This repository has been archived by the owner on Oct 3, 2020. It is now read-only.

ClusterRole vs namespaced permissions #60

Open
universam1 opened this issue Mar 11, 2020 · 4 comments

Comments

@universam1

universam1 commented Mar 11, 2020

Looks like kube-janitor is expecting ClusterRole-level permissions.

However, for our least-privilege approach we cannot grant ClusterRole-level permissions.
@hjacobs, could namespace-limited access via a Role be supported instead?

```
2020-03-11T15:53:13.726691299Z requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://10.100.0.1:443/api/v1/namespaces
2020-03-11T15:53:23.731598165Z 2020-03-11 15:53:23,731 DEBUG: Starting new HTTPS connection (1): 10.100.0.1
2020-03-11T15:53:23.73769914Z 2020-03-11 15:53:23,737 DEBUG: https://10.100.0.1:443 "GET /api/v1/namespaces HTTP/1.1" 403 297
2020-03-11T15:53:23.738242474Z 2020-03-11 15:53:23,737 ERROR: Failed to clean up: 403 Client Error: Forbidden for url: https://10.100.0.1:443/api/v1/namespaces
2020-03-11T15:53:23.738259476Z Traceback (most recent call last):
2020-03-11T15:53:23.738264047Z   File "/kube_janitor/main.py", line 66, in run_loop
2020-03-11T15:53:23.738267899Z     clean_up(
2020-03-11T15:53:23.738271363Z   File "/kube_janitor/janitor.py", line 279, in clean_up
2020-03-11T15:53:23.738274853Z     for namespace in Namespace.objects(api):
2020-03-11T15:53:23.738278123Z   File "/usr/local/lib/python3.8/site-packages/pykube/query.py", line 196, in __iter__
2020-03-11T15:53:23.738282166Z     return iter(self.query_cache["objects"])
2020-03-11T15:53:23.738285887Z   File "/usr/local/lib/python3.8/site-packages/pykube/query.py", line 186, in query_cache
2020-03-11T15:53:23.738297474Z     cache["response"] = self.execute().json()
2020-03-11T15:53:23.738301192Z   File "/usr/local/lib/python3.8/site-packages/pykube/query.py", line 161, in execute
2020-03-11T15:53:23.738304959Z     r.raise_for_status()
2020-03-11T15:53:23.738308315Z   File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 940, in raise_for_status
2020-03-11T15:53:23.738312089Z     raise HTTPError(http_error_msg, response=self)
```

@hjacobs
Owner

hjacobs commented Mar 11, 2020

Yes, I think honoring --include-namespaces if it only has one option makes sense. We don't need to iterate over namespaces if they are already passed on the command line.
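
An added example (not kube-janitor's own code) of the shortcut described in the comment above: when --include-namespaces names concrete namespaces, the cluster-wide namespace list is never requested, so a namespaced Role is enough; only a wildcard include needs the ClusterRole-level list that produced the 403 in the issue. The option semantics (comma-separated lists, "*" as the all-namespaces wildcard, glob matching) are assumptions about the CLI, and the 403 lister is a constructed stand-in for pykube's Namespace.objects(api).

```python
# Added example, not kube-janitor's own code. Assumes --include-namespaces /
# --exclude-namespaces style lists with "*" as the "all namespaces" wildcard.
import fnmatch
from typing import Callable, Iterable, List


class ForbiddenError(Exception):
    """Stands in for the 403 HTTPError pykube raises on GET /api/v1/namespaces."""


def _matches(name: str, patterns: Iterable[str]) -> bool:
    """Glob match (assumed semantics) of a namespace name against a pattern list."""
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def resolve_namespaces(include: List[str], exclude: List[str],
                       list_all: Callable[[], List[str]]) -> List[str]:
    """Return the namespaces to process.

    If every include entry is a literal name (no glob characters), the answer is
    already known from the command line and list_all() is never called, so a
    namespaced Role with no 'list namespaces' permission is sufficient. Only a
    wildcard include falls back to the cluster-wide listing.
    """
    literal = [n for n in include if not any(c in n for c in "*?[")]
    if len(literal) == len(include):
        candidates = literal
    else:
        candidates = list_all()  # may raise ForbiddenError under a namespaced Role
    return [n for n in candidates
            if _matches(n, include) and not _matches(n, exclude)]


def cluster_wide_list() -> List[str]:
    """Constructed stand-in for Namespace.objects(api) when only a Role is bound."""
    raise ForbiddenError("403 Client Error: Forbidden for url: .../api/v1/namespaces")


if __name__ == "__main__":
    # Explicit include: no cluster-wide call, so the 403 never happens.
    print(resolve_namespaces(["team-a"], ["kube-system"], cluster_wide_list))
```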

@universam1
Author

That would be amazing!
It would harmonize well with the option to run it as a cron job, deployed alongside an application.

@hjacobs
Owner

hjacobs commented Mar 12, 2020

@universam1 would you be willing to do a PR?

@universam1
Author

universam1 commented Mar 12, 2020

Sorry @hjacobs, I have no exposure to Python; I'm a golang guy :) But I'm available to help with testing!
