Can't access cluster: "User needs access to the namespaces resource" #23
Hi Daniel, A couple of questions:
Hi guiqui,
Nope. And I understand this is not an issue with K8studio per se. All other similar tools behave the same for me, e.g. k9s, OpenLens, etc. also don't allow me to access the cluster unless I assume the proper role before running those. I'd just love to see a better UI/UX for this use-case. For example when you detect this, why not pop up a dialog that asks the user "Seems like your current AWS user is not allowed to access this cluster. Would you like to assume a different IAM role to access this cluster?" and then have a list of available roles (if you somehow can get this from ~/.aws/credentials maybe) or have an input box that lets the user enter the role's name. Or maybe have a config option somewhere where I can add AWS roles and present those in a dropdown in the popup or something. Good idea or not, I'll let you decide.
```
$ aws sts get-caller-identity
{
    "UserId": "Axxxx",
    "Account": "1xxxx",
    "Arn": "arn:aws:iam::1xxx:user/daniel"
}
$ kubectl auth can-i --list
Warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]
```

That being said, I work with 4 different clusters, 2 in AWS and 2 in GCP. The GCP ones can be accessed without issues.
The role policies are exactly the ones outlined here:
I hope this helps. Thanks for looking into it.
Often a role may have rights to a specific namespace, without access to the entire list.
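
An added example, not part of the thread or of K8studio's code: a small parser for `kubectl auth can-i --list` output that tells apart the situations discussed above (only the default discovery rules, as in the output Daniel posted; rights inside a namespace without the namespace list; cluster-wide namespace listing). The sample rows are constructed in the shape of the posted output, and the three category names are assumptions of this example.

```python
import re

# Constructed sample, shaped like the `kubectl auth can-i --list` output in the thread.
SAMPLE = """\
Warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]
                                                [/version]          []               [get]
"""
# Constructed: same identity once a namespace-scoped rule on pods applies.
SCOPED = SAMPLE + "pods   []   []   [get list watch]\n"

# One rule per row: optional resource name, then three bracketed lists.
ROW = re.compile(r"^\s*([^\s\[]*)\s*\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s*$")


def parse_rules(output):
    """Return (resource, non_resource_urls, resource_names, verbs) per rule row."""
    rules = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:  # header, warning and blank lines do not match
            res, urls, names, verbs = m.groups()
            rules.append((res, urls.split(), names.split(), verbs.split()))
    return rules


def can_list_namespaces(rules):
    """True if some rule grants list (or *) on namespaces, not limited by name."""
    return any(
        res in ("namespaces", "*", "*.*") and not names and {"list", "*"} & set(verbs)
        for res, _urls, names, verbs in rules
    )


def classify(output):
    """Hypothetical categories a client could use to pick its namespace UI."""
    rules = parse_rules(output)
    if can_list_namespaces(rules):
        return "cluster-wide"
    # Ignore the self-review rules; any other resource rule means some
    # in-namespace access, so the user should be asked for namespace names.
    scoped = [r for r in rules if r[0] and not r[0].startswith("selfsubject")]
    return "namespace-scoped" if scoped else "discovery-only"
```

A "discovery-only" result matches the posted output, where the fix is on the identity side (assuming the role first); "namespace-scoped" is the case where a manually entered namespace list is the right fallback.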
Hi,
Installed the latest alpha (0.2.2-alpha) and trying to access one of my clusters (EKS on AWS) and all I get is this popup:
Clicking on the "edit the accessible namespaces" button does nothing.
More information:
~/.aws/credentials file has no access to the cluster
aws sts assume-role --role-arn ... before using helm, eksctl, kubectl, etc.

Any ideas? I understand this is still very much alpha software, so bugs are to be expected, although this could also be an issue on my side.
Let me know if you need more information. Thanks.