Description
What happened:
Usually, when we think about using diff to compare two things - write access is not required. In this case, it seems kubectl diff requires write access to compare the current and future state. This might be an upstream problem if this is due to the server side apply.
When doing kubectl diff on a Deployment:
Error from server (Forbidden): deployments.extensions "my-super-deployment" is forbidden:
User "myuser" cannot patch resource "deployments" in API group "extensions" in the namespace
"mynamespace": requires one of ["container.deployments.update"] permission(s).
It seems to require PATCH / PUT permission under /apis/apps/v1/namespaces/{namespace}/deployments/* or older /apis/extensions/v1beta1/namespaces/{namespace}/deployments/*.
What you expected to happen:
Diff output to be shown.
How to reproduce it (as minimally and precisely as possible):
Attempt to diff a Deployment resource from a user lacking write access to the deployment. The permission in the example above is mapped to GKE specifically.
Anything else we need to know?:
Environment:
- Kubernetes client and server versions (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2020-10-14T12:50:19Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15+", GitVersion:"v1.15.12-gke.20", GitCommit:"0ac5f81eecab42bff5ef74f18b99d8896ba7b89b", GitTreeState:"clean", BuildDate:"2020-09-09T00:48:20Z", GoVersion:"go1.12.17b4", Compiler:"gc", Platform:"linux/amd64"}
- Cloud provider or hardware configuration: Google, GKE
- OS (e.g: cat /etc/os-release): n/a
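
Added example, not part of the original report and not kubectl or Kubernetes code: a simplified Kubernetes RBAC rule matcher that reports which verbs a set of rules is missing for `kubectl diff` on an existing Deployment. It assumes cluster authorization is expressed as RBAC rules (the report's GKE message names an IAM permission instead); the three rule sets and the name `other-deployment` are constructed sample data, and subresources and nonResourceURLs are ignored.

```python
# Added example: simplified RBAC rule matching (no subresources, no
# nonResourceURLs). All rule sets below are constructed sample data.

# For an existing object, kubectl diff reads the live object and sends a
# server-side dry-run PATCH. The API server authorizes a dry-run request
# exactly like a real one, so the "patch" verb is required.
DIFF_VERBS = ("get", "patch")

VIEW_ONLY = [  # constructed read-only rules
    {"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch"]},
]
DIFF_CAPABLE = [  # constructed rules that add patch, nothing broader
    {"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "patch"]},
]
NAME_SCOPED = [  # constructed rules limited to a different object name
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "resourceNames": ["other-deployment"], "verbs": ["*"]},
]


def _matches(allowed, value):
    """RBAC list match: '*' is a wildcard, otherwise exact membership."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, group, resource, name):
    """True if one RBAC rule grants verb on group/resource for this name."""
    names = rule.get("resourceNames", [])
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and (not names or name in names))  # empty list means any name


def missing_verbs_for_diff(rules, group, resource, name):
    """Verbs kubectl diff needs on the object that no rule grants."""
    return [v for v in DIFF_VERBS
            if not any(rule_allows(r, v, group, resource, name) for r in rules)]


if __name__ == "__main__":
    target = ("apps", "deployments", "my-super-deployment")
    for label, rules in (("view-only", VIEW_ONLY),
                         ("diff-capable", DIFF_CAPABLE),
                         ("name-scoped", NAME_SCOPED)):
        print(label, "missing:", missing_verbs_for_diff(rules, *target))
```
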