refactor(k8s): update based on feedback

api/http/handler/kubernetes/handler.go

@@ -9,7 +9,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/middlewares"
-	"github.com/portainer/portainer/api/http/rbacutils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/kubernetes"
@@ -166,11 +165,16 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			Str("user", user.Username).
 			Msg("Creating a Kubernetes client")
 
-		isKubeAdmin, nonAdminNamespaces, err := rbacutils.IsAdmin(user, endpoint, handler.DataStore, handler.KubernetesClientFactory)
+		isKubeAdmin := true
+		nonAdminNamespaces := []string{}
+		if user.Role != portainer.AdministratorRole {
+			nonAdminNamespaces, err = cli.GetNonAdminNamespaces(int(user.ID), endpoint, handler.KubernetesClientFactory)
 			if err != nil {
-			httperror.InternalServerError("an error occurred during the kubeClientMiddleware operation, unable to check if user is an admin and retrieve non-admin namespaces. Error: ", err)
+				httperror.WriteError(w, http.StatusInternalServerError, "an error occurred during the IsAdmin operation, unable to retrieve non-admin namespaces. Error: ", err)
 				return
 			}
+			isKubeAdmin = false
+		}
 
 		bearerToken, err := handler.JwtService.GenerateTokenForKubeconfig(tokenData)
 		if err != nil {

api/http/rbacutils/rbac_utils.go

@@ -17,34 +17,14 @@ func IsAdmin(user *portainer.User, endpoint *portainer.Endpoint, dataStore datas
 		return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, user is nil. Unable to check if user is an admin")
 	}
 
-	if len(endpoint.UserAccessPolicies) > 0 {
+	// use constants
-		_, ok := endpoint.UserAccessPolicies[user.ID]
+	if user.Role != 1 {
-		if ok {
 		nonAdminNamespaces, err := cli.GetNonAdminNamespaces(int(user.ID), endpoint, clientFactory)
 		if err != nil {
 			return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, unable to retrieve non-admin namespaces. Error: %v", err)
 		}
 		return false, nonAdminNamespaces, nil
 	}
-	}
-
-	if len(endpoint.TeamAccessPolicies) > 0 {
-		teamMemberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
-		if err != nil {
-			return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, unable to retrieve user team memberships to fetch allowed namespace access. Error: %v", err)
-		}
-
-		for _, teamMembership := range teamMemberships {
-			_, ok := endpoint.TeamAccessPolicies[teamMembership.TeamID]
-			if ok {
-				nonAdminNamespaces, err := cli.GetNonAdminNamespaces(int(user.ID), endpoint, clientFactory)
-				if err != nil {
-					return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, unable to retrieve non-admin namespaces. Error: %v", err)
-				}
-				return false, nonAdminNamespaces, nil
-			}
-		}
-	}
 
 	return true, nil, nil
 }

api/kubernetes/cli/access.go

@@ -130,13 +130,15 @@ func GetNonAdminNamespaces(userID int, endpoint *portainer.Endpoint, clientFacto
 	}
 
 	nonAdminNamespaces := []string{}
+	if !endpoint.Kubernetes.Configuration.RestrictDefaultNamespace {
+		nonAdminNamespaces = append(nonAdminNamespaces, defaultNamespace)
+	}
+
 	for namespace, accessPolicy := range accessPolicies {
 		if hasUserAccessToNamespace(userID, nil, accessPolicy) {
-			if !(endpoint.Kubernetes.Configuration.RestrictDefaultNamespace && namespace == "default") {
 			nonAdminNamespaces = append(nonAdminNamespaces, namespace)
 		}
 	}
-	}
 
 	return nonAdminNamespaces, nil
 }