privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

docs: fix remaining hardcoded headlamp namespace to <your-namespace> placeholder

Browse Source 
Prior commit was inconsistent — some files used <your-namespace> while
DEPLOYMENT.md, TROUBLESHOOTING.md and several troubleshooting/user-guide
docs still hardcoded headlamp as the namespace.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-05-10 21:33:37 +00:00
committed by Countess von Containerheim [agent]
parent 207711567c
commit 0776319435
10 changed files with 31 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deployment/e2e-ci-runner-rbac.yaml
+1 -1
View File
@@ -71,4 +71,4 @@ subjects:
roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
apiGroup: rbac.authorization.k8s.io
docs/DEPLOYMENT.md
+2 -2
View File
@@ -33,7 +33,7 @@ kubectl -n polaris get svc polaris-dashboard
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
# Verify Headlamp is deployed
kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
kubectl -n <your-namespace> get pods -l app.kubernetes.io/name=headlamp
```
## Installation Methods
@@ -59,7 +59,7 @@ kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
```bash
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace <your-namespace> \
--values headlamp-values.yaml
```
docs/TROUBLESHOOTING.md
+15 -15
View File
@@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug
```bash
# View Headlamp pod logs (plugin sidecar)
kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
kubectl logs -n <your-namespace> deployment/headlamp -c headlamp-plugin
# Expected output:
# Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz
@@ -43,7 +43,7 @@ kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
**Verify plugin files exist**:
```bash
kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
kubectl exec -n <your-namespace> deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
# Should show: headlamp-polaris-plugin/
```
@@ -118,7 +118,7 @@ Expected subjects:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: <your-namespace>
```
For OIDC mode:
@@ -154,7 +154,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: <your-namespace>
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -169,7 +169,7 @@ Service account mode:
```bash
# Impersonate Headlamp service account
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
--resource-name=polaris-dashboard \
-n polaris
# Expected: yes
@@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \
After applying RBAC changes:
```bash
kubectl rollout restart deployment headlamp -n headlamp
kubectl rollout restart deployment headlamp -n <your-namespace>
```
---
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
#!/bin/bash
NS="polaris"
SA="headlamp"
SA_NS="headlamp"
SA_NS="<your-namespace>"
echo "=== Testing RBAC for Polaris Plugin ==="
@@ -530,7 +530,7 @@ Test connectivity from Headlamp to Polaris:
```bash
# Create debug pod in headlamp namespace
kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash
kubectl run netdebug -n <your-namespace> --rm -it --image=nicolaka/netshoot -- bash
# Inside pod, test DNS and HTTP
nslookup polaris-dashboard.polaris.svc.cluster.local
@@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests:
```bash
# View recent audit logs (location varies by cluster)
kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
kubectl logs -n <your-namespace> kube-apiserver-* | grep polaris-dashboard
# Look for lines with:
# "reason": "Forbidden"
# "user": "system:serviceaccount:headlamp:headlamp"
# "user": "system:serviceaccount:<your-namespace>:headlamp"
```
---
@@ -567,7 +567,7 @@ kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
**Check sidecar logs**:
```bash
kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
kubectl logs -n <your-namespace> deployment/headlamp -c headlamp-plugin
```
**Common errors**:
@@ -591,7 +591,7 @@ Error: 404 Not Found
**Solution**: Verify `archive-url` in plugin config matches GitHub release:
```bash
kubectl get configmap headlamp-plugin-config -n headlamp -o yaml
kubectl get configmap headlamp-plugin-config -n <your-namespace> -o yaml
```
Expected format:
@@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue:
1. **Version Information**:
```bash
kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image:
kubectl get pods -n <your-namespace> -l app.kubernetes.io/name=headlamp -o yaml | grep image:
```
2. **Plugin Version**:
- Check Settings → Plugins in Headlamp UI
- Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
- Or: `kubectl exec -n <your-namespace> deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
3. **Browser Console Output**:
@@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue:
5. **Pod Logs**:
```bash
kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100
kubectl logs -n <your-namespace> deployment/headlamp -c headlamp --tail=100
kubectl logs -n polaris deployment/polaris-dashboard --tail=100
```
docs/getting-started/prerequisites.md
+1 -1
View File
@@ -112,7 +112,7 @@ The plugin requires permissions to access the Polaris dashboard via Kubernetes s
```bash
# Test if Headlamp service account has permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
docs/getting-started/quick-start.md
+1 -1
View File
@@ -119,7 +119,7 @@ kubectl -n <your-namespace> exec -it deployment/headlamp -c headlamp -- \
# Verify RBAC is correct
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
docs/troubleshooting/README.md
+2 -2
View File
@@ -38,7 +38,7 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
# 3. Verify RBAC permissions
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
@@ -76,7 +76,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission (service account mode)
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
docs/troubleshooting/common-issues.md
+3 -3
View File
@@ -169,7 +169,7 @@ Service account mode:
```bash
# Impersonate Headlamp service account
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
--resource-name=polaris-dashboard \
-n polaris
# Expected: yes
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
#!/bin/bash
NS="polaris"
SA="headlamp"
SA_NS="headlamp"
SA_NS="<your-namespace>"
echo "=== Testing RBAC for Polaris Plugin ==="
@@ -549,7 +549,7 @@ kubectl logs -n <your-namespace> kube-apiserver-* | grep polaris-dashboard
# Look for lines with:
# "reason": "Forbidden"
# "user": "system:serviceaccount:headlamp:headlamp"
# "user": "system:serviceaccount:<your-namespace>:headlamp"
```
---
docs/troubleshooting/rbac-issues.md
+1 -1
View File
@@ -83,7 +83,7 @@ roleRef:
```bash
# Test service account (in-cluster mode)
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
docs/user-guide/configuration.md
+1 -1
View File
@@ -317,7 +317,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
```
docs/user-guide/rbac-permissions.md
+4 -4
View File
@@ -91,7 +91,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
@@ -109,7 +109,7 @@ In token-auth mode, **each user's own identity** is used for Kubernetes API requ
With service account mode:
- Single RoleBinding grants access to all Headlamp users
- Kubernetes sees all requests as `system:serviceaccount:headlamp:headlamp`
- Kubernetes sees all requests as `system:serviceaccount:<your-namespace>:headlamp`
With token-auth mode:
@@ -411,7 +411,7 @@ Every plugin data fetch creates a Kubernetes API audit log entry.
"level": "Metadata",
"verb": "get",
"user": {
"username": "system:serviceaccount:headlamp:headlamp"
"username": "system:serviceaccount:<your-namespace>:headlamp"
},
"sourceIPs": ["10.96.0.1"],
"objectRef": {
@@ -494,7 +494,7 @@ If using a log aggregator (e.g., Elasticsearch), create filters to exclude or do
```bash
# Service account mode
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard