kubeconfig: remove default namespace from crc-developer context
the 'developer' user doesn't have the required role-bindings to access
the 'default' namespace, and when the user tries to access it we get:

```
Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "default"
```
with the changes in this commit, we get a better error message:

```
$ oc config get-contexts
CURRENT   NAME            CLUSTER                AUTHINFO                         NAMESPACE
          crc-admin       api-crc-testing:6443   kubeadmin/api-crc-testing:6443   default
*         crc-developer   api-crc-testing:6443   developer/api-crc-testing:6443

$ oc project
No project has been set. Pass a project name to make that the default.

$ oc project demo
error: You are not a member of project "demo".
You are not a member of any projects. You can request a project to be created with the 'new-project' command.
```

fixes crc-org/snc#703
anjannath committed Nov 4, 2024
1 parent 0342835 commit aaf0e2e
Showing 2 changed files with 23 additions and 12 deletions.
8 changes: 4 additions & 4 deletions pkg/crc/machine/kubeconfig.go
@@ -72,15 +72,15 @@ func writeKubeconfig(ip string, clusterConfig *types.ClusterConfig, ingressHTTPS
if err != nil {
return err
}
if err := addContext(cfg, clusterConfig.ClusterAPI, adminContext, "kubeadmin", kubeadminToken); err != nil {
if err := addContext(cfg, clusterConfig.ClusterAPI, adminContext, "kubeadmin", kubeadminToken, "default"); err != nil {
return err
}

developerToken, err := getTokenForUser("developer", "developer", ip, ca, clusterConfig, ingressHTTPSPort)
if err != nil {
return err
}
if err := addContext(cfg, clusterConfig.ClusterAPI, developerContext, "developer", developerToken); err != nil {
if err := addContext(cfg, clusterConfig.ClusterAPI, developerContext, "developer", developerToken, ""); err != nil {
return err
}

@@ -142,7 +142,7 @@ func hostname(clusterAPI string) (string, error) {
return strings.ReplaceAll(h, ".", "-"), nil
}

func addContext(cfg *api.Config, clusterAPI, context, username, token string) error {
func addContext(cfg *api.Config, clusterAPI, context, username, token, namespace string) error {
host, err := hostname(clusterAPI)
if err != nil {
return err
@@ -160,7 +160,7 @@ func addContext(cfg *api.Config, clusterAPI, context, username, token string) er
cfg.Contexts[context] = &api.Context{
Cluster: host,
AuthInfo: clusterUser,
Namespace: "default",
Namespace: namespace,
}
return nil
}
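Review bot: The empty string passed for the developer context in writeKubeconfig (`addContext(cfg, clusterConfig.ClusterAPI, developerContext, "developer", developerToken, "")`) carries the whole intent of the change but is explained neither at the call site nor on addContext. A comment such as `// developer has no role binding in "default"; leave the namespace unset so no project is preselected` above that call, plus a doc line on addContext saying that an empty namespace leaves the context's Namespace field unset, would keep a later edit from quietly restoring "default". Clients built on client-go generally fall back to the "default" namespace when a context carries none, so commands other than `oc project` may still return the Forbidden error quoted in the description; that is worth confirming before relying on the new behaviour. writeKubeconfig starts and ends outside the hunk.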
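--- a/pkg/crc/machine/kubeconfig_test.go
+++ b/pkg/crc/machine/kubeconfig_test.go
@@ -160,29 +160,40 @@ func Test_addContext(t *testing.T) {
 username string
 context string
 token string
+namespace string
 }
 
+type expected struct {
+user string
+namespace string
+}
+
 tests := []struct {
 in input
-expected string
+expected expected
 }{
 {
-input{"https://abcdd.api.com", "foo", "foo@abcdd", "secretToken"},
-"foo/abcdd-api-com",
+input{"https://abcdd.api.com", "foo", "foo@abcdd", "secretToken", "kube-system"},
+expected{"foo/abcdd-api-com", "kube-system"},
 },
+{
+input{"https://api.crc.testing:6443", "kubeadmin", "kubeadm", "secretToken", "default"},
+expected{"kubeadmin/api-crc-testing:6443", "default"},
+},
 {
-input{"https://api.crc.testing:6443", "kubeadmin", "kubeadm", "secretToken"},
-"kubeadmin/api-crc-testing:6443",
+input{"https://api.crc.testing:6443", "kubeadmin", "kubeadm", "secretToken", ""},
+expected{"kubeadmin/api-crc-testing:6443", ""},
 },
 }
 
 cfg := api.NewConfig()
 
 for _, tt := range tests {
-err := addContext(cfg, tt.in.clusterAPI, tt.in.context, tt.in.username, tt.in.token)
+err := addContext(cfg, tt.in.clusterAPI, tt.in.context, tt.in.username, tt.in.token, tt.in.namespace)
 assert.NoError(t, err)
 assert.Contains(t, cfg.Contexts, tt.in.context, "Expected context not found")
-assert.Contains(t, cfg.AuthInfos, tt.expected, "Expected AuthInfo not found")
-assert.Contains(t, cfg.AuthInfos[tt.expected].Token, tt.in.token, "Expected token not found")
+assert.Equal(t, cfg.Contexts[tt.in.context].Namespace, tt.expected.namespace, "Expected namespace not found")
+assert.Contains(t, cfg.AuthInfos, tt.expected.user, "Expected AuthInfo not found")
+assert.Contains(t, cfg.AuthInfos[tt.expected.user].Token, tt.in.token, "Expected token not found")
 }
 }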
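Review bot: The new namespace assertion passes its arguments in the opposite order to testify's `assert.Equal(t, expected, actual)`, so a failure would report the expected and actual values swapped; `assert.Equal(t, tt.expected.namespace, cfg.Contexts[tt.in.context].Namespace, "Expected namespace not found")` reads correctly. The second and third cases also share the context name "kubeadm" and the same cfg, so the third overwrites the entry the second created. That passes only because each case is asserted inside the loop, and calling `api.NewConfig()` per case would make the cases independent. Test_addContext begins before the hunk.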
