[Bug]: Kubectl cnpg status forbidden for non cluster-admins #4522

Closed
4 tasks done
HaveFun83 opened this issue May 13, 2024 · 2 comments · Fixed by #4530
@HaveFun83

Is there an existing issue already for this bug?

  • I have searched for an existing issue, and could not find anything. I believe this is a new bug.

I have read the troubleshooting guide

  • I have read the troubleshooting guide and I think this is a new bug.

I am running a supported version of CloudNativePG

  • I have read the troubleshooting guide and I think this is a new bug.

Contact Details

No response

Version

older in 1.22.x

What version of Kubernetes are you using?

1.28

What is your Kubernetes environment?

Other

How did you install the operator?

Helm

What happened?

Kubectl plugin version: v1.23.1

When using "kubectl cnpg status" as namespaced admin the following error occurred

kubectl cnpg status -n db-test db-test  --as-group namespace-admin --as foobar
Error: while extracting PodDisruptionBudgetList: poddisruptionbudgets.policy is forbidden: User "foobar" cannot list resource "poddisruptionbudgets" in API group "policy" at the cluster scope

and no status is printed
Maybe a regression of #4319

Cluster resource

No response

Relevant log output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@smartbit

In my environment the above issue does not occur with plugin 1.22.1 or 1.22.2, and it does happen with plugin 1.22.3 and 1.23.1. It seems that it was a change between 1.22.2 and 1.22.3, as @HaveFun83 suggested; these are the changes in status.go between those releases.

leonardoce added a commit that referenced this issue May 15, 2024
In the kubectl plugin, when getting the list of PodDisruptionBudgets,
the code wasn't restricting the selection to the namespace where
the target Cluster resource has been created.

This patch fixes that, with the added benefit of restricting the set
of privileges needed by the user.

Fixes #4522

Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
cnpg-bot pushed a commit that referenced this issue May 15, 2024
In the kubectl plugin, when getting the list of PodDisruptionBudgets,
the code wasn't restricting the selection to the namespace where
the target Cluster resource has been created.

This patch fixes that, with the added benefit of restricting the set
of privileges needed by the user.

Fixes #4522

Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
(cherry picked from commit 7420aed)
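
The scoping problem described in the commit message above, modelled as an added example (not the plugin's code and not from the thread): a simplified stand-in for the Kubernetes RBAC check showing why an unscoped list fails for a namespaced admin while the same list restricted to the Cluster's namespace succeeds. The names Binding, Request, Authorize and ListPDBs are hypothetical, and the binding is a constructed sample.

```go
package main

import "fmt"

// Binding is a simplified RBAC grant (hypothetical type). Namespace == ""
// models a ClusterRoleBinding; otherwise a RoleBinding in that namespace.
type Binding struct {
	Namespace, Group, APIGroup, Resource, Verb string
}

// Request holds the attributes being authorized. Namespace == "" is a
// cluster-scope request, such as a list across all namespaces.
type Request struct {
	User, Group, Verb, APIGroup, Resource, Namespace string
}

// Authorize returns nil when some binding covers the request. A RoleBinding
// only covers requests made inside its own namespace.
func Authorize(bindings []Binding, r Request) error {
	for _, b := range bindings {
		if b.Group == r.Group && b.APIGroup == r.APIGroup && b.Resource == r.Resource &&
			b.Verb == r.Verb && (b.Namespace == "" || b.Namespace == r.Namespace) {
			return nil
		}
	}
	scope := "at the cluster scope"
	if r.Namespace != "" {
		scope = fmt.Sprintf("in the namespace %q", r.Namespace)
	}
	return fmt.Errorf("%s.%s is forbidden: User %q cannot %s resource %q in API group %q %s",
		r.Resource, r.APIGroup, r.User, r.Verb, r.Resource, r.APIGroup, scope)
}

// ListPDBs models the list call; namespace "" reproduces the unscoped list.
func ListPDBs(bindings []Binding, user, group, namespace string) error {
	return Authorize(bindings, Request{user, group, "list", "policy", "poddisruptionbudgets", namespace})
}

// Constructed sample: namespace-admin may list PDBs only inside db-test.
var sampleBindings = []Binding{{"db-test", "namespace-admin", "policy", "poddisruptionbudgets", "list"}}

func main() {
	fmt.Println("unscoped:", ListPDBs(sampleBindings, "foobar", "namespace-admin", ""))
	fmt.Println("scoped:  ", ListPDBs(sampleBindings, "foobar", "namespace-admin", "db-test"))
}
```

On a real cluster, the equivalent check is `kubectl auth can-i list poddisruptionbudgets.policy` with the same `--as`/`--as-group` flags, run once with `-n db-test` and once with `--all-namespaces`.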