docs: standardize documentation structure (Phase 1)
Implement Phase 1 of documentation standardization plan: **New Documentation Structure:** - docs/README.md - Documentation hub with quick links - docs/getting-started/ - Installation, prerequisites, quick-start - docs/deployment/ - Kubernetes, Helm, production guides - docs/architecture/ - Overview, data-flow, design-decisions, ADR template - docs/troubleshooting/ - Quick diagnosis, common issues, RBAC, network - docs/development/ - Testing guide (moved from docs/TESTING.md) **Granular Breakdown:** - Split DEPLOYMENT.md → installation.md, kubernetes.md, helm.md, production.md - Split ARCHITECTURE.md → overview.md, data-flow.md, design-decisions.md - Split TROUBLESHOOTING.md → README.md, common-issues.md, rbac-issues.md, network-problems.md **New Content:** - Quick Start guide (5-minute setup) - Prerequisites checklist - Production deployment best practices - ADR template and index - Quick diagnosis table **Updated:** - README.md now links to new documentation structure - All documentation cross-referenced with relative links Implements standardization plan from docs/DOCUMENTATION_STANDARDIZATION_PLAN.md Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
This commit is contained in:
@@ -0,0 +1,104 @@
|
||||
# RBAC Issues
|
||||
|
||||
Troubleshooting RBAC permissions and 403 errors for the Headlamp Polaris Plugin.
|
||||
|
||||
## Overview
|
||||
|
||||
The plugin requires `get` permission on `services/proxy` resource for the `polaris-dashboard` service in the `polaris` namespace. Without this permission, you'll see 403 Forbidden errors.
|
||||
|
||||
## Common Scenarios
|
||||
|
||||
### 403 Forbidden Error
|
||||
|
||||
**Symptom:** Error loading Polaris data, "Access denied (403)" in UI
|
||||
|
||||
**Cause:** Missing or incorrect RBAC binding
|
||||
|
||||
**Solution:**
|
||||
|
||||
```bash
|
||||
# 1. Verify RBAC resources exist
|
||||
kubectl -n polaris get role polaris-proxy-reader
|
||||
kubectl -n polaris get rolebinding headlamp-polaris-proxy
|
||||
|
||||
# If missing, apply RBAC:
|
||||
kubectl apply -f - <<EOF
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: polaris-proxy-reader
|
||||
namespace: polaris
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services/proxy"]
|
||||
resourceNames: ["polaris-dashboard"]
|
||||
verbs: ["get"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: headlamp-polaris-proxy
|
||||
namespace: polaris
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: headlamp
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: polaris-proxy-reader
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
EOF
|
||||
```
|
||||
|
||||
### Token-Auth Mode
|
||||
|
||||
**Symptom:** 403 error when using Headlamp with user-supplied tokens
|
||||
|
||||
**Cause:** User's own identity lacks the RoleBinding
|
||||
|
||||
**Solution:**
|
||||
|
||||
Bind the Role to authenticated users or specific users/groups:
|
||||
|
||||
```yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: users-polaris-proxy
|
||||
namespace: polaris
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: system:authenticated # All authenticated users
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: polaris-proxy-reader
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
```
|
||||
|
||||
### Testing Permissions
|
||||
|
||||
```bash
|
||||
# Test service account (in-cluster mode)
|
||||
kubectl auth can-i get services/proxy \
|
||||
--as=system:serviceaccount:kube-system:headlamp \
|
||||
-n polaris \
|
||||
--resource-name=polaris-dashboard
|
||||
|
||||
# Test user (token-auth mode)
|
||||
kubectl auth can-i get services/proxy \
|
||||
--as=user@example.com \
|
||||
-n polaris \
|
||||
--resource-name=polaris-dashboard
|
||||
|
||||
# Expected output: yes
|
||||
```
|
||||
|
||||
For detailed RBAC configuration, see [RBAC Permissions](../user-guide/rbac-permissions.md).
|
||||
|
||||
## References
|
||||
|
||||
- [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
|
||||
- [Service Proxy RBAC](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-services/)
|
||||
Reference in New Issue
Block a user