--gc-tag feature doesn't work if it cannot list all the things #189

mkmik · 2018-02-15T23:24:45Z

I'm using kubecfg update foo.jsonnet --gc-tag=bar in a cluster with RBAC enabled and with an account that can create and list (almost) all objects in a few namespaces, but it cannot list many resource types in most of the other namespaces (e.g. secrets).

In this scenario the kubecfg GC feature cannot be used at all because it fails hard when it tries to list all resources in all namespaces (by using metav1.NamespaceAll)

apiservices.apiregistration.k8s.io is forbidden: User "system:serviceaccount:toolchain-web:toolchain-web-svcaccount" cannot list apiservices.apiregistration.k8s.io at the cluster scope

(The same kind of error happens when using e.g. kubectl get secret --all-namespaces)

My deployment spans a handful of namespaces; the jsonnet resource specify in which namespaces each object goes.

I'd like to be able to use the GC in this scenario.

The text was updated successfully, but these errors were encountered:

mkmik mentioned this issue Feb 16, 2018

Make GC work also with RBAC #190

Closed

anguslees added the bug label Feb 19, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

--gc-tag feature doesn't work if it cannot list all the things #189

--gc-tag feature doesn't work if it cannot list all the things #189

mkmik commented Feb 15, 2018

--gc-tag feature doesn't work if it cannot list all the things #189

--gc-tag feature doesn't work if it cannot list all the things #189

Comments

mkmik commented Feb 15, 2018