Allow to run on specific namespaces with restricted permission #46

Closed
MrLuje opened this issue May 25, 2023 · 16 comments · Fixed by #122

Comments

@MrLuje

MrLuje commented May 25, 2023

Describe the bug
On the cluster I used, I don't have access to all namespaces.
Even if I specify my namespaces, it seems it tries to get the resources through a cluster-scoped API instead of a namespaced one.

To Reproduce
Steps to reproduce the behavior:

  1. Make sure you don't have access to all namespaces, ex:
     $ kubectl get po -A
     Error from server (Forbidden): pods is forbidden: User "u-wf3je4hm2h" cannot list resource "pods" in API group "" at the cluster scope
  2. krr simple -n my_namespace
  3. See error
     Running Robusta's KRR (Kubernetes Resource Recommender) 1.0.0
     Using strategy: Simple
     Using formatter: table

     [ERROR] Error trying to list pods in cluster k8s-prod: (403)
     Reason: Forbidden
     HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"deployments.apps is forbidden: User \"u-wf3je4hm2h\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope","reason":"Forbidden","details":{"group":"apps","kind":"deployments"},"code":403}

Expected behavior
It should be able to get the data if I have access to the specified namespace

Thanks for krr, it's awesome :)

@mnbbrown

#48 I had a similar challenge so have opened a PR.

@LeaveMyYard
Contributor

LeaveMyYard commented Jul 10, 2023

Update on this one: @mnbbrown has done a great job, but he did not sign the CLA, so we cannot merge it.
We really hope he will come back; if not, we will make another PR.

@ZodZekri

Same issue with me!!

@ZodZekri

Can someone merge the PR of @mnbbrown, please?

@aantn
Contributor

aantn commented Jul 17, 2023

Hey all, we'd really like to merge but like most open source projects, we require a CLA signature before we can merge.

@mnbbrown if you have questions regarding the CLA, let me know.

The PR needs some updating due to recent changes we made elsewhere, but we can handle that on our end.

@ZodZekri

@aantn Yes if you cant handle it it will be a pleasure thanks to try it

LeaveMyYard linked a pull request Aug 9, 2023 that will close this issue

@ecourreges-orange

Hello, I am not sure this is fully fixed.
Launching it today from a clone that includes this supposed fix commit, with the command
python krr.py simple --namespace cclexploit-monitoring
I get the error below, which shows that cluster-scope requests are still made; here it's a get services, which I am allowed on kubectl if I stay in my namespace.

ApiException: (403)
Reason: Forbidden
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services is forbidden: User \"https://xxx/dex#ecourreges\" cannot list resource \"services\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"services"},"code":403}

@saeidakbari

I got the same issue while listing resources for Services

@rohank07
Contributor

Encountering the same issue

@aantn
Contributor

aantn commented Mar 3, 2024

Does #220 fix this?

@ecourreges-orange

> Does #220 fix this?

It improves for sure compared to the main branch, now it does display the table of deployments for the namespace correctly, but it still tries to get HPA at cluster scope which is not allowed:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"horizontalpodautoscalers.autoscaling is forbidden: User \"https://mysite.com/dex#myuser\" cannot list resource \"horizontalpodautoscalers\" in API group \"autoscaling\" at the cluster scope","reason":"Forbidden","details":{"group":"autoscaling","kind":"horizontalpodautoscalers"},"code":403}

@rohank07
Contributor

rohank07 commented Mar 4, 2024

> Does #220 fix this?
>
> It improves for sure compared to the main branch, now it does display the table of deployments for the namespace correctly, but it still tries to get HPA at cluster scope which is not allowed:
>
> HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"horizontalpodautoscalers.autoscaling is forbidden: User \"https://mysite.com/dex#myuser\" cannot list resource \"horizontalpodautoscalers\" in API group \"autoscaling\" at the cluster scope","reason":"Forbidden","details":{"group":"autoscaling","kind":"horizontalpodautoscalers"},"code":403}

HPA detection is still broken on https://github.com/robusta-dev/krr/pull/220 (for now) but everything else should work

@aantn
Contributor

aantn commented Mar 5, 2024

Can you try the latest commit on #220?
I've added a fix for the HPA there.

Thanks for the patience!

@ecourreges-orange

> Can you try the latest commit on #220? I've added a fix for the HPA there.
>
> Thanks for the patience!

Good job, it works for me with no error now!

@aantn
Contributor

aantn commented Mar 5, 2024

Wonderful, thanks.

In general, we're figuring out how to better support enterprise environments (w/ limited permissions and organizational difficulties in actually getting KRR's recommendations applied after a scan). If you're open to it, would love to chat and get feedback on related areas.

@ecourreges-orange

> Wonderful, thanks.
>
> In general, we're figuring out how to better support enterprise environments (w/ limited permissions and organizational difficulties in actually getting KRR's recommendations applied after a scan). If you're open to it, would love to chat and get feedback on related areas.

I sent you a message on LinkedIn for follow-up, happy to help.
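
Added example, not part of the thread or KRR's code: a triage helper that reads 403 Status bodies like the ones quoted above, separates cluster-scope denials from namespaced ones, and lists the namespaced Role rules covering the same resources and verbs. The function names and the sample bodies are constructed for illustration.

```python
import json
import re

# Authorizer message format seen in the 403 bodies quoted in this thread.
DENIAL = re.compile(
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" (?:at the (?P<cluster>cluster) scope'
    r'|in the namespace "(?P<ns>[^"]+)")')

def parse_denial(body):
    """Return verb/resource/group/scope for a 403 Status body, else None."""
    try:
        status = json.loads(body)
    except ValueError:
        return None
    if not isinstance(status, dict) or status.get("code") != 403:
        return None
    m = DENIAL.search(str(status.get("message", "")))
    if m is None:
        return None
    return {"verb": m["verb"], "resource": m["resource"], "group": m["group"],
            "scope": "cluster" if m["cluster"] else "namespace",
            "namespace": m["ns"]}

def role_rules(bodies):
    """Namespaced Role rules covering every call that was denied cluster-wide."""
    verbs = {}
    for body in bodies:
        d = parse_denial(body)
        if d and d["scope"] == "cluster":
            verbs.setdefault((d["group"], d["resource"]), set()).add(d["verb"])
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(verbs.items())]

def sample(resource, group, where):
    # Constructed body in the shape quoted above; "example-user" is a placeholder.
    msg = (f'{resource} is forbidden: User "example-user" cannot list resource '
           f'"{resource}" in API group "{group}" {where}')
    return json.dumps({"kind": "Status", "status": "Failure", "message": msg,
                       "reason": "Forbidden", "code": 403})

SAMPLES = [
    sample("deployments", "apps", "at the cluster scope"),
    sample("services", "", "at the cluster scope"),
    sample("horizontalpodautoscalers", "autoscaling", "at the cluster scope"),
    sample("pods", "", 'in the namespace "other-ns"'),
]

if __name__ == "__main__":
    print(json.dumps(role_rules(SAMPLES), indent=2))
```

A non-empty result from `role_rules` on a run made with namespace-only credentials means the client still issued list calls at cluster scope, which is the behaviour reported in this issue.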
