refactor(k8s): update based on feedback

api/http/handler/kubernetes/handler.go

@@ -9,7 +9,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/middlewares"
-	"github.com/portainer/portainer/api/http/rbacutils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/kubernetes"
@@ -166,10 +165,15 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			Str("user", user.Username).
 			Msg("Creating a Kubernetes client")
 
-		isKubeAdmin, nonAdminNamespaces, err := rbacutils.IsAdmin(user, endpoint, handler.DataStore, handler.KubernetesClientFactory)
+		isKubeAdmin := true
-		if err != nil {
+		nonAdminNamespaces := []string{}
-			httperror.InternalServerError("an error occurred during the kubeClientMiddleware operation, unable to check if user is an admin and retrieve non-admin namespaces. Error: ", err)
+		if user.Role != portainer.AdministratorRole {
-			return
+			nonAdminNamespaces, err = cli.GetNonAdminNamespaces(int(user.ID), endpoint, handler.KubernetesClientFactory)
+			if err != nil {
+				httperror.WriteError(w, http.StatusInternalServerError, "an error occurred during the IsAdmin operation, unable to retrieve non-admin namespaces. Error: ", err)
+				return
+			}
+			isKubeAdmin = false
 		}
 
 		bearerToken, err := handler.JwtService.GenerateTokenForKubeconfig(tokenData)

api/http/rbacutils/rbac_utils.go

@@ -17,33 +17,13 @@ func IsAdmin(user *portainer.User, endpoint *portainer.Endpoint, dataStore datas
 		return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, user is nil. Unable to check if user is an admin")
 	}
 
-	if len(endpoint.UserAccessPolicies) > 0 {
+	// use constants
-		_, ok := endpoint.UserAccessPolicies[user.ID]
+	if user.Role != 1 {
-		if ok {
+		nonAdminNamespaces, err := cli.GetNonAdminNamespaces(int(user.ID), endpoint, clientFactory)
-			nonAdminNamespaces, err := cli.GetNonAdminNamespaces(int(user.ID), endpoint, clientFactory)
-			if err != nil {
-				return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, unable to retrieve non-admin namespaces. Error: %v", err)
-			}
-			return false, nonAdminNamespaces, nil
-		}
-	}
-
-	if len(endpoint.TeamAccessPolicies) > 0 {
-		teamMemberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
 		if err != nil {
-			return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, unable to retrieve user team memberships to fetch allowed namespace access. Error: %v", err)
+			return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, unable to retrieve non-admin namespaces. Error: %v", err)
-		}
-
-		for _, teamMembership := range teamMemberships {
-			_, ok := endpoint.TeamAccessPolicies[teamMembership.TeamID]
-			if ok {
-				nonAdminNamespaces, err := cli.GetNonAdminNamespaces(int(user.ID), endpoint, clientFactory)
-				if err != nil {
-					return false, nil, fmt.Errorf("an error occurred during the IsAdmin operation, unable to retrieve non-admin namespaces. Error: %v", err)
-				}
-				return false, nonAdminNamespaces, nil
-			}
 		}
+		return false, nonAdminNamespaces, nil
 	}
 
 	return true, nil, nil

api/kubernetes/cli/access.go

@@ -130,11 +130,13 @@ func GetNonAdminNamespaces(userID int, endpoint *portainer.Endpoint, clientFacto
 	}
 
 	nonAdminNamespaces := []string{}
+	if !endpoint.Kubernetes.Configuration.RestrictDefaultNamespace {
+		nonAdminNamespaces = append(nonAdminNamespaces, defaultNamespace)
+	}
+
 	for namespace, accessPolicy := range accessPolicies {
 		if hasUserAccessToNamespace(userID, nil, accessPolicy) {
-			if !(endpoint.Kubernetes.Configuration.RestrictDefaultNamespace && namespace == "default") {
+			nonAdminNamespaces = append(nonAdminNamespaces, namespace)
-				nonAdminNamespaces = append(nonAdminNamespaces, namespace)
-			}
 		}
 	}