings or "all namespaces".

My service account only has access to list all name spaces and to run commands on my own namespace (in this case it is called "orbit").

Such that the following kubectl commands work as shown:

➜ kubectl get namespaces
NAME                        STATUS   AGE
...                         Active   627d
orbit                       Active   2y310d
abc                         Active   635d
...                         Active   635d

➜ kubectl get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:serviceaccounts:orbit-ci-sa" cannot list resource "pods" in API group "" at the cluster scope

➜ kubectl get pods --namespace abc
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:serviceaccounts:orbit-ci-sa" cannot list resource "pods" in API group "" in the namespace "abc"

➜ kubectl get pods --namespace orbit
NAME                                   READY   STATUS      RESTARTS      AGE
community-6d7695f448-vpm8d             1/1     Running     0             51d
...

The kukubetail logs --follow 'deployments/*' works perfectly fine but when I try and use the dashboard kubetail serve it fails to show anything.

The dashboard lists the sidebar counts but all other graphql calls fail.

---

Looking at the network request I can see that the requests for the sidebar which work include the namespace, where as the requests for the actual middle data do not include the namespace.

I assume this combined with my namespace only permissions causes it to fail.

The counters show due to this api call passing in the namespace - https://github.com/kubetail-org/kubetail/blob/main/dashboard-ui/src/pages/home.tsx#L811

However this api calls only pass in the context - https://github.com/kubetail-org/kubetail/blob/main/dashboard-ui/src/pages/home.tsx#L625C20-L631

---

I would dig deeper but my knowledge of typescript is limited.

I hope these details will be useful in helping you track down the underlying issue. I would love to give kubetail a try once this is resolved.

Happy to provide any further assistance if you need any extra input.

[amorey]

Thanks for the bug report! Currently the desktop app assumes you have access to all the namespaces but it should be fairly straightforward to modify it so it checks permissions first. I'll bump this to the top of our priority list.

In the mean time, you could install Kubetail into your namespace and run it in cluster-mode. I think this should work:

helm repo add kubetail https://kubetail-org.github.io/helm-charts/
helm repo update
helm install kubetail kubetail/kubetail \
  --namespace <NAMESPACE> \
  --set kubetail.allowedNamespaces={<NAMESPACE>} \
  --set kubetail.clusterAPI.enabled=false \
  --set kubetail.clusterAgent.enabled=false \
  --set kubetail.cli.enabled=false

Once it's installed you can access it with kubectl proxy or kubectl port-forward:

kubectl port-forward -n <NAMESPACE> svc/kubetail-dashboard 8080:8080