portForwarding requires access outside developer's namespace #2599

Closed
ramukima opened this issue Aug 2, 2019 · 7 comments
Labels
area/portforward kind/bug Something isn't working priority/p1 High impact feature/bug.

ramukima commented Aug 2, 2019

Expected behavior

Resource search for port-forwarding must be scoped to the namespace specified in PortForwardResource.

Actual behavior

Failed to port forward with k8s RBAC error - User does not have access to view resource at Cluster level.

Information

  • Skaffold version: 0.34
  • Operating system: OSX
  • Contents of skaffold.yaml:
apiVersion: skaffold/v1beta13
kind: Config
build:
  artifacts:
  - image: <...>/simple-service
deploy:
  kubectl:
    manifests:
    - k8s/*
portForward:
- resourceType: Service
  resourceName: simple-service
  namespace: ramukima
  port: 8080
  localPort: 8080

Steps to reproduce the behavior

  1. Developer does not have access to CRUD any resource outside of his/her own namespace
  2. kubeconfig uses user's access token
  3. skaffold dev --port-forward

Example Reference requiring Cluster level access for resource lookup - https://github.com/GoogleContainerTools/skaffold/blob/master/pkg/skaffold/kubernetes/portforward/resource_forwarder.go#L109

ramukima changed the title from "portForwarding requires access outside my namespace" to "portForwarding requires access outside developer's namespace" Aug 2, 2019
balopat added the kind/bug (Something isn't working) and priority/p1 (High impact feature/bug.) labels Aug 2, 2019
@balopat
Contributor

balopat commented Aug 2, 2019

Thank you for filing this!
I agree, this should work - the following way: user should be able to narrow Skaffold to a namespace via the namespace setting (--namespace or SKAFFOLD_NAMESPACE env var) - however on that exact line we don't pass the namespace currently.
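The failure reported above and the unscoped lookup balopat describes, as an added example that is not part of the issue thread or Skaffold's code: a simplified model of Kubernetes RBAC scoping showing why a list request made without a namespace is denied for a user who holds only a namespace-scoped RoleBinding. The types, function names and the `developer` user are assumptions for illustration; the `ramukima` namespace is taken from the skaffold.yaml in the report.

```go
package main

import "fmt"

// Rule is a simplified RBAC rule: one verb on one resource type.
type Rule struct{ Verb, Resource string }

// Binding is a simplified RoleBinding or ClusterRoleBinding.
// Namespace == "" stands for a ClusterRoleBinding (applies cluster-wide).
type Binding struct {
	User      string
	Namespace string
	Rules     []Rule
}

// Authorize mirrors the RBAC scoping rule: a RoleBinding only matches
// requests made inside its own namespace. A request with namespace ""
// (list across all namespaces) can only be granted by a cluster-wide binding.
func Authorize(bs []Binding, user, verb, resource, namespace string) bool {
	for _, b := range bs {
		if b.User != user || (b.Namespace != "" && b.Namespace != namespace) {
			continue
		}
		for _, r := range b.Rules {
			if r.Verb == verb && r.Resource == resource {
				return true
			}
		}
	}
	return false
}

// DeveloperBindings is constructed sample data: a hypothetical user with
// read access to services and pods, but only in the "ramukima" namespace.
func DeveloperBindings() []Binding {
	return []Binding{{User: "developer", Namespace: "ramukima", Rules: []Rule{
		{"get", "services"}, {"list", "services"}, {"list", "pods"},
	}}}
}

func main() {
	bs := DeveloperBindings()
	// Lookup without a namespace: the cluster-level access the report hits.
	fmt.Println("list services, all namespaces:", Authorize(bs, "developer", "list", "services", ""))
	// Lookup scoped to the namespace given in PortForwardResource.
	fmt.Println("list services, ns=ramukima:", Authorize(bs, "developer", "list", "services", "ramukima"))
}
```

Passing the configured namespace to the lookup keeps the tool usable under a least-privilege RoleBinding, with no need to grant developers a ClusterRole.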

@balopat
Contributor

balopat commented Aug 2, 2019

Also related to #2502

@corneliusweig
Contributor

Also see #2495 (comment)

@tejal29 tejal29 self-assigned this Aug 12, 2019
@tejal29
Contributor

tejal29 commented Aug 12, 2019

Depends on #2640

@priyawadhwa
Contributor

Hey @ramukima we just merged #2651 which should fix this issue -- would you be able to test the bleeding edge binary and see if that solves your issue? Installation instructions can be found here

@ramukima
Author

@priyawadhwa Thank you for the fix. I tried it on my mac and it works perfectly fine. This issue can be marked fixed.

The only follow up question is -

Do I have to explicitly specify --port-forward to skaffold, even if I have a portForward resource specified in skaffold.yaml ?

@ramukima
Author

Never mind - https://skaffold.dev/docs/how-tos/portforward/ clearly specifies - "Port forwarding is set to false by default; it is enabled with the --port-forward flag. If this flag is not set, no port forwarding will occur". Closing this issue.
