Why does Spinnaker need to list namespaces when the namespaces are already known to it?

Question

Kubernetes namespaces are configured before Spinnaker is even deployed, so Spinnaker should be able to deploy into them in a namespace-restricted enterprise environment. But this answer says Spinnaker will not run in that setting: Spinnaker with restricted namspace access

Why does Spinnaker require read access to namespaces when those names are already known to it? Why does the error response contain the name of the namespace that it is trying to list?

I forked halyard so that it uses client.pods().list() to verify the k8 connection and it is able to deploy Spinnaker. Spinnaker seems to work as long as it takes namespace names from its cache. When it uses live-manifest-calls or refreshes its cache, namespace pulldowns stop working.

RocketRaccoon · Answer 1 · 2019-07-08T11:47:57.873

You don't need it actulally. Just proper configuration for Halyard and Spinnaker.

See instruction.

Configure Spinnaker to install in Kubernetes

Important: This will by default limit your Spinnaker to deploying to the namespace specified. If you want to be able to deploy to other namespaces, either add a second cloud provider target or remove the --namespaces flag.

Use the Halyard hal command line tool to configure Halyard to install Spinnaker in your Kubernetes cluster

hal config deploy edit \
  --type distributed \
  --account-name ${ACCOUNT_NAME} \
  --location ${NAMESPACE}

Why does Spinnaker need to list namespaces when the namespaces are already known to it?

1 Answers1