Allow to run on specific namespaces with restricted permission about krr HOT 16 CLOSED

Wonderful, thanks.

In general, we're figuring out how to better support enterprise environments (w/ limited permissions and organizational difficulties in actually getting KRR's recommendations applied after a scan). If you're open to it, would love to chat and get feedback on related areas.

from krr.

#48 I had a similar challenge so have opened a PR.

from krr.

Hello, I am not sure this is fully fixed,
Launching it today from a clone that includes this supposed fix commit, with command
python krr.py simple --namespace cclexploit-monitoring
I get the error below that shows that cluster scope requests are still made, here it's a get services which I am allowed on kubectl if i stay in my namespace.

ApiException: (403)
Reason: Forbidden
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services is forbidden: User \"https://xxx/dex#ecourreges\" cannot list
resource \"services\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"services"},"code":403}

from krr.

Can you try the lastest commit on #220?
I've added a fix for the HPA there.

Thanks for the patience!

from krr.

Update on this one: @mnbbrown has done a great job, but he did not sign the CLA so we can not merge it
We really hope he will come back, if not - we will make another PR

from krr.

same issue with me !!

from krr.

can someone merge the PR of @mnbbrown please

from krr.

Hey all, we'd really like to merge but like most open source projects, we require a CLA signature before we can merge.

@mnbbrown if you have questions regarding the CLA, let me know.

The PR needs some updating due to recent changes we made elsewhere, but we can handle that on our end.

from krr.

@aantn Yes if you cant handle it it will be a pleasure thanks to try it

from krr.

I got the same issue while listing resources for Services

from krr.

Encountering the same issue

from krr.

Does #220 fix this?

from krr.

Does #220 fix this?

It improves for sure compared to the main branch, now it does display the table of deployments for the namespace correctly, but it still tries to get HPA at cluster scope which is not allowed:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"horizontalpodautoscalers.autoscaling is forbidden: User
                    \"https://mysite.com/dex#myuser\" cannot list resource \"horizontalpodautoscalers\" in API group \"autoscaling\" at the cluster
                    scope","reason":"Forbidden","details":{"group":"autoscaling","kind":"horizontalpodautoscalers"},"code":403}

from krr.

Does #220 fix this?

It improves for sure compared to the main branch, now it does display the table of deployments for the namespace correctly, but it still tries to get HPA at cluster scope which is not allowed:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"horizontalpodautoscalers.autoscaling is forbidden: User
                    \"https://mysite.com/dex#myuser\" cannot list resource \"horizontalpodautoscalers\" in API group \"autoscaling\" at the cluster
                    scope","reason":"Forbidden","details":{"group":"autoscaling","kind":"horizontalpodautoscalers"},"code":403}

HPA detection is still broken on https://github.com/robusta-dev/krr/pull/220 (for now) but everything else should work

from krr.

Can you try the lastest commit on #220? I've added a fix for the HPA there.

Thanks for the patience!

Good job, it works for me with no error now!

from krr.

Wonderful, thanks.

In general, we're figuring out how to better support enterprise environments (w/ limited permissions and organizational difficulties in actually getting KRR's recommendations applied after a scan). If you're open to it, would love to chat and get feedback on related areas.

I sent you a message on linkedIn for follow-up, happy to help.

from krr.