I set up a 4 node cluster (1 master 3 workers) running Kubernetes on Ubuntu. I turned on --authorization-mode=ABAC and set up a policy file with an entry like the following
{"user":"bob", "readonly": true, "namespace": "projectgino"}
I want user bob to only be able to look at resources in projectgino. I'm having problems using kubectl command line as user Bob. When I run the following command
kubectl get pods --token=xxx --namespace=projectgino --server=https://xxx.xxx.xxx.xx:6443
I get the following error
error: couldn't read version from server: the server does not allow access to the requested resource
I traced the kubectl command line code and the problem seems to be caused by kubectl calling function NegotiateVersion in pkg/client/helper.go. This makes a call to /api on the server to get the version of Kubernetes. This call fails because the rest path doesn't contain namespace projectgino. I added trace code to pkg/auth/authorizer/abac/abac.go and it fails on the namespace check.
I haven't moved up to the latest 1.1.1 version of Kubernetes yet, but looking at the code I didn't see anything that has changed in this area.
Does anybody know how to configure Kubernetes to get around the problem?
This is missing functionality in the ABAC authorizer. The fix is in progress: #16148.
As for a workaround, from the authorization doc:
For miscellaneous endpoints, like /version, the resource is the empty string.
So you may be able to solve by defining a policy:
{"user":"bob", "readonly": true, "resource": ""}
(note the empty string for resource) to grant access to unversioned endpoints. If that doesn't work I don't think there's a clean workaround that will let you use kubectl with --authorization-mode=ABAC.
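To make the failure and the workaround concrete, here is an added Python model of the ABAC policy matching described in the question and answer (example code, not Kubernetes' own authorizer). It assumes the v1 ABAC rule that a blank or absent policy field matches any request value and that "readonly": true only matches read requests; the request attribute sets are constructed to mirror kubectl's GET /api version check and the intended pod listing.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Attributes the ABAC authorizer sees for one API call (constructed model)."""
    user: str
    readonly: bool   # True for GET/LIST/WATCH
    namespace: str   # "" for non-namespaced or non-resource paths such as /api
    resource: str    # "" for miscellaneous endpoints such as /api or /version


def policy_matches(policy: dict, req: Request) -> bool:
    """Assumed v1 ABAC rule: a blank policy field matches anything,
    and readonly: true restricts the policy line to read-only requests."""
    if policy.get("user", "") and policy["user"] != req.user:
        return False
    if policy.get("readonly", False) and not req.readonly:
        return False
    if policy.get("namespace", "") and policy["namespace"] != req.namespace:
        return False
    if policy.get("resource", "") and policy["resource"] != req.resource:
        return False
    return True


def authorize(policy_file: str, req: Request) -> bool:
    """Allow if any line of the policy file (one JSON object per line) matches."""
    policies = [json.loads(line) for line in policy_file.splitlines() if line.strip()]
    return any(policy_matches(p, req) for p in policies)


# Constructed policy file contents, taken from the question and the answer.
ORIGINAL_POLICY = '{"user":"bob", "readonly": true, "namespace": "projectgino"}'
WORKAROUND_POLICY = '{"user":"bob", "readonly": true, "resource": ""}'

# Constructed requests: kubectl's version negotiation (GET /api) carries no
# namespace, so the namespace-scoped line cannot match it.
VERSION_CHECK = Request("bob", True, "", "")
LIST_PODS = Request("bob", True, "projectgino", "pods")
LIST_OTHER_NS_SECRETS = Request("bob", True, "kube-system", "secrets")
CREATE_POD = Request("bob", False, "projectgino", "pods")

if __name__ == "__main__":
    for name, req in [("version check", VERSION_CHECK), ("list pods", LIST_PODS),
                      ("read other ns", LIST_OTHER_NS_SECRETS), ("create pod", CREATE_POD)]:
        print(f"{name:14} original={authorize(ORIGINAL_POLICY, req)} "
              f"workaround={authorize(WORKAROUND_POLICY, req)}")
```

Under the assumed blank-matches-all rule, the workaround line also matches read requests for every resource in every namespace, so it is broader than the namespace-scoped intent of the original policy; the model lets you check that before deploying the policy file.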