Compare commits

..

21 Commits

Author SHA1 Message Date
Chris Farhood 63f2b1ae56 Reference shared infra RBAC in deployment scripts 2026-05-06 12:41:29 +00:00
Chris Farhood 74110f1704 fix: correct RBAC manifest per QA review (PRI-555)
- Remove rbac.authorization.k8s.io privilege escalation block
- Fix orphaned comment from round 1
- Add EOF newline
- Keep serviceaccounts/token for E2E auth (confirmed needed)
- Namespace already correct (privilegedescalation-dev)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-06 12:37:36 +00:00
Chris Farhood 2666042318 docs: update Headlamp install namespace references from kube-system to headlamp
Updates all documentation references to the Headlamp install namespace
from kube-system to headlamp as part of PRI-433.

In-scope files updated:
- README.md, SECURITY.md
- docs/getting-started/installation.md, quick-start.md, prerequisites.md
- docs/deployment/helm.md, kubernetes.md, production.md
- docs/troubleshooting/README.md, common-issues.md, rbac-issues.md
- docs/user-guide/configuration.md, rbac-permissions.md
- docs/TESTING.md, TROUBLESHOOTING.md, DEPLOYMENT.md

Out-of-scope (unchanged):
- Source files referencing upstream workload namespace
- RBAC manifests describing Polaris namespace (polaris ns is unchanged)
- NetworkPolicy namespaceSelector (API server runs in kube-system)
- design-decisions.md and ARCHITECTURE.md (URL hashes refer to cluster namespaces, not Headlamp install ns)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-06 12:37:36 +00:00
privilegedescalation-engineer[bot] 7a0c068a93 fix: override elliptic for GHSA-848j-6mx2-7j84
* fix: add elliptic override for GHSA-848j-6mx2-7j84

Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* chore: regenerate pnpm-lock.yaml with elliptic override

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-06 02:14:10 +00:00
privilegedescalation-engineer[bot] 2d629809a2 fix: add markdownlint config for headlamp-polaris-plugin (#141)
Co-authored-by: Chris Farhood <chris@farhood.org>
2026-05-06 00:43:48 +00:00
privilegedescalation-engineer[bot] 3fe787a550 Fix E2E kubeconfig: locate kubeconfig before RBAC step (#144)
All pipeline gates satisfied: CI ✓, E2E ✓, UAT (Patty/PRI-792) ✓, QA (Regina/PRI-786) ✓, CTO (Nancy) ✓. Resolves PRI-785 and PRI-324.
2026-05-05 21:25:54 +00:00
privilegedescalation-engineer[bot] aa1db9215a fix: patch high-severity vulnerabilities in picomatch and vite (#128)
* chore: replace Dependabot references with Renovate

- SECURITY.md: update to mention Renovate (org-wide Mend Renovate)
- PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config)

Closes PRI-389. Parent PRI-387.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities

Resolves 3 high-severity vulnerabilities from pnpm audit:
- GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
- GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
- GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling

Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).

Remaining vulnerabilities (moderate/low) are in transitive dependencies
managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
which require upstream updates to those packages.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-04 11:01:53 +00:00
privilegedescalation-engineer[bot] 202ce66c61 fix(e2e): migrate E2E namespace from privilegedescalation-dev to headlamp-dev (#130)
The E2E workflow and deploy scripts were targeting the legacy
privilegedescalation-dev namespace, which is not managed by Flux GitOps
in privilegedescalation/infra.

The infra repo (PR #11) already provisions the headlamp-dev namespace
and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants
the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in
arc-runners) the permissions needed to deploy/teardown the E2E
Headlamp instance.

This change aligns all E2E infrastructure to use headlamp-dev:
- .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev
- scripts/deploy-e2e-headlamp.sh: default namespace and comments
- scripts/teardown-e2e-headlamp.sh: default namespace
- deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events
  permission (already present in infra copy)

Refs: PRI-423

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-04 10:50:27 +00:00
privilegedescalation-engineer[bot] 58c9597388 fix: override lodash >=4.18.0 to patch code injection vulnerability (#120)
* fix: override lodash >=4.18.0 to patch code injection vulnerability

GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix: update pnpm-lock.yaml to satisfy lodash override

The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile
had an older version. Regenerated lockfile with pnpm install.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(e2e): scope heading locators to main content area

Fix E2E test failures by scoping heading locators to the main
content area instead of searching the entire page. This prevents
matching headings in the sidebar or other non-content areas.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(e2e): scope remaining getByText to main element

The 'Cluster Score' text matcher was still searching the entire page
instead of being scoped to the main content area. This could cause
false positives if the same text appears in the sidebar.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* ci: trigger fresh E2E run

Re-pushing to trigger a new CI run since the last E2E was cancelled.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(e2e): use [role=main] instead of main element

