make login, project, and discovery work against kube with RBAC enabled

pkg/cmd/cli/cmd/login/helpers.go

@@ -130,7 +130,7 @@ func whoAmI(clientConfig *restclient.Config) (*api.User, error) {
 	me, err := client.Users().Get("~")
 
 	// if we're talking to kube (or likely talking to kube),
-	if kerrors.IsNotFound(err) {
+	if kerrors.IsNotFound(err) || kerrors.IsForbidden(err) {
 		switch {
 		case len(clientConfig.BearerToken) > 0:
 			// the user has already been willing to provide the token on the CLI, so they probably

pkg/cmd/cli/cmd/login/loginoptions.go

@@ -262,7 +262,7 @@ func (o *LoginOptions) gatherProjectInfo() error {
 
 	projectsList, err := oClient.Projects().List(kapi.ListOptions{})
 	// if we're running on kube (or likely kube), just set it to "default"
-	if kerrors.IsNotFound(err) {
+	if kerrors.IsNotFound(err) || kerrors.IsForbidden(err) {
 		fmt.Fprintf(o.Out, "Using \"default\".  You can switch projects with '%s project <projectname>':\n\n", o.CommandName)
 		o.Project = "default"
 		return nil

pkg/cmd/cli/cmd/project.go

@@ -279,11 +279,11 @@ func (o ProjectOptions) RunProject() error {
 
 func confirmProjectAccess(currentProject string, oClient *client.Client, kClient kclient.Interface) error {
 	_, projectErr := oClient.Projects().Get(currentProject)
-	if !kapierrors.IsNotFound(projectErr) {
+	if !kapierrors.IsNotFound(projectErr) && !kapierrors.IsForbidden(projectErr) {
 		return projectErr
 	}
 
-	// at this point we know the error is a not found, but we'll test namespaces just in case we're running on kube
+	// at this point we know the error is a not found or forbidden, but we'll test namespaces just in case we're running on kube
 	if _, err := kClient.Namespaces().Get(currentProject); err == nil {
 		return nil
 	}
@@ -297,7 +297,8 @@ func getProjects(oClient *client.Client, kClient kclient.Interface) ([]api.Proje
 	if err == nil {
 		return projects.Items, nil
 	}
-	if err != nil && !kapierrors.IsNotFound(err) {
+	// if this is kube with authorization enabled, this endpoint will be forbidden.  OpenShift allows this for everyone.
+	if err != nil && !(kapierrors.IsNotFound(err) || kapierrors.IsForbidden(err)) {
 		return nil, err
 	}
 

pkg/cmd/cli/config/smart_merge.go

@@ -63,7 +63,7 @@ func getUserPartOfNickname(clientCfg *restclient.Config) (string, error) {
 		return "", err
 	}
 	userInfo, err := client.Users().Get("~")
-	if kerrors.IsNotFound(err) {
+	if kerrors.IsNotFound(err) || kerrors.IsForbidden(err) {
 		// if we're talking to kube (or likely talking to kube), take a best guess consistent with login
 		switch {
 		case len(clientCfg.BearerToken) > 0:

pkg/cmd/util/clientcmd/negotiate.go

@@ -36,7 +36,7 @@ func negotiateVersion(client *kclient.Client, config *restclient.Config, request
 	// Get server versions
 	serverGVs, err := serverAPIVersions(client, "/oapi")
 	if err != nil {
-		if errors.IsNotFound(err) {
+		if errors.IsNotFound(err) || errors.IsForbidden(err) {
 			glog.V(4).Infof("Server path /oapi was not found, returning the requested group version %v", preferredGV)
 			return preferredGV, nil
 		}