Spinnaker with restricted namespace access

Submitted by ﹥>﹥吖頭↗ on 2019-12-24 11:29:24

Question


I am trying to set up Spinnaker with Kubernetes and am getting an error: user cannot list namespace.

I don't have access to list namespaces at cluster scope. Is it possible to set up and apply the hal configuration without access to list namespaces at cluster scope? If yes, please let me know the steps.

Below is the command output for reference:

hal deploy apply
+ Get current deployment
  Success
- Prep deployment
  Failure
Problems in default.provider.kubernetes.my-k8s-account:
! ERROR Unable to communicate with your Kubernetes cluster: Failure
  executing: GET at: https://<company>/api/v1/namespaces. Message:
  Forbidden! User apc doesn't have permission. namespaces is forbidden: User
  "system:anonymous" cannot list namespaces at the cluster scope..
? Unable to authenticate with your Kubernetes cluster. Try using
  kubectl to verify your credentials.

- Failed to prep Spinnaker deployment

$ kubectl get ns
No resources found.
Error from server (Forbidden): namespaces is forbidden: User "ds:uid:2319639648" cannot list namespaces at the cluster scope

Regards, Ajaz


Answer 1:


Short answer: no.

You can try to get your admin to give you access to a ClusterRole+RoleBinding that has access to namespaces read.

Something like this:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-reader
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-all-namespaces
subjects:
- kind: User
  name: your-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io



Answer 2:


You can do it without ClusterRole. Tested, works as expected.

See instruction.

Configure Spinnaker to install in Kubernetes

Important: This will by default limit your Spinnaker to deploying to the namespace specified. If you want to be able to deploy to other namespaces, either add a second cloud provider target or remove the --namespaces flag.

Use the Halyard hal command line tool to configure Halyard to install Spinnaker in your Kubernetes cluster

hal config deploy edit \
  --type distributed \
  --account-name ${ACCOUNT_NAME} \
  --location ${NAMESPACE}
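
A preflight for choosing between the two answers above, added here as an example that is not part of the original posts: it uses `kubectl auth can-i` to check whether the current credential can list namespaces at cluster scope and, if not, whether it has enough access inside one namespace to use a namespace-limited account. The function names and the `REQUIRED` permission list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Names can_i, missing_in_namespace,
# plan_account and REQUIRED are hypothetical.

# Constructed sample of namespace-scoped permissions to probe (an assumption,
# not Spinnaker's documented minimum); adjust to what your pipelines deploy.
REQUIRED="list:pods create:deployments.apps get:configmaps list:services"

# can_i VERB RESOURCE [NAMESPACE]: exit 0 if the current credential is allowed.
can_i() {
  if [ -n "${3:-}" ]; then
    kubectl auth can-i "$1" "$2" --namespace "$3" >/dev/null 2>&1
  else
    kubectl auth can-i "$1" "$2" >/dev/null 2>&1
  fi
}

# missing_in_namespace NAMESPACE: print the denied verb:resource pairs.
missing_in_namespace() {
  missing=""
  for pair in $REQUIRED; do
    can_i "${pair%%:*}" "${pair#*:}" "$1" || missing="$missing $pair"
  done
  echo "${missing# }"
}

# plan_account NAMESPACE: print cluster-wide, namespaced, or blocked:<pairs>.
plan_account() {
  if can_i list namespaces; then
    echo "cluster-wide"
    return 0
  fi
  denied=$(missing_in_namespace "$1")
  if [ -z "$denied" ]; then echo "namespaced"; else echo "blocked:$denied"; fi
}

# Usage: sh preflight.sh ACCOUNT NAMESPACE
if [ "$#" -eq 2 ]; then
  plan=$(plan_account "$2")
  case "$plan" in
    cluster-wide) echo "$1: credential can list namespaces; no restriction needed" ;;
    namespaced)   echo "hal config provider kubernetes account edit $1 --namespaces $2" ;;
    *)            echo "$1: ask for a Role in $2 granting ${plan#blocked:}" >&2; exit 1 ;;
  esac
fi
```

In the `namespaced` case the script only prints the `hal` command, so it can be reviewed before it is run.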


Source: https://stackoverflow.com/questions/52430241/spinnaker-with-restricted-namspace-access