Switch from 'main' element selector to '[role="main"]' attribute
selector for better compatibility with Headlamp's app structure.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(e2e): hybrid approach - unscoped headings, main-scoped text

Use broader heading selectors matching intel-gpu pattern, but
keep text checks scoped to main element to avoid sidebar conflicts.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* ci: re-test original code to verify baseline

---------

Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-03 17:43:58 +00:00
privilegedescalation-engineer[bot] dff1265435 fix: pass pr_number to dual-approval-check workflow (#119)
Companion PR to privilegedescalation/.github#81

Co-authored-by: Hugh Hackman <hugh@paperclip.ing>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-04-15 03:33:19 +00:00
privilegedescalation-ceo[bot] 7c58826668 Merge pull request #117 from privilegedescalation/ci/e2e-deploy-diagnostics
ci(e2e): add deployment diagnostics step on failure
2026-03-24 22:26:32 +00:00
privilegedescalation-engineer[bot] 4edc829b3f ci(e2e): add deployment diagnostics step on failure
When the E2E deploy step fails (rollout timeout, pod not ready, etc.),
previously required manual cluster investigation to diagnose the root
cause. This heartbeat had to grep CI logs and query kubectl separately
to determine a :latest image drift issue.

The new step captures pod state, pod describe output, and recent namespace
events immediately when a failure occurs — surfacing the root cause
directly in the CI run log.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-24 21:57:58 +00:00
privilegedescalation-ceo[bot] 8f10be39bd Merge pull request #116 from privilegedescalation/fix/pin-headlamp-version-e2e
fix(e2e): pin Headlamp image to v0.40.1 instead of :latest
2026-03-24 21:42:51 +00:00
privilegedescalation-engineer[bot] 27212a91e1 fix(e2e): pin Headlamp image to v0.40.1 instead of :latest
The :latest tag caused E2E flakiness when a newer Headlamp image was
pulled on some cluster nodes (IfNotPresent policy) but not others.
Concurrent E2E runs on main saw different image versions, and the newest
:latest (sha256:89c6c65) failed to pass the readiness probe within 120s.

Pin to v0.40.1 — the same version running in production (kube-system) —
so all nodes use the same cached digest and CI is deterministic. Update
this pin when Headlamp is upgraded in production.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-24 21:28:38 +00:00
privilegedescalation-ceo[bot] 7b72306133 Merge pull request #109 from privilegedescalation/feat/renovate-extend-org-config
feat: extend Renovate config from org-level preset
2026-03-24 18:45:58 +00:00
privilegedescalation-ceo[bot] e16e6255d0 Merge pull request #110 from privilegedescalation/ci/e2e-concurrency-guard
ci: add concurrency guard to E2E workflow
2026-03-24 18:45:55 +00:00
privilegedescalation-ceo[bot] 4beb0c4d0e Merge pull request #113 from privilegedescalation/fix/e2e-clean-deploy
fix(e2e): clean-delete existing deployment before redeploy for guaranteed fresh pod
2026-03-24 18:45:52 +00:00
Gandalf the Greybeard 175d3ec6a2 fix(e2e): clean-delete existing deployment before redeploy for guaranteed fresh pod
kubectl apply without prior deletion patches in place: if the pod spec is
unchanged between runs, no rollout is triggered and a potentially degraded
pod from a prior run keeps serving. This caused the auth.setup.ts timeout
(waiting for the "use a token" button) even when no concurrent runs were
present — the headlamp-e2e pod was in an inconsistent state from a previous
run that didn't tear down cleanly.

Changes:
- deploy-e2e-headlamp.sh: delete Deployment, Service, and ServiceAccount
  (with --wait) before applying, guaranteeing a fresh pod each run
- auth.setup.ts: add explicit waitFor({ state: 'visible', timeout: 15_000 })
  before the "use a token" button click, so failures surface at 15 s with a
  clear locator error rather than silently timing out at 60 s

Fixes the pre-existing infra issue blocking PR#110.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-24 16:40:30 +00:00
privilegedescalation-engineer[bot] e63cd03267 fix(e2e): use cancel-in-progress: false to prevent dangling cluster resources
cancel-in-progress: true would cancel in-flight E2E runs when a new one
arrives. GitHub Actions does not guarantee that if: always() steps run on
cancelled jobs, so teardown-e2e-headlamp.sh may be skipped — leaving the
headlamp-e2e Deployment/Service/ConfigMap dangling in privilegedescalation-dev.

Switching to false (queue) ensures the running job always completes its
teardown before the next run starts.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-24 16:34:36 +00:00
privilegedescalation-engineer[bot] 4d878c8737 ci: add concurrency guard to E2E workflow
Prevents parallel E2E runs from conflicting over the shared
headlamp-e2e Helm release in privilegedescalation-dev. With
cancel-in-progress: true, a new push cancels any in-progress
run on the same repo — only one E2E suite runs at a time.

