feat: enhance namespace handling and resource access in Kubernetes #1082

Open. FinnGrndl wants to merge 4 commits into skyhook-io:main from FinnGrndl:main

FinnGrndl commented Jul 2, 2026

  • Add support for multiple fallback namespaces in resource access checks.
  • Implement caching for resource permissions with namespace scope.
  • Update server to manage user-specific namespace preferences, including initial configuration from command-line flags.
  • Introduce union indexers for resource caches to handle multi-namespace scenarios.
  • Enhance resource cache to support multiple namespaces for scoped resources, allowing for more granular access control.
  • Add tests to verify the behavior of new namespace handling features and ensure correctness of resource access logic.

Description

Brief description of the changes in this PR.

Type of change

  • [ ] Bug fix (non-breaking change that fixes an issue)
  • [x] New feature (non-breaking change that adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] Documentation update

How has this been tested?

Describe the tests you ran to verify your changes.

  • [x] Tested locally with minikube/kind
  • [ ] Tested against a remote cluster
  • [ ] Added/updated unit tests

Checklist

  • [x] My code follows the project's coding standards
  • [x] I have performed a self-review of my code
  • [x] I have added comments where necessary
  • [x] My changes generate no new warnings
  • [ ] Any dependent changes have been merged

Related issues


Note

Medium Risk
Changes informer wiring and RBAC scope discovery for namespace-restricted users, which affects what data appears in the cache and UI; scope is broad across bootstrap, k8s permissions, and k8score cache but is covered by new tests and guarded startup validation for --namespace-scope.

Overview
Adds --namespaces (and persisted namespaces in ~/.radar/config.json) so operators can seed multiple initial namespace picks when cluster-wide namespace listing is denied. CLI/desktop/explorer resolve --namespace vs --namespaces with mutual-exclusion when both are set explicitly; --namespace-scope still allows only one namespace and rejects multiple --namespaces values at startup.

RBAC probing now records every namespace where a kind is listable (ScopeNamespaces) instead of stopping at the first grant, and the shared ResourceCache can run per-namespace informers merged through a union indexer so listers cover several namespaces. Startup/browser/desktop redirects pass a ?namespaces= query when that list is configured.

The server seeds per-user namespace preferences from --namespaces (auth sessions) or from saved local picks when present; clearing a pick stores an empty selection instead of deleting the key so configured defaults are not re-applied unintentionally.

Reviewed by Cursor Bugbot for commit e641f69.
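
An added illustration of the probing behaviour described in the overview above (not code from this pull request or from the skyhook-io project): it collects every candidate namespace where a kind is listable rather than stopping at the first grant, and applies the stated single-namespace rule for --namespace-scope. The function names, the canList callback standing in for a SelfSubjectAccessReview, and the sample RBAC data are assumptions.

```go
package main

import "fmt"

// canListFunc is a hypothetical stand-in for a SelfSubjectAccessReview
// asking "may the current user list <kind> in <namespace>?".
type canListFunc func(kind, namespace string) bool

// probeScopeNamespaces returns every candidate namespace where kind is
// listable. Stopping at the first grant would hide the others from the cache.
func probeScopeNamespaces(kind string, candidates []string, canList canListFunc) []string {
	seen := map[string]bool{}
	var granted []string
	for _, ns := range candidates {
		if ns == "" || seen[ns] {
			continue // skip empty and duplicate picks
		}
		seen[ns] = true
		if canList(kind, ns) {
			granted = append(granted, ns)
		}
	}
	return granted
}

// validateNamespaceScope mirrors the startup rule stated in the overview:
// --namespace-scope allows only one namespace.
func validateNamespaceScope(scopeEnabled bool, namespaces []string) error {
	if scopeEnabled && len(namespaces) > 1 {
		return fmt.Errorf("--namespace-scope allows one namespace, got %d", len(namespaces))
	}
	return nil
}

// constructedRBAC is sample data: kind -> namespaces with a list grant.
var constructedRBAC = map[string]map[string]bool{
	"pods":    {"team-a": true, "team-b": true},
	"secrets": {"team-b": true},
}

func constructedCanList(kind, ns string) bool { return constructedRBAC[kind][ns] }

func main() {
	picks := []string{"team-a", "team-b", "team-c", "team-a"} // constructed picks
	for _, kind := range []string{"pods", "secrets", "nodes"} {
		fmt.Println(kind, probeScopeNamespaces(kind, picks, constructedCanList))
	}
	fmt.Println(validateNamespaceScope(true, picks[:2]))
}
```

Per-kind results differ here: secrets are listable only in team-b, so a cache that reused the pods scope for every kind would request namespaces the user cannot list.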

Comment thread internal/server/namespace_scope.go Outdated

cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.

Reviewed by Cursor Bugbot for commit 2fa1467.

Comment thread pkg/k8score/cache.go Outdated
Comment thread cmd/explorer/main.go Outdated