Environments with selected Kubernetes Namespace should not require clusterroles to display resources
Proposal
We should consider using a text input when the user is not allowed to list the namespaces in the cluster.
- Update the namespace selector to add the possibility of a free text entry:
- Update the related error alert text:
You don't have permission to view all the namespaces in the cluster. If a namespace is not shown, you can still enter its name to select it.
Context
As per #421212, in order to select a namespace under the environment, the authorized user should have the ability to list all namespaces on the cluster, which requires the user to be assigned a ClusterRole with the respective permissions.
As a cluster administrator, I would like to have one agent per namespace & per environment. This agent should be allowed to manage resources only within this namespace. I would like to not give the agent access to Cluster-wide resources.
When I try to configure Kubernetes resources visualization for an environment, I wish to input a namespace. I wish to only see resources in this namespace. However, when I go to configure it, I receive Forbidden to access the cluster agent from this environment.
Error:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "namespaces is forbidden: User \"system:serviceaccount:gitlab-agent-k8s-install:agent-ns-sa\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "namespaces"
  },
  "code": 403
}
We should consider using a text input rather than a dropdown for such users if they are not allowed to list the namespaces in the cluster.
This feature is requested by a customer. For more information, check out this internal ticket.
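One way the proposed fallback could be decided on the client, as an added example that is not GitLab's code: a 403 Status on the namespace list switches the selector to free text, and the typed name is checked against the Kubernetes DNS-label rule before use. The function names, the mode values and the generic error text are hypothetical.

```javascript
// Added illustration; function and field names are hypothetical.
// Alert text taken from the proposal above.
const FORBIDDEN_ALERT =
  "You don't have permission to view all the namespaces in the cluster. " +
  'If a namespace is not shown, you can still enter its name to select it.';

// Kubernetes namespace names are RFC 1123 DNS labels: 1-63 characters,
// lowercase alphanumerics or '-', starting and ending with an alphanumeric.
const DNS_LABEL = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/;

function isValidNamespaceName(name) {
  return typeof name === 'string' && DNS_LABEL.test(name);
}

// Decide how the selector renders from the parsed body of the namespace list call.
function resolveNamespaceSelector(body) {
  if (body && body.kind === 'NamespaceList' && Array.isArray(body.items)) {
    return {
      mode: 'dropdown',
      namespaces: body.items.map((item) => item.metadata.name),
      alert: null,
    };
  }
  const forbiddenList =
    body && body.kind === 'Status' && body.code === 403 &&
    body.details && body.details.kind === 'namespaces';
  if (forbiddenList) {
    // The agent's service account has no cluster-scoped list permission:
    // keep the selector usable, but only through validated free text.
    return { mode: 'freeText', namespaces: [], alert: FORBIDDEN_ALERT };
  }
  // Any other failure (401, 5xx, malformed body) is a real error, not a cue
  // to accept arbitrary input. The message below is a hypothetical placeholder.
  return { mode: 'error', namespaces: [], alert: 'Unable to load namespaces.' };
}

// Constructed sample: the 403 Status from the issue, message shortened.
const sampleForbidden = {
  kind: 'Status', apiVersion: 'v1', metadata: {}, status: 'Failure',
  message: 'namespaces is forbidden', reason: 'Forbidden',
  details: { kind: 'namespaces' }, code: 403,
};

console.log(resolveNamespaceSelector(sampleForbidden).mode);
console.log(isValidNamespaceName('team-a'), isValidNamespaceName('../kube-system'));
```

Only the specific "cannot list namespaces" 403 triggers the free-text mode, so authentication failures and server errors still surface as errors instead of silently accepting arbitrary input.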