Observed failure: PR#109 and PR#108 ran concurrently and the
auth setup in PR#109 timed out, likely due to resource contention
on the shared headlamp-e2e instance.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-24 16:27:52 +00:00
Hugh Hackman 490807cef6 feat: extend Renovate config from org-level preset
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.

This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-24 16:16:15 +00:00
30 changed files with 995 additions and 324 deletions
+2
View File
@@ -16,3 +16,5 @@ jobs:
dual-approval: dual-approval:
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
secrets: inherit secrets: inherit
with:
pr_number: ${{ github.event.pull_request.number }}
+118 -7
View File
@@ -10,19 +10,22 @@ on:
permissions: permissions:
contents: read contents: read
# Serialize E2E runs repo-wide. All concurrent runs share the same # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
# E2E_RELEASE name (headlamp-e2e) in a single namespace. Without # headlamp-dev cannot be shared across concurrent runs.
# serialization, one run's teardown (if: always()) deletes the # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
# deployment while a concurrent run is still using it, causing auth # runs may skip the if:always() teardown, leaving dangling cluster resources.
# setup timeouts. cancel-in-progress: false queues rather than kills
# to avoid leaving dangling cluster resources.
concurrency: concurrency:
group: e2e-${{ github.repository }} group: e2e-${{ github.repository }}
cancel-in-progress: false cancel-in-progress: false
env: env:
E2E_NAMESPACE: privilegedescalation-dev E2E_NAMESPACE: headlamp-dev
E2E_RELEASE: headlamp-e2e E2E_RELEASE: headlamp-e2e
# Pin to a known-good Headlamp version. Using :latest is risky because
# the tag can change between CI runs, causing flaky failures when a newer
# image is pulled on some nodes but not others (IfNotPresent pull policy).
# Update this when Headlamp is upgraded in production (kube-system).
HEADLAMP_VERSION: v0.40.1
jobs: jobs:
e2e: e2e:
@@ -42,6 +45,104 @@ jobs:
- name: Setup kubectl - name: Setup kubectl
uses: azure/setup-kubectl@v4 uses: azure/setup-kubectl@v4
- name: Get kubeconfig
run: |
set -euo pipefail
echo "=== Runner environment diagnostic ==="
echo "HOME=${HOME:-}"
echo "KUBECONFIG=${KUBECONFIG:-}"
echo "ACTIONS_KUBECONFIG=${ACTIONS_KUBECONFIG:-}"
echo "RUNNER_CONFIG=${RUNNER_CONFIG:-}"
echo "RUNNER_CONFIG_DIR=${RUNNER_CONFIG_DIR:-}"
echo ""
echo "=== Checking known kubeconfig locations ==="
for path in /runner/config /home/runner/.kube/config "${HOME:-}/.kube/config" "${HOME:-}/.kube"; do
if [ -f "$path" ]; then
echo "FOUND kubeconfig at: $path"
elif [ -d "$path" ]; then
echo "DIR exists at: $path, contents:"
ls -la "$path" 2>&1 || echo " (cannot list)"
else
echo "NOT FOUND: $path"
fi
done
echo ""
echo "=== In-cluster service account check ==="
in_cluster=false
if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
echo "Service account token present — in-cluster mode available"
echo "KUBERNETES_SERVICE_HOST=${KUBERNETES_SERVICE_HOST:-}"
echo "KUBERNETES_SERVICE_PORT=${KUBERNETES_SERVICE_PORT:-}"
in_cluster=true
else
echo "No service account token at /var/run/secrets/kubernetes.io/serviceaccount/"
fi
echo ""
if [ -f /runner/config ]; then
echo "KUBECONFIG=/runner/config" >> "$GITHUB_ENV"
echo "Using kubeconfig from /runner/config"
elif [ -f /home/runner/.kube/config ]; then
echo "KUBECONFIG=/home/runner/.kube/config" >> "$GITHUB_ENV"
echo "Using kubeconfig from /home/runner/.kube/config"
elif [ -f "${HOME:-}/.kube/config" ]; then
echo "KUBECONFIG=${HOME:-}/.kube/config" >> "$GITHUB_ENV"
echo "Using kubeconfig from HOME"
elif [ "$in_cluster" = true ]; then
echo "No static kubeconfig found — generating in-cluster kubeconfig"
KUBECFG_DIR="${HOME:-}/.kube"
mkdir -p "$KUBECFG_DIR"
kubectl config set-cluster in-cluster \
--server="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}" \
--certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
--embed-certs=true \
--kubeconfig="$KUBECFG_DIR/config" 2>&1
kubectl config set-credentials in-cluster \
--token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
--kubeconfig="$KUBECFG_DIR/config" 2>&1
kubectl config set-context in-cluster \
--cluster=in-cluster \
--user=in-cluster \
--kubeconfig="$KUBECFG_DIR/config" 2>&1
kubectl config use-context in-cluster \
--kubeconfig="$KUBECFG_DIR/config" 2>&1
echo "KUBECONFIG=$KUBECFG_DIR/config" >> "$GITHUB_ENV"
echo "Generated in-cluster kubeconfig at $KUBECFG_DIR/config"
else
echo "::error::No kubeconfig found in /runner/config, /home/runner/.kube/config, HOME, or in-cluster service account"
exit 1
fi
- name: Apply RBAC for E2E pipeline
run: |
set -x
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
echo "exit code: $?"
echo "Waiting for RBAC propagation..."
sleep 5
echo "Verifying RBAC resources were created..."
kubectl get role e2e-ci-runner -n headlamp-dev 2>&1 | tail -3
kubectl get role e2e-ci-runner-polaris -n headlamp-dev 2>&1 | tail -3
kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev 2>&1 | tail -3
