Kishore Puvvada:
Should I really have the ability to delete that pod? In one of the labs (https://kodekloud.com/topic/practice-test-role-based-access-controls-2/), I tested using auth can-i whether the user dev-user can delete pods. But when I actually pressed on to do the delete, it seems to have gone through just fine. I could swear some other operations did not behave this way. So, am I missing an option on the auth can-i command? Please say yes.
>
> controlplane ~ ✖ k auth can-i delete pod -n blue --as dev-user
> no
>
> controlplane ~ ✖ k get pods -n blue
> NAME READY STATUS RESTARTS AGE
> blue-app 1/1 Running 0 6m59s
> dark-blue-app 1/1 Running 0 6m59s
>
> controlplane ~ ➜ k delete pod blue-app -n blue --as dev-user
> pod "blue-app" deleted
> W0223 03:24:34.511707 9445 reflector.go:424] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: pods "blue-app" is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "blue"
> E0223 03:24:34.511899 9445 reflector.go:140] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: pods "blue-app" is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "blue"
> W0223 03:24:35.369727 9445 reflector.go:424] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: pods "blue-app" is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "blue"
> E0223 03:24:35.369772 9445 reflector.go:140] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: pods "blue-app" is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "blue"