
Don't automatically create namespace if it does not exist #28

Open
meain opened this issue Jul 7, 2022 · 3 comments
Labels
enhancement New feature or request triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@meain
Member

meain commented Jul 7, 2022

Briefly describe the feature

As of now, if the user selects a namespace when specifying a project-user-role mapping which does not exist, we create the namespace on the first use. This is done as we rely on the namespace being available to generate SA and other necessary resources, but it would be better to not create the namespace and just return with error/empty if they try to access it.

What problem does this feature solve? Please link any relevant documentation or Issues

Make the behavior of missing namespaces more to what people might expect out of the box.

(optional) What is your current workaround?

-

@meain meain added the enhancement New feature or request label Jul 7, 2022
@niravparikh05 niravparikh05 self-assigned this Jul 15, 2022
@niravparikh05
Contributor

As part of this fix, Paralus will not create a namespace if it does not exist whenever a namespaced role is associated to any user. It is the responsibility of the admin to ensure a valid, existing namespace is provided during role association.

Users will see the below error message while trying to access details from a namespace that does not exist in the target cluster:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:paralus-system:nsadmin-64paralus-46local" cannot list resource "pods" in API group "" in the namespace "paralus"

@niravparikh05 niravparikh05 linked a pull request Jul 15, 2022 that will close this issue
@niravparikh05 niravparikh05 added this to the v0.1.1 milestone Jul 18, 2022
@niravparikh05 niravparikh05 removed this from the v0.1.1 milestone Feb 24, 2023
@akshay196 akshay196 added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Mar 23, 2023
@akshay196
Member

akshay196 commented Mar 23, 2023

@niravparikh05 Adding the needs-triage label to this issue. Please confirm if it is already triaged and good to be worked on.

@akshay196
Member

akshay196 commented Apr 1, 2023

I have verified this issue on my side. Attaching a recording that shows the namespace (named ns-read-user-ns) is automatically created in the cluster when a user performs a kubectl operation.

Screencast.from.01-04-23.07.21.58.PM.IST.webm

As per design, Paralus is creating role and rolebinding in the namespace based on user permissions.

$ kubectl get role,rolebinding -n ns-read-user-ns
NAME                                                                  CREATED AT
role.rbac.authorization.k8s.io/paralus-ns-role-read-ns-read-user-ns   2023-04-01T13:58:10Z

NAME                                                                                                               ROLE                                        AGE
rolebinding.rbac.authorization.k8s.io/paralus-ns-role-read-ns-read-user-ns-ns-45read-64paralus-46local-r-binding   Role/paralus-ns-role-read-ns-read-user-ns   6m15s

  1. If a user has write kubectl access (e.g. kubectl.fullaccess, kubectl.namespace.write, kubectl.cluster.write) to the cluster, then is it a fair action that the user manually creates a namespace s/he has access to?
  2. If the ns does not exist then no role and rolebinding are created. If a user performs an operation on the granted namespace, they might get a "forbidden" error. I think Paralus should detect that no namespace is available and inform the user likewise, so that the user can ask an admin to create the missing namespace. Is this the expected behavior?
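
The two behaviours discussed in this thread (create the namespace on first use, as the issue describes; or refuse and surface a clear error, as proposed by niravparikh05 and in point 2 above) side by side, as an added example that is not Paralus code. Paralus reconciles Role/RoleBinding objects through client-go; here a hypothetical `ClusterClient` interface and an in-memory `fakeCluster` stand in for the API server so the example runs offline, and the namespace, role and subject names are constructed from the thread's kubectl output.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNamespaceNotFound is returned by the strict path instead of silently creating the namespace.
var ErrNamespaceNotFound = errors.New("namespace does not exist in target cluster")

// ClusterClient is the minimal surface the role reconciler needs. Paralus talks to the
// cluster through client-go; this interface is a hypothetical stand-in for the example.
type ClusterClient interface {
	NamespaceExists(name string) (bool, error)
	CreateNamespace(name string) error
	CreateRoleAndBinding(namespace, role, subject string) error
}

// fakeCluster is a constructed in-memory cluster used in place of a real API server.
type fakeCluster struct {
	namespaces map[string]bool
	bindings   []string
}

func newFakeCluster(existing ...string) *fakeCluster {
	f := &fakeCluster{namespaces: map[string]bool{}}
	for _, ns := range existing {
		f.namespaces[ns] = true
	}
	return f
}

func (f *fakeCluster) NamespaceExists(name string) (bool, error) { return f.namespaces[name], nil }

func (f *fakeCluster) CreateNamespace(name string) error {
	f.namespaces[name] = true
	return nil
}

func (f *fakeCluster) CreateRoleAndBinding(namespace, role, subject string) error {
	f.bindings = append(f.bindings, namespace+"/"+role+"->"+subject)
	return nil
}

// reconcileLegacy mirrors the behaviour the issue describes: a missing namespace is
// created on first use so that the Role and RoleBinding have somewhere to live.
func reconcileLegacy(c ClusterClient, namespace, role, subject string) error {
	exists, err := c.NamespaceExists(namespace)
	if err != nil {
		return err
	}
	if !exists {
		if err := c.CreateNamespace(namespace); err != nil {
			return err
		}
	}
	return c.CreateRoleAndBinding(namespace, role, subject)
}

// reconcileStrict is the proposed behaviour: never create the namespace. The caller gets a
// typed error it can surface to the user instead of a bare "forbidden" at kubectl time.
func reconcileStrict(c ClusterClient, namespace, role, subject string) error {
	exists, err := c.NamespaceExists(namespace)
	if err != nil {
		return fmt.Errorf("checking namespace %q: %w", namespace, err)
	}
	if !exists {
		return fmt.Errorf("namespace %q: %w", namespace, ErrNamespaceNotFound)
	}
	return c.CreateRoleAndBinding(namespace, role, subject)
}

// userFacingMessage turns the reconciler error into the message a user would see, so they
// know to ask an admin for the namespace rather than guessing from a "forbidden" response.
func userFacingMessage(err error) string {
	if errors.Is(err, ErrNamespaceNotFound) {
		return "access was granted to a namespace that does not exist in the target cluster; ask a cluster admin to create it"
	}
	if err != nil {
		return "role reconciliation failed: " + err.Error()
	}
	return "ok"
}

func main() {
	// Constructed sample mapping: the namespace from the thread, a constructed subject name.
	const missing, role, subject = "ns-read-user-ns", "paralus-ns-role-read", "ns-read-user"

	legacy := newFakeCluster("paralus")
	_ = reconcileLegacy(legacy, missing, role, subject)
	fmt.Println("legacy: namespace created =", legacy.namespaces[missing])

	strict := newFakeCluster("paralus")
	err := reconcileStrict(strict, missing, role, subject)
	fmt.Println("strict: namespace created =", strict.namespaces[missing])
	fmt.Println("strict:", userFacingMessage(err))
}
```

The strict path keeps namespace creation with cluster admins: a project-user-role mapping can no longer cause a namespace to appear in the target cluster, and the failure is reported where the mapping is made rather than later as a kubectl `Forbidden` error.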

@akshay196 akshay196 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 1, 2023