set +x
- name: Apply Polaris dashboard RBAC
run: kubectl apply -f deployment/polaris-rbac.yaml
- name: RBAC pre-flight check
run: |
echo "Checking RBAC resources..."
MISSING=0
kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" 2>/dev/null || MISSING=1
if [ "$MISSING" -eq 0 ]; then
echo "RBAC pre-flight check passed."
else
echo "::error::RBAC pre-flight check failed. Missing required permissions."
exit 1
fi
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm ci
@@ -69,6 +170,16 @@ jobs:
HEADLAMP_URL: ${{ env.HEADLAMP_URL }} HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }} HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
- name: Collect deployment diagnostics on failure
if: failure()
run: |
echo "=== Pod state ==="
kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
echo "=== Pod describe ==="
kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
echo "=== Recent namespace events ==="
kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true
- name: Teardown E2E instance - name: Teardown E2E instance
if: always() if: always()
run: scripts/teardown-e2e-headlamp.sh run: scripts/teardown-e2e-headlamp.sh
+53
View File
@@ -0,0 +1,53 @@
{
"config": {
// Line length — not enforced for docs with code examples
"MD013": false,
// First line heading — files use YAML frontmatter, not headings
"MD041": false,
// Emphasis as heading — common pattern for Option 1/2/3 sections
"MD036": false,
// No duplicate heading — changelog files repeat section names intentionally
"MD024": false,
// Fenced code language — not always applicable for diagram blocks
"MD040": false,
// Table column style — table alignment is visual, not semantic
"MD060": false,
// Ordered list item prefix — number resets are intentional in documents
"MD029": false,
// No inline HTML — each elements are valid in valid Markdown
"MD033": false,
// List marker space — spacing after list markers varies by editor
"MD030": false,
// Blanks around headings — not always needed in compact docs
"MD022": false,
// Blanks around lists — not always needed in compact docs
"MD032": false,
// Blanks around fences — not always needed between adjacent blocks
"MD031": false,
// Multiple blanks — editor artifacts, not semantic
"MD012": false,
// Single title — files may have multiple H1 sections
"MD025": false,
// Trailing spaces — editor artifacts
"MD009": false,
// Bare URLs — URL shortening not always needed
"MD034": false,
// Single trailing newline — editor artifacts
"MD047": false,
// Trailing punctuation — heading punctuation is intentional
"MD026": false,
// Space in emphasis — double-asterisk bold spacing varies by renderer
"MD037": false,
// No hard tabs — some generated docs use tabs for indentation
"MD010": false,
// Code block style — generated docs may use inconsistent styles
"MD046": false,
// Comment style — generated docs have no comments
"MD048": false,
// Commands show output — shell examples intentionally show only commands
"MD014": false
},
"ignores": [
"docs/api-reference/generated/**"
]
}
+1
View File
@@ -0,0 +1 @@
docs/api-reference/generated/**
+1 -1
View File
@@ -229,7 +229,7 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
**Action Items:** **Action Items:**
- [ ] Parallelize test execution - [ ] Parallelize test execution
- [ ] Add npm cache to GitHub Actions - [ ] Add npm cache to GitHub Actions
- [ ] Integrate Dependabot - [x] Renovate is configured org-wide via `github>privilegedescalation/.github:renovate-config`
- [ ] Add semantic-release - [ ] Add semantic-release
--- ---
+2 -2
View File
@@ -97,7 +97,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp # adjust to match your Headlamp service account name: headlamp # adjust to match your Headlamp service account
namespace: kube-system # adjust to match the namespace Headlamp runs in namespace: headlamp # adjust to match the namespace Headlamp runs in
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -197,7 +197,7 @@ npm test
npm run test:watch npm run test:watch
# E2E tests (Playwright) # E2E tests (Playwright)
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h) export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
npm run e2e npm run e2e
npm run e2e:headed # see browser npm run e2e:headed # see browser
``` ```
+2 -2
View File
@@ -71,7 +71,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -212,7 +212,7 @@ If you discover a security vulnerability in this plugin, please report it via:
The project uses: The project uses:
- **npm audit**: Runs automatically during `npm install` - **npm audit**: Runs automatically during `npm install`
- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates - **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
- **GitHub Actions**: CI workflow runs `npm audit` on every commit - **GitHub Actions**: CI workflow runs `npm audit` on every commit
### Updating Dependencies ### Updating Dependencies
+98
View File
@@ -0,0 +1,98 @@
# PRI-324 Spec: Make E2E Workflow Self-Sufficient with RBAC
## Context
PR #123 introduced an RBAC pre-flight check to the E2E workflow. QA (Nancy, acting as QA) verified the "fails fast without RBAC" path works, but found that the "with RBAC passes" path had no green CI evidence — the workflow did not apply RBAC before the pre-flight check.
PR #131 attempted to fix this by adding `kubectl apply` steps and extending the CI runner RBAC, but its merge commit (739db6fe) was reverted by the next commit on main (aa1db921) due to a vulnerability fix PR (#128).
The current E2E workflow on `main` lacks the RBAC apply steps and CI runner permissions needed to make the pre-flight check meaningful.
## Required Changes
### 1. `.github/workflows/e2e.yaml`
Add between the "Setup kubectl" and "Install dependencies" steps:
```yaml
- name: Apply RBAC for E2E pipeline
run: |
set -x
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
echo "exit code: $?"
echo "Waiting for RBAC propagation..."
sleep 5
echo "Verifying CI runner permissions..."
kubectl auth can-i create roles -n headlamp-dev --as="system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission" 2>&1 || { echo "::error::CI runner still lacks roles permission after propagation wait"; exit 1; }
set +x
- name: Apply Polaris dashboard RBAC
run: kubectl apply -f deployment/polaris-rbac.yaml
- name: RBAC pre-flight check
run: |
echo "Checking RBAC resources..."
MISSING=0
kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null || MISSING=1
if [ "$MISSING" -eq 0 ]; then
echo "RBAC pre-flight check passed."
else
echo "::error::RBAC pre-flight check failed. Missing required permissions."
exit 1
fi
```
### 2. `deployment/e2e-ci-runner-rbac.yaml`
Add a new Role + RoleBinding for the `polaris` namespace (from PR #131):
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io
```
And add to the existing `e2e-ci-runner` Role in the `headlamp-dev` namespace:
```yaml
# Apply Polaris dashboard RBAC in the polaris namespace
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
```
## Acceptance Criteria
- [ ] Workflow applies `deployment/e2e-ci-runner-rbac.yaml` before the pre-flight check
- [ ] Workflow applies `deployment/polaris-rbac.yaml` before the pre-flight check
- [ ] CI runner has RBAC to apply the manifests (added via new Role+RoleBinding in polaris namespace)
- [ ] E2E pipeline passes on the PR branch (proof of green path)
- [ ] `kubectl get … --quiet` flag removed (QA nit)
- [ ] `MISSING_ROLE`/`MISSING_ROLEBINDING` collapsed to single `MISSING` flag (QA nit)
## Definition of Done
PR #123 QA changes-requested are addressed: the workflow is self-sufficient (applies its own RBAC), the green path is demonstrated, and QA review is re-requested.
+35 -7
View File
@@ -2,26 +2,26 @@
# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance. # RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
# CI-only test fixture — NOT for production use. # CI-only test fixture — NOT for production use.
# #
# Grants the ARC runner service account permissions in the privilegedescalation-dev # Grants the ARC runner service account permissions in the headlamp-dev
# namespace to deploy and tear down a dedicated Headlamp instance via Helm. # namespace to deploy and tear down a dedicated Headlamp instance via Helm.
# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run. # E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
# #
# Plugin is loaded via ConfigMap volume mount — no custom Docker images. # Plugin is loaded via ConfigMap volume mount — no custom Docker images.
# #
# Prerequisites: # Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
# kubectl apply -f deployment/e2e-ci-runner-rbac.yaml # and managed by Flux GitOps. The infra repo is the source of truth.
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: e2e-ci-runner name: e2e-ci-runner
namespace: privilegedescalation-dev namespace: headlamp-dev
rules: rules:
# Helm needs to manage these resources for the Headlamp chart # Helm needs to manage these resources for the Headlamp chart
- apiGroups: ["apps"] - apiGroups: ["apps"]
resources: ["deployments"] resources: ["deployments"]
verbs: ["get", "list", "create", "update", "patch", "delete", "watch"] verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
- apiGroups: [""] - apiGroups: [""]
resources: ["services", "serviceaccounts", "configmaps", "secrets"] resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""] - apiGroups: [""]
resources: ["pods"] resources: ["pods"]
@@ -30,12 +30,40 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["serviceaccounts/token"] resources: ["serviceaccounts/token"]
verbs: ["create"] verbs: ["create"]
# Apply Polaris dashboard RBAC in the polaris namespace
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: e2e-ci-runner-binding name: e2e-ci-runner-binding
namespace: privilegedescalation-dev namespace: headlamp-dev
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission name: runners-privilegedescalation-gha-rs-no-permission
+2 -2
View File
@@ -33,7 +33,7 @@ kubectl -n polaris get svc polaris-dashboard
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
# Verify Headlamp is deployed # Verify Headlamp is deployed
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
``` ```
## Installation Methods ## Installation Methods
@@ -59,7 +59,7 @@ kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
```bash ```bash
helm upgrade --install headlamp headlamp/headlamp \ helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml --values headlamp-values.yaml
``` ```
+2 -3
View File
@@ -268,10 +268,9 @@ npm run e2e
```bash ```bash
# Create token # Create token
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h) export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
# Port-forward for local testing kubectl port-forward -n headlamp svc/headlamp 4466:80
kubectl port-forward -n kube-system svc/headlamp 4466:80
# Run tests # Run tests
HEADLAMP_URL=http://localhost:4466 npm run e2e HEADLAMP_URL=http://localhost:4466 npm run e2e
+16 -16
View File
@@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug
```bash ```bash
# View Headlamp pod logs (plugin sidecar) # View Headlamp pod logs (plugin sidecar)
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
# Expected output: # Expected output:
# Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz # Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz
@@ -43,7 +43,7 @@ kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
**Verify plugin files exist**: **Verify plugin files exist**:
```bash ```bash
kubectl exec -n kube-system deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/ kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
# Should show: headlamp-polaris-plugin/ # Should show: headlamp-polaris-plugin/
``` ```
@@ -118,7 +118,7 @@ Expected subjects:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
``` ```
For OIDC mode: For OIDC mode:
@@ -154,7 +154,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -169,7 +169,7 @@ Service account mode:
```bash ```bash
# Impersonate Headlamp service account # Impersonate Headlamp service account
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
--resource-name=polaris-dashboard \ --resource-name=polaris-dashboard \
-n polaris -n polaris
# Expected: yes # Expected: yes
@@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \
After applying RBAC changes: After applying RBAC changes:
```bash ```bash
kubectl rollout restart deployment headlamp -n kube-system kubectl rollout restart deployment headlamp -n headlamp
``` ```
--- ---
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
#!/bin/bash #!/bin/bash
NS="polaris" NS="polaris"
SA="headlamp" SA="headlamp"
SA_NS="kube-system" SA_NS="headlamp"
echo "=== Testing RBAC for Polaris Plugin ===" echo "=== Testing RBAC for Polaris Plugin ==="
@@ -529,8 +529,8 @@ echo "=== Test complete ==="
Test connectivity from Headlamp to Polaris: Test connectivity from Headlamp to Polaris:
```bash ```bash
# Create debug pod in kube-system namespace # Create debug pod in headlamp namespace
kubectl run netdebug -n kube-system --rm -it --image=nicolaka/netshoot -- bash kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash
# Inside pod, test DNS and HTTP # Inside pod, test DNS and HTTP
nslookup polaris-dashboard.polaris.svc.cluster.local nslookup polaris-dashboard.polaris.svc.cluster.local
@@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests:
```bash ```bash
# View recent audit logs (location varies by cluster) # View recent audit logs (location varies by cluster)
kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
# Look for lines with: # Look for lines with:
# "reason": "Forbidden" # "reason": "Forbidden"
# "user": "system:serviceaccount:kube-system:headlamp" # "user": "system:serviceaccount:headlamp:headlamp"
``` ```
--- ---
@@ -567,7 +567,7 @@ kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard
**Check sidecar logs**: **Check sidecar logs**:
```bash ```bash
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
``` ```
**Common errors**: **Common errors**:
@@ -591,7 +591,7 @@ Error: 404 Not Found
**Solution**: Verify `archive-url` in plugin config matches GitHub release: **Solution**: Verify `archive-url` in plugin config matches GitHub release:
```bash ```bash
kubectl get configmap headlamp-plugin-config -n kube-system -o yaml kubectl get configmap headlamp-plugin-config -n headlamp -o yaml
``` ```
Expected format: Expected format:
@@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue:
1. **Version Information**: 1. **Version Information**:
```bash ```bash
kubectl get pods -n kube-system -l app.kubernetes.io/name=headlamp -o yaml | grep image: kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image:
``` ```
2. **Plugin Version**: 2. **Plugin Version**:
- Check Settings → Plugins in Headlamp UI - Check Settings → Plugins in Headlamp UI
- Or: `kubectl exec -n kube-system deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json` - Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
3. **Browser Console Output**: 3. **Browser Console Output**:
@@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue:
5. **Pod Logs**: 5. **Pod Logs**:
```bash ```bash
kubectl logs -n kube-system deployment/headlamp -c headlamp --tail=100 kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100
kubectl logs -n polaris deployment/polaris-dashboard --tail=100 kubectl logs -n polaris deployment/polaris-dashboard --tail=100
``` ```
+20 -20
View File
@@ -41,11 +41,11 @@ pluginsManager:
```bash ```bash
# Install Headlamp # Install Headlamp
helm install headlamp headlamp/headlamp \ helm install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml --values headlamp-values.yaml
# Wait for deployment # Wait for deployment
kubectl -n kube-system wait --for=condition=available deployment/headlamp --timeout=300s kubectl -n headlamp wait --for=condition=available deployment/headlamp --timeout=300s
``` ```
After installation, install the plugin via Headlamp UI (**Settings → Plugins → Catalog**). After installation, install the plugin via Headlamp UI (**Settings → Plugins → Catalog**).
@@ -131,7 +131,7 @@ Deploy:
```bash ```bash
helm upgrade --install headlamp headlamp/headlamp \ helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml \ --values headlamp-values.yaml \
--wait \ --wait \
--timeout 5m --timeout 5m
@@ -177,7 +177,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: headlamp-plugin-config name: headlamp-plugin-config
namespace: kube-system namespace: headlamp
data: data:
plugin.yml: | plugin.yml: |
- name: headlamp-polaris-plugin - name: headlamp-polaris-plugin
@@ -191,7 +191,7 @@ Apply ConfigMap then deploy Headlamp:
kubectl apply -f headlamp-plugin-config.yaml kubectl apply -f headlamp-plugin-config.yaml
helm upgrade --install headlamp headlamp/headlamp \ helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml --values headlamp-values.yaml
``` ```
@@ -221,7 +221,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease kind: HelmRelease
metadata: metadata:
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
spec: spec:
interval: 30m interval: 30m
chart: chart:
@@ -300,7 +300,7 @@ kubectl apply -f helmrepository.yaml
kubectl apply -f helmrelease.yaml kubectl apply -f helmrelease.yaml
# Watch deployment # Watch deployment
flux get helmreleases -n kube-system --watch flux get helmreleases -n headlamp --watch
``` ```
## RBAC Configuration ## RBAC Configuration
@@ -329,7 +329,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -349,7 +349,7 @@ helm repo update
# Upgrade Headlamp (preserves plugin configuration) # Upgrade Headlamp (preserves plugin configuration)
helm upgrade headlamp headlamp/headlamp \ helm upgrade headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml \ --values headlamp-values.yaml \
--wait --wait
``` ```
@@ -365,15 +365,15 @@ helm upgrade headlamp headlamp/headlamp \
```bash ```bash
# Update ConfigMap with new version # Update ConfigMap with new version
kubectl -n kube-system edit configmap headlamp-plugin-config kubectl -n headlamp edit configmap headlamp-plugin-config
# Update version and URL: # Update version and URL:
# version: 0.3.6 # version: 0.3.6
# url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz # url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz
# Restart deployment to trigger init container # Restart deployment to trigger init container
kubectl -n kube-system rollout restart deployment/headlamp kubectl -n headlamp rollout restart deployment/headlamp
kubectl -n kube-system rollout status deployment/headlamp kubectl -n headlamp rollout status deployment/headlamp
``` ```
## Troubleshooting ## Troubleshooting
@@ -382,25 +382,25 @@ kubectl -n kube-system rollout status deployment/headlamp
```bash ```bash
# Check Headlamp values # Check Headlamp values
helm get values headlamp -n kube-system helm get values headlamp -n headlamp
# Verify plugin files exist # Verify plugin files exist
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \ kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/ ls -la /headlamp/plugins/headlamp-polaris-plugin/
# If missing, reinstall plugin via UI or check init container logs # If missing, reinstall plugin via UI or check init container logs
kubectl -n kube-system logs deployment/headlamp -c install-polaris-plugin kubectl -n headlamp logs deployment/headlamp -c install-polaris-plugin
``` ```
### Helm Release Stuck ### Helm Release Stuck
```bash ```bash
# Check Helm release status # Check Helm release status
helm list -n kube-system helm list -n headlamp
# If stuck, force upgrade # If stuck, force upgrade
helm upgrade headlamp headlamp/headlamp \ helm upgrade headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml \ --values headlamp-values.yaml \
--force \ --force \
--wait --wait
@@ -410,13 +410,13 @@ helm upgrade headlamp headlamp/headlamp \
```bash ```bash
# Check HelmRelease status # Check HelmRelease status
flux get helmreleases -n kube-system flux get helmreleases -n headlamp
# Check events # Check events
kubectl -n kube-system describe helmrelease headlamp kubectl -n headlamp describe helmrelease headlamp
# Force reconciliation # Force reconciliation
flux reconcile helmrelease headlamp -n kube-system flux reconcile helmrelease headlamp -n headlamp
``` ```
## Next Steps ## Next Steps
+21 -21
