Skip to content

Prune with namespace requires access to api group "" #1689

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
Prune with namespace requires access to api group ""#1689
Labels
kind/bugCategorizes issue or PR as related to a bug.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.sig/cliCategorizes an issue or PR as relevant to SIG CLI.
@yoshivda

Description

@yoshivda
yoshivda
opened on Sep 23, 2024

What happened?

Our azure pipeline applies configurations to kubernetes with the Kubernetes@1 task using the apply command. This works fine, until I add prune -l tier=frontend as arguments. I see 2 error lines:

  1. Deprecated: kubectl apply will no longer prune non-namespaced resources by default when used with the --namespace flag in a future release. To preserve the current behaviour, list the resources you want to target explicitly in the --prune-allowlist flag.
  2. error pruning nonNamespaced object /v1, Kind=Namespace: namespaces is forbidden: User "" cannot list resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.

The first one is picked up as an error by Azure, but should only be a warning. The second one is where I'm at a loss: why do I need access to this?

What did you expect to happen?

Given an explicit namespace, prune only the resources with matching labels within that namespace, do not require access to anything outside of that

How can we reproduce it (as minimally and precisely as possible)?

task: Kubernetes@1
displayName: Deploy to kubernetes
inputs:
command: apply
arguments: --prune -l tier=frontend
namespace: test
(azure & kubernetes details...)

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.9", GitCommit:"d15213f69952c79b317e635abff6ff4ec81475f8", GitTreeState:"clean", BuildDate:"2023-12-19T13:41:13Z", GoVersion:"go1.20.12", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.9", GitCommit:"1c9860e7360c3f8147ae068e867eaab73b4a6257", GitTreeState:"clean", BuildDate:"2024-04-12T23:21:51Z", GoVersion:"go1.20.12", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

AKS

OS version

No response

Install tools

No response

Container runtime (CRI) and version (if applicable)

No response

Related plugins (CNI, CSI, ...) and versions (if applicable)

No response

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.sig/cliCategorizes an issue or PR as relevant to SIG CLI.

    Type

    No type

    Projects

    SIG CLI

    • Status

      Needs Triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions