-query-k8s, -include-unqualified option(s) require RBAC permissions

[fred-vogt]

Specifically get,list are needed for pods, services in the default API group when using these options:

- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list"]

Consider adding this to the README.

kube apiserver logs:

Could not query pod "<pod>" in namespace "<namespace>": 
  pods "<pod>" is forbidden: 
  User "system:serviceaccount:kube-system:<name>" 
  cannot get resource "pods" in API group "" in the namespace "<namespace>"

[johngmyers]

The services-lister ClusterRole in kapprover is what we grant to allow use of these options. This does deserve to be documented.

[fred-vogt]

Make sense, given the library comes from that project. I can send over a PR that mentions creating an extra role binding.

But - given MutatingWebhook - admissionregistration/v1beta1 supports using a full URL in the clientConfig field, I think using -query-k8s + -include-unqualified isn't needed for most admission controller use cases after all.

KOPS specific

KOPS does have a configurable service default DNS suffix setting - so its safe to make assumptions about its value because it is user configurable from a manifest file / edit.

I'll test today with MutatingWebhook::webhook[*].url field and an FQDN.

Perhaps + url and -query-k8s is the best combo. (no -include-unqualified).