diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 675c309..069c5ee 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -71,4 +71,4 @@ subjects: roleRef: kind: Role name: e2e-ci-runner - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md index e74f98c..99a2570 100644 --- a/docs/DEPLOYMENT.md +++ b/docs/DEPLOYMENT.md @@ -33,7 +33,7 @@ kubectl -n polaris get svc polaris-dashboard kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion # Verify Headlamp is deployed -kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp +kubectl -n get pods -l app.kubernetes.io/name=headlamp ``` ## Installation Methods @@ -59,7 +59,7 @@ kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp ```bash helm upgrade --install headlamp headlamp/headlamp \ - --namespace headlamp \ + --namespace \ --values headlamp-values.yaml ``` diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 5884651..e9499cc 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug ```bash # View Headlamp pod logs (plugin sidecar) -kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin +kubectl logs -n deployment/headlamp -c headlamp-plugin # Expected output: # Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz @@ -43,7 +43,7 @@ kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin **Verify plugin files exist**: ```bash -kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/ +kubectl exec -n deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/ # Should show: headlamp-polaris-plugin/ ``` @@ -118,7 +118,7 @@ Expected subjects: subjects: - kind: ServiceAccount name: headlamp - namespace: headlamp + namespace: ``` For OIDC mode: @@ -154,7 +154,7 @@ metadata: subjects: - kind: ServiceAccount name: headlamp - namespace: headlamp + namespace: roleRef: kind: Role name: polaris-proxy-reader @@ -169,7 +169,7 @@ Service account mode: ```bash # Impersonate Headlamp service account kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ --resource-name=polaris-dashboard \ -n polaris # Expected: yes @@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \ After applying RBAC changes: ```bash -kubectl rollout restart deployment headlamp -n headlamp +kubectl rollout restart deployment headlamp -n ``` --- @@ -490,7 +490,7 @@ Run this script to test all RBAC components: #!/bin/bash NS="polaris" SA="headlamp" -SA_NS="headlamp" +SA_NS="" echo "=== Testing RBAC for Polaris Plugin ===" @@ -530,7 +530,7 @@ Test connectivity from Headlamp to Polaris: ```bash # Create debug pod in headlamp namespace -kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash +kubectl run netdebug -n --rm -it --image=nicolaka/netshoot -- bash # Inside pod, test DNS and HTTP nslookup polaris-dashboard.polaris.svc.cluster.local @@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests: ```bash # View recent audit logs (location varies by cluster) -kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard +kubectl logs -n kube-apiserver-* | grep polaris-dashboard # Look for lines with: # "reason": "Forbidden" -# "user": "system:serviceaccount:headlamp:headlamp" +# "user": "system:serviceaccount::headlamp" ``` --- @@ -567,7 +567,7 @@ kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard **Check sidecar logs**: ```bash -kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin +kubectl logs -n deployment/headlamp -c headlamp-plugin ``` **Common errors**: @@ -591,7 +591,7 @@ Error: 404 Not Found **Solution**: Verify `archive-url` in plugin config matches GitHub release: ```bash -kubectl get configmap headlamp-plugin-config -n headlamp -o yaml +kubectl get configmap headlamp-plugin-config -n -o yaml ``` Expected format: @@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue: 1. **Version Information**: ```bash - kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image: + kubectl get pods -n -l app.kubernetes.io/name=headlamp -o yaml | grep image: ``` 2. **Plugin Version**: - Check Settings → Plugins in Headlamp UI - - Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json` + - Or: `kubectl exec -n deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json` 3. **Browser Console Output**: @@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue: 5. **Pod Logs**: ```bash - kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100 + kubectl logs -n deployment/headlamp -c headlamp --tail=100 kubectl logs -n polaris deployment/polaris-dashboard --tail=100 ``` diff --git a/docs/getting-started/prerequisites.md b/docs/getting-started/prerequisites.md index 716edf9..9299156 100644 --- a/docs/getting-started/prerequisites.md +++ b/docs/getting-started/prerequisites.md @@ -112,7 +112,7 @@ The plugin requires permissions to access the Polaris dashboard via Kubernetes s ```bash # Test if Headlamp service account has permission kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard diff --git a/docs/getting-started/quick-start.md b/docs/getting-started/quick-start.md index fbe32fe..5835c07 100644 --- a/docs/getting-started/quick-start.md +++ b/docs/getting-started/quick-start.md @@ -119,7 +119,7 @@ kubectl -n exec -it deployment/headlamp -c headlamp -- \ # Verify RBAC is correct kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard diff --git a/docs/troubleshooting/README.md b/docs/troubleshooting/README.md index 56a2d18..538015c 100644 --- a/docs/troubleshooting/README.md +++ b/docs/troubleshooting/README.md @@ -38,7 +38,7 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy # 3. Verify RBAC permissions kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard @@ -76,7 +76,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy # Test permission (service account mode) kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard diff --git a/docs/troubleshooting/common-issues.md b/docs/troubleshooting/common-issues.md index 88de60e..6dd8336 100644 --- a/docs/troubleshooting/common-issues.md +++ b/docs/troubleshooting/common-issues.md @@ -169,7 +169,7 @@ Service account mode: ```bash # Impersonate Headlamp service account kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ --resource-name=polaris-dashboard \ -n polaris # Expected: yes @@ -490,7 +490,7 @@ Run this script to test all RBAC components: #!/bin/bash NS="polaris" SA="headlamp" -SA_NS="headlamp" +SA_NS="" echo "=== Testing RBAC for Polaris Plugin ===" @@ -549,7 +549,7 @@ kubectl logs -n kube-apiserver-* | grep polaris-dashboard # Look for lines with: # "reason": "Forbidden" -# "user": "system:serviceaccount:headlamp:headlamp" +# "user": "system:serviceaccount::headlamp" ``` --- diff --git a/docs/troubleshooting/rbac-issues.md b/docs/troubleshooting/rbac-issues.md index cbf69c8..808c943 100644 --- a/docs/troubleshooting/rbac-issues.md +++ b/docs/troubleshooting/rbac-issues.md @@ -83,7 +83,7 @@ roleRef: ```bash # Test service account (in-cluster mode) kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard diff --git a/docs/user-guide/configuration.md b/docs/user-guide/configuration.md index 45174fa..829bcaf 100644 --- a/docs/user-guide/configuration.md +++ b/docs/user-guide/configuration.md @@ -317,7 +317,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy # Test permission kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard ``` diff --git a/docs/user-guide/rbac-permissions.md b/docs/user-guide/rbac-permissions.md index 41fb1f5..d3c2650 100644 --- a/docs/user-guide/rbac-permissions.md +++ b/docs/user-guide/rbac-permissions.md @@ -91,7 +91,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy # Test permission kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard @@ -109,7 +109,7 @@ In token-auth mode, **each user's own identity** is used for Kubernetes API requ With service account mode: - Single RoleBinding grants access to all Headlamp users -- Kubernetes sees all requests as `system:serviceaccount:headlamp:headlamp` +- Kubernetes sees all requests as `system:serviceaccount::headlamp` With token-auth mode: @@ -411,7 +411,7 @@ Every plugin data fetch creates a Kubernetes API audit log entry. "level": "Metadata", "verb": "get", "user": { - "username": "system:serviceaccount:headlamp:headlamp" + "username": "system:serviceaccount::headlamp" }, "sourceIPs": ["10.96.0.1"], "objectRef": { @@ -494,7 +494,7 @@ If using a log aggregator (e.g., Elasticsearch), create filters to exclude or do ```bash # Service account mode kubectl auth can-i get services/proxy \ - --as=system:serviceaccount:headlamp:headlamp \ + --as=system:serviceaccount::headlamp \ -n polaris \ --resource-name=polaris-dashboard