In the following steps a new context is created and used, where there's no current namespace. Furthermore the user is not allowed to list all namespaces nor inspect the current namespace (kubectl get namespace default fails) but it can be used to list pods within it (kubectl get pods -n default works).
Steps:
- ASSERT: use minikube
- EXEC: apply the following RBAC rules

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      # metadata.namespace is ignored for cluster-scoped kinds (ClusterRole, ClusterRoleBinding)
      namespace: default
      name: can-read-pods
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: read-pods
      namespace: default
    subjects:
    - kind: User
      name: user1
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: can-read-pods
      apiGroup: rbac.authorization.k8s.io
- EXEC: create a file user1.key with the following content:

    -----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
- EXEC: create a new user context and switch to it

    openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1"
    openssl x509 -req -in user1.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out user1.crt -days 500
    kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key
    kubectl config set-context user1-context --cluster=minikube --user=user1
    kubectl config use-context user1-context
Result:
I have no resource tree to work with. I am shown the 3 buttons to login, choose a context (where user1-context is not listed because it's the current one) or add an OpenShift cluster.

For the context:

    $ oc auth can-i get namespace
    no
    $ oc auth can-i get pod
    yes
    $ oc get namespaces
    Error from server (Forbidden): namespaces is forbidden: User "user1" cannot list resource "namespaces" in API group "" at the cluster scope
    $ oc get pod -n default
    NAME                           READY   STATUS             RESTARTS      AGE
    sise-deploy-69d88467b4-vhfsd   0/1     CrashLoopBackOff   94 (2m5s ago) 8h
Expected result:
I should be able to see the resource tree with the current namespace.
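Added example (not code from the reporter or the plugin): a namespace-resolution fallback a client could use against exactly the RBAC in this report, where the context sets no namespace, reading the namespace object is forbidden, but listing pods in `default` is allowed. The `can_i` oracle is a constructed stand-in for `kubectl auth can-i`, built from the ClusterRole rules above; `resolve_namespace` and its candidate list are hypothetical names.

```python
from typing import Callable, Optional

# The ClusterRole rules from the report, in the shape RBAC uses (constructed copy).
REPORT_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]

CanI = Callable[..., bool]


def can_i_from_cluster_rules(rules) -> CanI:
    """Build a can-i oracle for rules bound through a ClusterRoleBinding.

    A cluster-wide binding applies each rule in every namespace and at cluster
    scope, so the namespace argument never narrows the answer. This is an
    offline stand-in for `kubectl auth can-i`, not a call to the API server.
    """
    def can_i(verb: str, resource: str, namespace: Optional[str] = None) -> bool:
        return any(resource in r["resources"] and verb in r["verbs"] for r in rules)
    return can_i


def resolve_namespace(context_namespace: Optional[str], can_i: CanI,
                      candidates=("default",)) -> "tuple[Optional[str], str]":
    """Pick a namespace to display, degrading gracefully as permissions shrink."""
    if context_namespace:
        return context_namespace, "namespace set in kubeconfig context"
    # Ideal case: the namespace objects themselves are readable.
    if can_i("list", "namespaces") or can_i("get", "namespaces"):
        return candidates[0], "namespaces are readable; first candidate chosen"
    # The report's case: no namespace visibility at all, but pods are listable.
    for ns in candidates:
        if can_i("list", "pods", ns):
            return ns, f"cannot read namespace {ns!r}, but can list pods in it"
    return None, "no namespace is readable or usable; show the login/context chooser"


if __name__ == "__main__":
    print(resolve_namespace(None, can_i_from_cluster_rules(REPORT_RULES)))
```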