Namespace-Level Permission Check if Cluster-level fail

[Jaguar-Kwok]

If a user lacks permission to access all pods at the cluster level, the system should attempt to verify the user's permissions at the namespace level. If the user has the necessary permissions, the relevant pods should be displayed, rather than presenting a 'no permission' message, especially the user have GET cluster-level namespace permission but not GET cluster-level pod permission.

[joaquimrocha]

@Jaguar-Kwok , if you do not have access for all namespaces, you can set up your accessible namespaces in the cluster settings.
Does this help your case?

[Jaguar-Kwok]

@joaquimrocha Thank you for your reply.
Yes, I am using the method mentioned. However the reason I would like to propose an enhancement is because currently, I have a group of users who need access to about 30 namespaces per cluster and across multiple clusters and URLs. Adding each namespace individually is time-consuming and cumbersome. To improve the user experience, I suggest implementing an automated namespace permission discovery or allowing the addition of multiple namespaces at once, using a semicolon (;) as the delimiter.

[joaquimrocha]

@Jaguar-Kwok , I see. Given that one may not have the permissions to list all namespaces, I am not sure an auto detection would work. But we can add the comma separated parsing.

Also, if you have a group of users that are using Headlamp, you can create a plugin that simply adds a certain list of namespaces as the allowed ones, so all users will have this list by default at least.
This can be done by setting the cluster settings with the allowed namespaces there. But maybe we can make this easier by exporting some of the helper functions to accomplish this.

[Garagoth]

I would definitely expect that if user CAN list all namespaces and CAN list pods in some of those namespaces then he can see only namespaces where he has any permissions and pods from those namespaces ass well.
Without any configuration from user like entering namespaces that he is supposed to see.

[Garagoth]

Also I think this is connected with #752.

[dal13002]

We are also having this problem. I understand we can ask users to set the accessible namespaces in the cluster settings but this is not the best user experience when a user has a lot of namespaces to manage. I know other dashboards, like Skooner (which I don't want to use since it doesn't seem like it is maintained anymore) require "List all namespaces" permissions for all users, which is reasonable since there is no other way to know what namespaces exist. But once the user uses "filter" to drill down to a specific namespace all the API calls are made using that namespace filter. I think headlamp has room to improve here. Basically, I believe headlamp works like this:

1. User with access to only "default" namespace + list all namespaces logs into headlamp
2. User goes to "Workloads" -> "Pods" tab. We see "Error: No permissions", which makes sense since he hasn't filtered
3. User selects "default" namespace under the namespace filter (which he can do since he sees all namespaces). Today, we still see "Error: No permissions" unless the user added "default" in accessible namespaces. We see in the network tab headlamp calls clusters/main/api/v1/pods even with the "default" namespace selected. If we add "default" namespace in the accessible namespaces, we see in the network tab headlamp calls /clusters/main/api/v1/namespaces/default/pods. I would like headlamp to call /clusters/main/api/v1/namespaces/default/pods just based on namespace filter and not related to accessible namespaces.

[dal13002]

@joaquimrocha just wondering if what I said makes sense or you see problems with the logic. I don't expect this to be a high priority to fix but just hoping to get some visibility on this and see if it is possible to implement this in the future