Add a flag to bypass can-i permission checks #3486
Description
Is your feature request related to a problem? Please describe.
We are running a applications in a serverless platform based on Kubernetes where end-users can interact with their workloads using standard kubectl. These users are restricted to namespace-scoped permissions and do not have access to create selfsubjectaccessreviews.
As a result, k9s fails to function for these users because all can-i permission checks fail, and no views are loaded beyond the initial context screen. While users do have full permissions on namespace-scoped resources like pods, services, secrets, configmaps, ... , k9s does not allow them to interact with any of them due to the lack of SAR permissions.
Describe the solution you'd like
Introduce a CLI flag --disable-self-subject-access-review. When enabled, this flag would:
- Skip can-i permission checks entirely in the internal k8s client.
- With this change all views are accessible and attempt to render them.
- Allow users to work with the resources they are actually authorized for, even if k9s cannot validate permissions ahead of time.
This would be extremely useful in controlled multi-tenant environments or platforms with strict RBAC where SAR usage is not feasible.
Additional context
I already have a working implementation of this feature in my fork. I’d be happy to contribute it via PR if there is interest from the maintainers.
Let me know if this sounds acceptable or if there's a preferred alternative approach.
Thanks for this great tool!