Bug 1288445 - Specifying both "--namespace" and "--all-namespaces" should work for "oc get" and "oc export" when run as cluster role
Summary: Specifying both "--namespace" and "--all-namespaces" should work for "oc get"...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Seth Jennings
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-04 09:07 UTC by Xingxing Xia
Modified: 2019-07-03 15:03 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-03 15:03:33 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Xingxing Xia 2015-12-04 09:07:56 UTC
Description of problem:
When both "--namespace" and "--all-namespaces" are specified, "--namespace" should be ignored. See oc get -h

Version-Release number of selected component (if applicable):
openshift/oc v1.1-330-g693be19
kubernetes v1.1.0-origin-1107-g4c8e6f4

How reproducible:
Always

Steps to Reproduce:
1. Start openshift, oc login with user "xxia" and create two projects proj1, proj2
2. Make user "xxia" as cluster role (such as cluster-admin, view) so it can use "--all-namespaces"
$ oadm policy add-cluster-role-to-user view xxia --config=admin.kubeconfig
3. Get resources from all namespaces with "--namespace" given as well.
$ oc get pod --all-namespaces --namespace=proj1

Actual results:
3. It outputs:
the  namespace from the provided object "default" does not match the  namespace "". You must pass '--namespace=default' to perform this  operation.

Expected results:
3. "--namespace" should be ignored and the command should succeed.

Additional info:
oc export has the same problem.

Comment 1 Xingxing Xia 2015-12-04 10:05:08 UTC
Additional info:

For user that does not own cluster role, run "oc get" with "--all-namespaces" "--namespace" both given, it will prompt message like (This is expected, of course):
Error from server: User "user" cannot list all pods in the cluster.

I find, among all oc commands, only the following four commands have "--all-namespaces" option:
oc get, oc export, oadm policy who-can, oc policy who-can

*But* oadm policy who-can, oc policy who-can work fine:
$ oadm policy who-can get pods --all-namespaces -n proj1
It outputs:
Namespace: <all>
Verb:      get
Resource:  pods

Users:  system:serviceaccount:openshift-infra:build-controller
        system:serviceaccount:openshift-infra:deployment-controller
        system:serviceaccount:openshift-infra:pv-controller
        xxia
<-- snip -->

Comment 2 Fabiano Franz 2016-01-08 17:37:52 UTC
"--namespace" and "--all-namespaces" must be mutually exclusive.

Comment 3 Xingxing Xia 2016-01-11 03:05:31 UTC
In "oc get -h", after "--all-namespaces" it says: Namespace in current context is ignored even if specified with --namespace. The actual result of step 3 in bug description is confusing (Even if assume "--namespace" and "--all-namespaces" must be mutually exclusive)

Comment 4 Andy Goldstein 2016-01-11 16:12:22 UTC
Not a 3.1.1 blocker. Lowering severity.

Comment 5 Avesh Agarwal 2016-02-08 07:50:32 UTC
Sent following PR to address this issue:
https://github.com/kubernetes/kubernetes/pull/20802

Comment 7 Greg Blomquist 2019-07-03 15:03:33 UTC
Merged upstream 3 years ago.


Note You need to log in before you can comment on or make changes to this bug.