Round 19 fix: surface transient configmap read failures

_read_perm_configmap_resources now uses run_command_with_code and
raises on non-NotFound failures (network blip, RBAC denied, kubectl
throttled, etc.) instead of silently treating them as 'configmap is
empty'.

The revoke path previously saw an empty current_resources on a
transient failure, computed remaining_resources = [], and then
_write_perm_configmap_resources deleted the configmap and skipped
the create branch — silently wiping every grant. Update has the
same pattern but always writes the new permission file's resources,
so a transient read failure there only dropped old entries.

Author: anniegracehu

provider-kubeconfig.py

@@ -95,7 +95,11 @@ def _parse_permission_rules(self, perms):
         def _read_perm_configmap_resources(self, sa, namespace, kubeconfig):
                 cfg_map_name = sa + "-perms"
                 cfg_map_filename = sa + "-perms.txt"
-                out, _ = run_command("kubectl get configmap " + cfg_map_name + " -o json -n " + namespace + kubeconfig)
+                out, err, rc = run_command_with_code(
+                    "kubectl get configmap " + cfg_map_name + " -o json -n " + namespace + kubeconfig
+                )
+                if rc != 0 and "(NotFound)" not in err:
+                    raise RuntimeError(f"Failed to read configmap {cfg_map_name!r}: {err.strip()}")
                 kubeplus_perms = []
                 if out:
                     json_op = json.loads(out)