privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix: drop :80 port suffix from service proxy URL for RBAC compatibility

Browse Source 
When the proxy URL includes `:80`, Kubernetes checks the RBAC
resourceName as `polaris-dashboard:80` which doesn't match the
Role's resourceNames `["polaris-dashboard"]`. Dropping the port
suffix uses the service's default port and matches the RBAC correctly.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Chris Farhood
2026-02-07 19:10:55 -05:00
parent 1421a159dd
commit 39d85a3596
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+2 -2
View File
@@ -13,7 +13,7 @@ Adds a **Polaris** top-level sidebar section to Headlamp with the following view
- **Namespace detail** -- per-namespace score, check counts, and a resource table showing pass/warning/danger per workload - **Namespace detail** -- per-namespace score, check counts, and a resource table showing pass/warning/danger per workload
- **External link** -- quick jump to the native Polaris dashboard via the Kubernetes service proxy (from namespace detail view) - **External link** -- quick jump to the native Polaris dashboard via the Kubernetes service proxy (from namespace detail view)
Data is fetched from the Polaris dashboard API through the Kubernetes service proxy (`/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json`). The plugin is read-only -- it never writes to the cluster. Data is fetched from the Polaris dashboard API through the Kubernetes service proxy (`/api/v1/namespaces/polaris/services/polaris-dashboard/proxy/results.json`). The plugin is read-only -- it never writes to the cluster.
Results are refreshed on a user-configurable interval (1 / 5 / 10 / 30 minutes, default 5). The setting is available in **Settings > Plugins > Polaris** and persists in the browser's localStorage. Results are refreshed on a user-configurable interval (1 / 5 / 10 / 30 minutes, default 5). The setting is available in **Settings > Plugins > Polaris** and persists in the browser's localStorage.
@@ -204,7 +204,7 @@ vitest.config.mts -- Vitest configuration (jsdom environment
The plugin fetches live audit results from the Polaris dashboard HTTP API via the Kubernetes service proxy: The plugin fetches live audit results from the Polaris dashboard HTTP API via the Kubernetes service proxy:
``` ```
GET /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json GET /api/v1/namespaces/polaris/services/polaris-dashboard/proxy/results.json
``` ```
This endpoint is served by the `polaris-dashboard` ClusterIP service, which is created by the Polaris Helm chart when `dashboard.enabled: true`. The JSON response matches Polaris's `AuditData` schema (`pkg/validator/output.go`): This endpoint is served by the `polaris-dashboard` ClusterIP service, which is created by the Polaris Helm chart when `dashboard.enabled: true`. The JSON response matches Polaris's `AuditData` schema (`pkg/validator/output.go`):
claude.md
+2 -2
View File
@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
## Project Overview ## Project Overview
Headlamp plugin that surfaces Fairwinds Polaris audit results inside the Headlamp UI. Queries the Polaris dashboard API via the Kubernetes service proxy (`/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json`). Target Headlamp ≥ v0.26. Headlamp plugin that surfaces Fairwinds Polaris audit results inside the Headlamp UI. Queries the Polaris dashboard API via the Kubernetes service proxy (`/api/v1/namespaces/polaris/services/polaris-dashboard/proxy/results.json`). Target Headlamp ≥ v0.26.
## Build & Development Commands ## Build & Development Commands
@@ -50,7 +50,7 @@ Top-level sidebar section at `/polaris` with sub-routes for namespaces list (`/p
## Security / RBAC Requirements ## Security / RBAC Requirements
The plugin reaches Polaris through the Kubernetes API server's service proxy sub-resource (`/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/...`). The Headlamp service account (or the user's bearer token when Headlamp runs in token-auth mode) must be granted: The plugin reaches Polaris through the Kubernetes API server's service proxy sub-resource (`/api/v1/namespaces/polaris/services/polaris-dashboard/proxy/...`). The Headlamp service account (or the user's bearer token when Headlamp runs in token-auth mode) must be granted:
| Verb | API Group | Resource | Resource Name | Namespace | | Verb | API Group | Resource | Resource Name | Namespace |
|------|-----------|----------|---------------|-----------| |------|-----------|----------|---------------|-----------|
src/api/polaris.ts
+2 -2
View File
@@ -146,7 +146,7 @@ export function setRefreshInterval(seconds: number): void {
// --- Polaris dashboard proxy URL --- // --- Polaris dashboard proxy URL ---
export const POLARIS_DASHBOARD_PROXY = export const POLARIS_DASHBOARD_PROXY =
'/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/'; '/api/v1/namespaces/polaris/services/polaris-dashboard/proxy/';
// --- Score computation --- // --- Score computation ---
@@ -158,7 +158,7 @@ export function computeScore(counts: ResultCounts): number {
// --- Data fetching hook --- // --- Data fetching hook ---
const POLARIS_API_PATH = const POLARIS_API_PATH =
'/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json'; '/api/v1/namespaces/polaris/services/polaris-dashboard/proxy/results.json';
interface PolarisDataState { interface PolarisDataState {
data: AuditData | null; data: AuditData | null;