Cannot decode secret if there is no get permissions for all secrets #3735

@sylvainmetayer

Describe the bug

I'm trying to restrict access to secrets, and want to be able to allow listing secrets, but only editing/seeing one of them. With kubectl, this works fine; however, with k9s, I can't decode the secret.

I allow access to the following resources (via Rancher):

  # List secrets, but cannot see them
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - list
      - watch
  # Edit one specific secret
  - apiGroups: [""]
    resources:
      - secrets
    resourceNames:
      - dsi
    verbs:
      - get
      - list
      - watch
      - update
      - patch

To Reproduce
Steps to reproduce the behavior:

  • Open k9s
  • Go to secrets: secrets are listed
  • Try to see one secret which isn't dsi: denied, that's the intended behaviour
  • Try to get details on the dsi secret: working as expected
  • Try to decode secret dsi: error Ruroh? (get) access denied for user on resource "":v1/secrets in namespace

However, with the same kubeconfig, if I run the kubectl command, I get no error:

kubectl get secrets/dsi --kubeconfig kubeconfig-test.yaml  -n project-preprod -o yaml
apiVersion: v1
data: REDACTED
kind: Secret
metadata:
  name: dsi
  namespace: project-preprod
type: Opaque

Historical Documents
When applicable please include any supporting artifacts: k9s debug logs, configurations, resource manifests, ...

k9s logs:

2025-12-19T10:15:10+01:00 DBG History (exec) stack="v1/secrets project-preprod"
2025-12-19T10:15:14+01:00 ERR reconcile failed gvr=v1/secrets error="secrets \"others\" is forbidden: User \"u-5wfht\" cannot get resource \"secrets\" in API group \"\" in the namespace \"project-preprod\""
2025-12-19T10:15:14+01:00 ERR LiveView refresh failed error="secrets \"others\" is forbidden: User \"u-5wfht\" cannot get resource \"secrets\" in API group \"\" in the namespace \"project-preprod\""
2025-12-19T10:15:51+01:00 DBG [CAN] access subsys=client subsys=can gvr=v1/secrets ns=project-preprod res-name="" verb=[get]
2025-12-19T10:15:51+01:00 DBG [CAN] response subsys=client subsys=can auth-status=false auth-reason=""
2025-12-19T10:15:51+01:00 ERR reconcile failed gvr=v1/secrets error="(get) access denied for user on resource \"\":v1/secrets in namespace \"project-preprod\""
2025-12-19T10:15:51+01:00 ERR LiveView refresh failed error="(get) access denied for user on resource \"\":v1/secrets in namespace \"project-preprod\""
2025-12-19T10:16:22+01:00 ERR reconcile failed gvr=v1/secrets error="[get] access denied on resource \"project-preprod\":\"v1/secrets\""
2025-12-19T10:16:22+01:00 ERR LiveView refresh failed error="[get] access denied on resource \"project-preprod\":\"v1/secrets\""

Expected behavior

Be able to decode the secret from k9s

Versions (please complete the following information):

  • OS: Fedora 42
  • K9s:
Version:    v0.50.16
Commit:     3c37ca2197ca48591566d1f599b7b3a50d54a408
Date:       2025-10-19T15:52:37Z
  • K8s:
Client Version: v1.29.15
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
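
Added example (not part of the original report, and not k9s or Kubernetes source code): a simplified model of how Kubernetes RBAC matches resourceNames, applied to the two rules quoted above. It shows that a get check on secrets with an empty resource name, as in the res-name="" log line, is not granted by these rules, while the same check naming dsi is. The type and function names are assumptions made for illustration.

```go
package main

import "fmt"

// PolicyRule holds the RBAC rule fields used in the issue's role (illustrative type).
type PolicyRule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

// in reports whether list contains want (exact match).
func in(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants verb on resource/name in apiGroup.
func Allowed(rules []PolicyRule, apiGroup, verb, resource, name string) bool {
	for _, r := range rules {
		groupOK := in(r.APIGroups, apiGroup) || in(r.APIGroups, "*")
		verbOK := in(r.Verbs, verb) || in(r.Verbs, "*")
		resOK := in(r.Resources, resource) || in(r.Resources, "*")
		// No resourceNames: every object. Otherwise exact match only, so "" never matches.
		nameOK := len(r.ResourceNames) == 0 || in(r.ResourceNames, name)
		if groupOK && verbOK && resOK && nameOK {
			return true
		}
	}
	return false
}

// IssueRules returns the two rules quoted in the report.
func IssueRules() []PolicyRule {
	return []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"list", "watch"}},
		{APIGroups: []string{""}, Resources: []string{"secrets"}, ResourceNames: []string{"dsi"},
			Verbs: []string{"get", "list", "watch", "update", "patch"}},
	}
}

func main() {
	for _, name := range []string{"", "dsi", "others"} {
		fmt.Printf("get secrets name=%q allowed=%v\n", name, Allowed(IssueRules(), "", "get", "secrets", name))
	}
}
```

A client that pre-checks permissions under a role like this one has to pass the object name in the access review; a namespace-wide get check is denied even though get on dsi is granted.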

Labels: bug, in-progress
