Provide documentation on role permissions needed #121

Open
tillepille opened this issue Jun 28, 2022 · 4 comments
Labels
documentation Improvements or additions to documentation help wanted Extra attention is needed

Comments

@tillepille

tillepille commented Jun 28, 2022

As a platform team, I would like to know how to craft a role for our developers so they can safely use kubecost via kubectl cost but can't break anything.

Also, I don't want to find it out by myself one step after the other by following the error messages, e.g.:

$ kubectl cost namespace
Error: failed to query allocation API: failed to port forward query: failed to get service pods: failed to get service kubecost-cost-analyzer in namespace kubecost: services "kubecost-cost-analyzer" is forbidden: User "aws:123456789:example-user" cannot get resource "services" in API group "" in the namespace "kubecost"

gz#2059

(related to Zendesk ticket #2059)

@Adam-Stack-PM Adam-Stack-PM added documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed and removed needs-triage enhancement New feature or request labels Jun 28, 2022
@Adam-Stack-PM

@michaelmdresser Any suggestions here?

@michaelmdresser
Contributor

Hi @tillepille, I'll do my best to help you out here. I'm not well-versed in Kubernetes access control, so I'll try to give you as much background as I can to help us find a solution. If we find room in our roadmap, we may be able to address this for you but it's likely that you'll find a solution before then.

On a role for your developers

First, I'll refer you to the "Implementation quirks" section of the README which has some extra information about how kubectl cost accesses Kubecost in your cluster. It either does a manual port-forward to a Kubecost Pod (default behavior), or proxies (--use-proxy) through the K8s API server. Both cases have different permissions requirements, but I think the error messages here are pretty clear. I have a few code point references that may help determine the necessary permissions.

Eyeballing the code, it looks like for port-forwarding you'll need:

For proxy queries, you'll need permissions for this usage of ProxyGet(), which is defined in the K8s source here -- I think developers will need access to the K8s API server in some way, but I'm not sure of the exact required permissions.

In either case, we would sincerely appreciate a contribution if you discover a good set of permissions that enable either approach.

On error messages

one step after the other when following the error messages

Unfortunately, I'm not sure if I can improve this situation much. Go error messages can be verbose, but I find that helpful in situations like this where we're trying to find out what failed and why. Each layer of error is important context.

get resource "services" in API group "" in the namespace "kubecost"

That's a starting point for determining roles, and matches up with the Services.Get() callout I made earlier! So at least we're on the right track.
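
As an added example (not from this issue, and not the kubecost project's own manifest), here is a namespaced Role and RoleBinding a platform team could start from for the port-forward path. The only permission the issue itself confirms is `get` on `services` in the `kubecost` namespace, taken from the error in the first comment and the Services.Get() call mentioned above. The Pod and `pods/portforward` rules are assumptions based on how Kubernetes authorizes port-forwarding in general, and the `services/proxy` rule is an assumption about what the `--use-proxy` path (ProxyGet()) needs. The role, binding and group names are placeholders.

```yaml
# Added example, not from the issue or the kubecost project:
# least-privilege Role for developers running `kubectl cost` against the
# kubecost-cost-analyzer Service in the "kubecost" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubecost-reader            # placeholder name
  namespace: kubecost
rules:
  # Confirmed by the error in the issue: the tool calls Services.Get() on
  # "kubecost-cost-analyzer". resourceNames limits the grant to that one Service.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["kubecost-cost-analyzer"]
    verbs: ["get"]
  # Assumption: port-forward mode resolves the Service to its backing Pods,
  # so the tool needs to read Pods in this namespace (read-only).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # Assumption: Kubernetes authorizes port-forwarding as "create" on the
  # pods/portforward subresource; no other write verb on Pods is needed.
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
  # Assumption: the --use-proxy path goes through the API server's
  # services/proxy subresource. Drop this rule if developers only port-forward.
  # (No resourceNames here: proxy requests can carry a "scheme:name:port"
  # resource name, which a plain Service name would not match.)
  - apiGroups: [""]
    resources: ["services/proxy"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubecost-reader-binding    # placeholder name
  namespace: kubecost
subjects:
  - kind: Group
    name: kubecost-developers      # placeholder group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: kubecost-reader
  apiGroup: rbac.authorization.k8s.io
```

Because both objects are namespaced, nothing is granted outside `kubecost`, and no verb allows creating, patching or deleting workloads, which is what "can't break anything" needs. Before handing it to developers, confirm each rule (and only those rules) from the developers' identity, for example `kubectl auth can-i create pods/portforward -n kubecost --as=<user> --as-group=<group>` and the same for `get services`; then run `kubectl cost namespace` under that identity and, if it still fails, the next layer of the Go error message names the exact resource and verb to add.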

@tillepille
Author

Thanks for your answer. I'll test based on your information, but only once #68 is resolved. I didn't test with my own cluster-admin account since we enabled the Okta integration on our instance, so I have to wait until then with testing.

@Adam-Stack-PM

@tillepille, thanks for this issue and your interest. We will be reviewing #68 with the engineering team as a candidate for an upcoming release.
