Ksync init is failing due to connection problem

[alok87]

We have a shared kubernetes cluster for all the developers. We are trying out ksync with every developer having a namespace wise access to kubernetes cluster. Every developers laptop is configured with kubectl having access to only the namespace the developer is working on.

On doing ksync init with the developer laptop it fails with the below connection error.
But if I use default admin user (the one with user and password) , ksync init gets past "Cluster Connection"

I even tried giving the dev-user the complete admin role, ksync init still fails with the same error. Even when kubectl works !

I also tried passing --context=k8sl.XXX.com same error.

$ ksync init --context=k8sl.XXX.com
==== Preflight checks ====
Cluster Config                              ✓
Cluster Connection                          ✘
↳	Unable to contact the cluster for context (k8sl.XXX.com). Does 'kubectl --context=k8sl.practodev.com cluster-info' work?
FATA[0000] Fix errors and try again.

Dev user in kube config looks like below (which is not working)

users:
- name: alok.singh@practo.com
  user:
    auth-provider:
      config:
        client-id: XXX
        client-secret: XXX
        id-token: XXX
        refresh-token: 

Default admin user in kubeconfig which works

users:
- name: k8sl.XXX.com-basic-auth
  user:
    password: XXXX
    username: admin

• What exactly is run to check the connection?
• What is the access required by the kubernetes user for ksync to work locally from a developer laptop?

[alok87]

To find the exact error added the print here - https://github.com/vapor-ware/ksync/blob/762a8185daed28c13ada85a359b21cc662c608e8/pkg/ksync/doctor/kubernetes.go#L78

⣯ err= forbidden: User "alok87@XX.com" cannot get path "/"

1. What is the role user needs to have to access GET "/" ?
   Answer: https://stackoverflow.com/questions/56293202/rbac-roles-required-to-solve-cannot-get-path-for-a-user/56294025#56294025 Only a cluster admin can access "/" 😢

2. Should not we make the changes so that cluster connection can be tested without having to have the access of GET at path "/". As kubernetes is supposed to be shared by namespace as a convention?

3. Should i give a PR to not hide the errors. As a connection can fail because of many reasons and it is good to have the message displayed right on the users face of why it failed.

[timfallmk]

Ping @grampelberg on this too

[dindurthy]

We have a similar situation where the cluster is shared and engineers don't all have cluster admin. We got around this by having our CI system, which has cluster admin access, run the ksync init --local=false, and our engineers run ksync init --remote=false. The cli options are a bit non intuitive, in that ksync init --local=true will fail for engineers since it is implicitly running with --remote=true. Splitting those up into multiple commands might be nice.