Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prune with namespace requires access to api group "" #1689

Open
yoshivda opened this issue Sep 23, 2024 · 8 comments
Open

Prune with namespace requires access to api group "" #1689

yoshivda opened this issue Sep 23, 2024 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/cli Categorizes an issue or PR as relevant to SIG CLI.

Comments

@yoshivda
Copy link

What happened?

Our azure pipeline applies configurations to kubernetes with the Kubernetes@1 task using the apply command. This works fine, until I add prune -l tier=frontend as arguments. I see 2 error lines:

  1. Deprecated: kubectl apply will no longer prune non-namespaced resources by default when used with the --namespace flag in a future release. To preserve the current behaviour, list the resources you want to target explicitly in the --prune-allowlist flag.
  2. error pruning nonNamespaced object /v1, Kind=Namespace: namespaces is forbidden: User "" cannot list resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.

The first one is picked up as an error by Azure, but should only be a warning. The second one is where I'm at a loss: why do I need access to this?

What did you expect to happen?

Given an explicit namespace, prune only the resources with matching labels within that namespace, do not require access to anything outside of that

How can we reproduce it (as minimally and precisely as possible)?

task: Kubernetes@1
displayName: Deploy to kubernetes
inputs:
command: apply
arguments: --prune -l tier=frontend
namespace: test
(azure & kubernetes details...)

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.9", GitCommit:"d15213f69952c79b317e635abff6ff4ec81475f8", GitTreeState:"clean", BuildDate:"2023-12-19T13:41:13Z", GoVersion:"go1.20.12", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.9", GitCommit:"1c9860e7360c3f8147ae068e867eaab73b4a6257", GitTreeState:"clean", BuildDate:"2024-04-12T23:21:51Z", GoVersion:"go1.20.12", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

AKS

OS version

No response

Install tools

No response

Container runtime (CRI) and version (if applicable)

No response

Related plugins (CNI, CSI, ...) and versions (if applicable)

No response
@yoshivda yoshivda added the kind/bug Categorizes issue or PR as related to a bug. label Sep 23, 2024
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 23, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@aojea
Copy link
Member

aojea commented Sep 23, 2024

if you execute the command with verbosity , per example -v 7 you can see the trace of the requests sent by kubectl

@yoshivda
Copy link
Author

yoshivda commented Sep 23, 2024
edited
Loading

That gives the following output:

I0923 08:39:47.618470 2728331 round_trippers.go:463] GET [servername].io:443/api/v1/namespaces?labelSelector=tier%3Dfrontend
I0923 08:39:47.618479 2728331 round_trippers.go:469] Request Headers:
I0923 08:39:47.618487 2728331 round_trippers.go:473] User-Agent: kubectl/v1.31.0 (linux/amd64) kubernetes/9edcffc
I0923 08:39:47.618492 2728331 round_trippers.go:473] Accept: application/json
I0923 08:39:47.622001 2728331 round_trippers.go:574] Response Status: 403 Forbidden in 3 milliseconds

@yoshivda
Copy link
Author

Adding an explicit --prune-allowlist gets rid of the error, why does it try to access different resources without that? I have access to all resources within the namespace, so I would not expect a permission error when providing that namespace

@neolit123
Copy link
Member

/sig cli

@k8s-ci-robot k8s-ci-robot added sig/cli Categorizes an issue or PR as relevant to SIG CLI. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 24, 2024
@Aaina26
Copy link

Aaina26 commented Sep 28, 2024

What happened?

Our azure pipeline applies configurations to kubernetes with the Kubernetes@1 task using the apply command. This works fine, until I add prune -l tier=frontend as arguments. I see 2 error lines:

  1. Deprecated: kubectl apply will no longer prune non-namespaced resources by default when used with the --namespace flag in a future release. To preserve the current behaviour, list the resources you want to target explicitly in the --prune-allowlist flag.
  2. error pruning nonNamespaced object /v1, Kind=Namespace: namespaces is forbidden: User "" cannot list resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.

The first one is picked up as an error by Azure, but should only be a warning. The second one is where I'm at a loss: why do I need access to this?

What did you expect to happen?

Given an explicit namespace, prune only the resources with matching labels within that namespace, do not require access to anything outside of that

How can we reproduce it (as minimally and precisely as possible)?

task: Kubernetes@1 displayName: Deploy to kubernetes inputs: command: apply arguments: --prune -l tier=frontend namespace: test (azure & kubernetes details...)

Anything else we need to know?

No response

Kubernetes version

Cloud provider

OS version

No response

Install tools

No response

Container runtime (CRI) and version (if applicable)

No response

Related plugins (CNI, CSI, ...) and versions (if applicable)

No response

The first error is actually a warning rather than an error. The command will get executed. The warning was added as part of this issue: kubernetes/kubernetes#110905. You can try using --prune-allowlist flag till this issue is resolved. You can refer to the following documentation for the same: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune

@pacoxu
Copy link
Member

pacoxu commented Dec 25, 2024

/transfer kubectl

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/kubernetes Dec 25, 2024
@pacoxu
Copy link
Member

pacoxu commented Dec 25, 2024

Is there a namespace in the yaml?

This may be caused by the default prune-allowlist which includes the namespace.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/cli Categorizes an issue or PR as relevant to SIG CLI.
Projects
SIG CLI
Status: Needs Triage
Milestone
No milestone
Development

No branches or pull requests
6 participants
@neolit123 @pacoxu @aojea @k8s-ci-robot @yoshivda @Aaina26