Skip to content

Container Assist Improvement: AKS namespace fetch RBAC error should be handled gracefully in wizard flow #1975

New issue
New issue
Open
Open
Container Assist Improvement: AKS namespace fetch RBAC error should be handled gracefully in wizard flow#1975
Assignees
Tatsinnitbosesuneha
Labels
enhancement 🚀New feature or request or improvements on existing code.triage
@Tatsinnit

Description

@Tatsinnit
Tatsinnit
opened on Mar 10, 2026

Summary

When the extension cannot list namespaces due to RBAC permissions, the wizard currently surfaces a raw kubectl forbidden error and blocks progress.
This should be handled more gracefully so users are not forced to go deeper into the wizard just to discover they lack namespace-list permissions.

Current behavior

During wizard flow, namespace retrieval fails with:

Failed to retrieve namespaces from cluster: The command "kubectl get namespace -o json" returned status code 1 Error: Error from server (Forbidden): namespaces is forbidden: User "xxx@microsoft.com" cannot list resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.

Expected behavior

If namespace listing fails with Forbidden:

  1. Show a concise, user-friendly message.
  2. Explain that this is likely an RBAC permission issue.
  3. Offer actionable next steps (for example: required role/permission, link/button to docs).
  4. Allow fallback behavior instead of hard-blocking the wizard (for example: manual namespace entry, skip namespace step, or continue with default options where safe).
  5. Avoid exposing the full raw kubectl error by default (optionally available under “Details”).

Why this matters

Users with limited RBAC are common in enterprise environments.
A graceful experience would reduce confusion and prevent unnecessary failure in guided flows.

Repro steps

  1. Use an AKS cluster where the signed-in user does not have permission to list namespaces at cluster scope.
  2. Start the related wizard flow in the extension that requires namespace retrieval.
  3. Observe the failure toast/error and blocked progression.

Possible/Suggested acceptance criteria

  1. Forbidden namespace-list errors are detected and mapped to a friendly UX message.
  2. Wizard presents at least one non-blocking fallback path.
  3. Raw error text is hidden behind an optional details affordance.
  4. Telemetry includes a distinct error reason for RBAC namespace-list denial.
Image

Metadata

Metadata

Assignees

Labels

enhancement 🚀New feature or request or improvements on existing code.triage

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions