feat(ui): actionable RestrictedState for RBAC-denied resources#975
Closed
nadaverell wants to merge 2 commits into
Closed
feat(ui): actionable RestrictedState for RBAC-denied resources#975nadaverell wants to merge 2 commits into
nadaverell wants to merge 2 commits into
Conversation
The forbidden empty state was a bare 'Access Restricted / Insufficient permissions'. Replace with a reusable RestrictedState component: plain-language framing for a non-k8s operator (states it's RBAC, not an empty cluster), and a 'How to get access' disclosure with a generic ClusterRole/ClusterRoleBinding snippet + 'Copy request' button to forward to whoever administers the cluster. Honest about cause (never claims tier vs custom-role) and chart-version-agnostic (generic YAML).
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit a24adcf. Configure here.
Bugbot triage on the forbidden-state component: - Expanded RBAC snippet could clip on short panes (absolute inset-0 centered, no scroll). Wrap in overflow-y-auto + min-h-full so it centers when collapsed and scrolls (no top clip) when expanded; cap the snippet at max-h-72. - selectedKind.name is the API plural in normal use but a CRD deep-link can transiently carry the Kind (HTTPRoute) before discovery resolves it, yielding a snippet that wouldn't grant access. Only inline the resource when it looks like a valid lowercase resource name; otherwise use a <resource> placeholder and a generic role name.
a24adcf to
75abdf4
Compare
Contributor
Author
|
Consolidated into #988 (cluster-scoped RBAC visibility). Same commits, one PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

What
The RBAC-denied resource list showed a bare "Access Restricted / Insufficient permissions to list X". For a non-k8s operator that's a dead end.
Introduces a reusable
RestrictedStatecomponent (exported from@skyhook-io/k8s-ui):ClusterRole/ClusterRoleBindingsnippet + Copy request button to forward to whoever administers the cluster (decision: don't route to the Hub org owner — they're often not the cluster RBAC admin).Wired into the resource list's
isSelectedForbiddenbranch; reusable by topology/search/the 'Your access' surface next.Relationship
Composes with radar#974 (backend surfaces denied core cluster-scoped kinds like Node as
forbidden): #974 makes this state trigger for Nodes/PVs; this PR makes the state useful. Independently improves already-forbidden namespaced kinds today.Verification
make tsc✓. visual-test: not run — the denied state needs an auth-mode cluster with a restricted identity to render; the component is self-contained + tsc-clean. Recommend a visual pass on a restricted cluster before/with the cluster-read rollout.Note
Low Risk
Presentation-only k8s-ui changes with no auth or API impact; clipboard copy is client-side.
Overview
Replaces the minimal "Access Restricted" message on forbidden resource lists with a shared
RestrictedStatecomponent that explains RBAC denial in plain language (distinct from empty clusters) and offers a "How to get access" section with a copyable genericClusterRole/ClusterRoleBindingrequest for cluster admins.ResourcesViewnow rendersRestrictedStatewith kind, API group, and resource plural whenisSelectedForbidden, and wraps it in a scrollable container so an expanded snippet isn’t clipped on short panes. The component validates resource names before inlining them in YAML (CRD deep-links may briefly pass Kind casing) and is exported from@skyhook-io/k8s-uifor reuse in topology, search, and access summary surfaces.Reviewed by Cursor Bugbot for commit 75abdf4. Bugbot is set up for automated code reviews on this repo. Configure here.