make login, project, and discovery work against kube with RBAC enabled

Author: deads2k

hack/dind-cluster.sh

@@ -220,6 +220,9 @@ function wait-for-cluster() {
   local oc
   oc="$(os::build::find-binary oc)"
 
+  # wait for healthz to report ok before trying to get nodes
+  os::util::wait-for-condition "ok" "${oc} get --config=\"${kubeconfig}\" --raw=/healthz" "120"
+
   local msg="${expected_node_count} nodes to report readiness"
   local condition="nodes-are-ready ${kubeconfig} ${oc} ${expected_node_count}"
   local timeout=120

pkg/cmd/cli/cmd/login/helpers.go

@@ -130,7 +130,7 @@ func whoAmI(clientConfig *restclient.Config) (*api.User, error) {
 	me, err := client.Users().Get("~")
 
 	// if we're talking to kube (or likely talking to kube),
-	if kerrors.IsNotFound(err) {
+	if kerrors.IsNotFound(err) || kerrors.IsForbidden(err) {
 		switch {
 		case len(clientConfig.BearerToken) > 0:
 			// the user has already been willing to provide the token on the CLI, so they probably

pkg/cmd/cli/cmd/login/loginoptions.go

@@ -263,7 +263,7 @@ func (o *LoginOptions) gatherProjectInfo() error {
 
 	projectsList, err := oClient.Projects().List(kapi.ListOptions{})
 	// if we're running on kube (or likely kube), just set it to "default"
-	if kerrors.IsNotFound(err) {
+	if kerrors.IsNotFound(err) || kerrors.IsForbidden(err) {
 		fmt.Fprintf(o.Out, "Using \"default\".  You can switch projects with '%s project <projectname>':\n\n", o.CommandName)
 		o.Project = "default"
 		return nil

pkg/cmd/cli/cmd/project.go

@@ -281,11 +281,11 @@ func (o ProjectOptions) RunProject() error {
 
 func confirmProjectAccess(currentProject string, oClient *client.Client, kClient kclient.Interface) error {
 	_, projectErr := oClient.Projects().Get(currentProject)
-	if !kapierrors.IsNotFound(projectErr) {
+	if !kapierrors.IsNotFound(projectErr) && !kapierrors.IsForbidden(projectErr) {
 		return projectErr
 	}
 
-	// at this point we know the error is a not found, but we'll test namespaces just in case we're running on kube
+	// at this point we know the error is a not found or forbidden, but we'll test namespaces just in case we're running on kube
 	if _, err := kClient.Namespaces().Get(currentProject); err == nil {
 		return nil
 	}
@@ -299,7 +299,8 @@ func getProjects(oClient *client.Client, kClient kclient.Interface) ([]api.Proje
 	if err == nil {
 		return projects.Items, nil
 	}
-	if err != nil && !kapierrors.IsNotFound(err) {
+	// if this is kube with authorization enabled, this endpoint will be forbidden.  OpenShift allows this for everyone.
+	if err != nil && !(kapierrors.IsNotFound(err) || kapierrors.IsForbidden(err)) {
 		return nil, err
 	}
 

pkg/cmd/cli/config/smart_merge.go

@@ -63,7 +63,7 @@ func getUserPartOfNickname(clientCfg *restclient.Config) (string, error) {
 		return "", err
 	}
 	userInfo, err := client.Users().Get("~")
-	if kerrors.IsNotFound(err) {
+	if kerrors.IsNotFound(err) || kerrors.IsForbidden(err) {
 		// if we're talking to kube (or likely talking to kube), take a best guess consistent with login
 		switch {
 		case len(clientCfg.BearerToken) > 0:

pkg/cmd/util/clientcmd/negotiate.go

@@ -36,7 +36,7 @@ func negotiateVersion(client *kclient.Client, config *restclient.Config, request
 	// Get server versions
 	serverGVs, err := serverAPIVersions(client, "/oapi")
 	if err != nil {
-		if errors.IsNotFound(err) {
+		if errors.IsNotFound(err) || errors.IsForbidden(err) {
 			glog.V(4).Infof("Server path /oapi was not found, returning the requested group version %v", preferredGV)
 			return preferredGV, nil
 		}