Use fallbackAllowedNamespaces to watch pods

prashantrewar · Sep 12, 2022 · 2b8e038 · 2b8e038
1 parent 6f32136
commit 2b8e038
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 12 deletions.
diff --git a/pkg/kapp/resources/identified_resources_pods.go b/pkg/kapp/resources/identified_resources_pods.go
@@ -5,6 +5,7 @@ package resources
 
 import (
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -35,28 +36,34 @@ func (w UniquePodWatcher) Watch(podsToWatchCh chan corev1.Pod, cancelCh chan str
 	go func() {
 		// Watch Pods in all namespaces first and fallback to the
 		// fallbackAllowedNamespaces if lack of permission
-		namespace := ""
-		index := 0
-		for {
+		namespaces := []string{""}
+		namespaces = append(namespaces, w.fallbackAllowedNamespaces...)
+		var forbiddenNamespaces []string
+
+		for _, namespace := range namespaces {
 			podWatcher := NewPodWatcher(
 				w.coreClient.CoreV1().Pods(namespace),
 				metav1.ListOptions{LabelSelector: w.labelSelector.String()},
 			)
-
 			err := podWatcher.Watch(nonUniquePodsToWatchCh, cancelCh)
-			if err != nil {
-				if !errors.IsForbidden(err) {
-					fmt.Printf("Pod watching error: %s\n", err) // TODO
+			if err == nil {
+				if namespace == "" {
 					break
 				}
+				continue
 			}
-
-			if len(w.fallbackAllowedNamespaces) > index {
-				namespace = w.fallbackAllowedNamespaces[index]
-				index++
+			if !errors.IsForbidden(err) {
+				fmt.Printf("Pod watching error: %s\n", err) // TODO
+				break
+			}
+			if namespace != "" {
+				forbiddenNamespaces = append(forbiddenNamespaces, fmt.Sprintf(`"%s"`, namespace))
 			}
 		}
 
+		if len(forbiddenNamespaces) > 0 {
+			fmt.Printf(`Pod watching error: pods is forbidden: User cannot list resource "pods" in API group "" in the namespace(s) %s`, strings.Join(forbiddenNamespaces, ", "))
+		}
 		close(nonUniquePodsToWatchCh)
 	}()
 

diff --git a/test/e2e/fallback_allowed_ns_test.go b/test/e2e/fallback_allowed_ns_test.go
@@ -158,9 +158,13 @@ data:
 `, env.Namespace, testNamespace)
 
 	logger.Section("deploy app using scoped context", func() {
-		kapp.RunWithOpts([]string{"deploy", "-a", appName, "-f", "-", fmt.Sprintf("--kubeconfig-context=%s", scopedContext)},
+		out, _ := kapp.RunWithOpts([]string{"deploy", "-a", appName, "-f", "-", fmt.Sprintf("--kubeconfig-context=%s", scopedContext)},
 			RunOpts{StdinReader: strings.NewReader(yaml1)})
 
+		// Expect pod watching error for the fallback allowed namespaces as listing pods is not allowed.
+		require.Contains(t, out, fmt.Sprintf(`Pod watching error: pods is forbidden: User cannot list resource "pods" in API group "" in the namespace(s) "%s", "%s"`,
+			env.Namespace, testNamespace))
+
 		NewPresentClusterResource("configmap", "cm-1", env.Namespace, kubectl)
 		NewPresentClusterResource("configmap", "cm-2", testNamespace, kubectl)
 		NewPresentClusterResource("configmap", "cm-3", testNamespace, kubectl)