View File
@@ -47,7 +47,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -71,7 +71,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission # Test permission
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
@@ -90,7 +90,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: headlamp-plugin-config name: headlamp-plugin-config
namespace: kube-system namespace: headlamp
labels: labels:
app.kubernetes.io/name: headlamp app.kubernetes.io/name: headlamp
app.kubernetes.io/component: plugin-config app.kubernetes.io/component: plugin-config
@@ -109,7 +109,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
labels: labels:
app.kubernetes.io/name: headlamp app.kubernetes.io/name: headlamp
spec: spec:
@@ -194,7 +194,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
labels: labels:
app.kubernetes.io/name: headlamp app.kubernetes.io/name: headlamp
@@ -204,7 +204,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
labels: labels:
app.kubernetes.io/name: headlamp app.kubernetes.io/name: headlamp
spec: spec:
@@ -235,27 +235,27 @@ kubectl apply -f headlamp-service.yaml
kubectl apply -f headlamp-serviceaccount.yaml kubectl apply -f headlamp-serviceaccount.yaml
# Wait for deployment to be ready # Wait for deployment to be ready
kubectl -n kube-system wait --for=condition=available deployment/headlamp --timeout=300s kubectl -n headlamp wait --for=condition=available deployment/headlamp --timeout=300s
``` ```
### 2. Verify Deployment ### 2. Verify Deployment
```bash ```bash
# Check pods are running # Check pods are running
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
# Expected output: # Expected output:
# NAME READY STATUS RESTARTS AGE # NAME READY STATUS RESTARTS AGE
# headlamp-xxxxxxxxxx-xxxxx 1/1 Running 0 2m # headlamp-xxxxxxxxxx-xxxxx 1/1 Running 0 2m
# Check init container logs # Check init container logs
kubectl -n kube-system logs deployment/headlamp -c install-plugins kubectl -n headlamp logs deployment/headlamp -c install-plugins
# Expected output: # Expected output:
# Plugin installation complete # Plugin installation complete
# Verify plugin files exist # Verify plugin files exist
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \ kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/ ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output: # Expected output:
@@ -273,7 +273,7 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
```bash ```bash
# Port-forward to access locally # Port-forward to access locally
kubectl -n kube-system port-forward service/headlamp 8080:80 kubectl -n headlamp port-forward service/headlamp 8080:80
# Open browser to http://localhost:8080 # Open browser to http://localhost:8080
``` ```
@@ -309,7 +309,7 @@ k8s/
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: kube-system namespace: headlamp
commonLabels: commonLabels:
app.kubernetes.io/name: headlamp app.kubernetes.io/name: headlamp
@@ -401,7 +401,7 @@ spec:
- apiVersion: apps/v1 - apiVersion: apps/v1
kind: Deployment kind: Deployment
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
``` ```
## Upgrading the Plugin ## Upgrading the Plugin
@@ -410,24 +410,24 @@ spec:
```bash ```bash
# Edit ConfigMap with new version # Edit ConfigMap with new version
kubectl -n kube-system edit configmap headlamp-plugin-config kubectl -n headlamp edit configmap headlamp-plugin-config
# Update version and URL: # Update version and URL:
# version: 0.3.6 # version: 0.3.6
# url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz # url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz
# Restart deployment to trigger init container # Restart deployment to trigger init container
kubectl -n kube-system rollout restart deployment/headlamp kubectl -n headlamp rollout restart deployment/headlamp
# Wait for rollout to complete # Wait for rollout to complete
kubectl -n kube-system rollout status deployment/headlamp kubectl -n headlamp rollout status deployment/headlamp
``` ```
### Verify Upgrade ### Verify Upgrade
```bash ```bash
# Check init container logs # Check init container logs
kubectl -n kube-system logs deployment/headlamp -c install-plugins kubectl -n headlamp logs deployment/headlamp -c install-plugins
# Verify new version in UI # Verify new version in UI
# Navigate to Settings → Plugins in Headlamp # Navigate to Settings → Plugins in Headlamp
@@ -439,7 +439,7 @@ kubectl -n kube-system logs deployment/headlamp -c install-plugins
```bash ```bash
# Check init container logs # Check init container logs
kubectl -n kube-system logs deployment/headlamp -c install-plugins kubectl -n headlamp logs deployment/headlamp -c install-plugins
# Common issues: # Common issues:
# 1. Network connectivity to GitHub # 1. Network connectivity to GitHub
@@ -451,14 +451,14 @@ kubectl -n kube-system logs deployment/headlamp -c install-plugins
```bash ```bash
# Verify HEADLAMP_CONFIG_WATCH_PLUGINS is false # Verify HEADLAMP_CONFIG_WATCH_PLUGINS is false
kubectl -n kube-system get deployment headlamp -o yaml | grep WATCH_PLUGINS kubectl -n headlamp get deployment headlamp -o yaml | grep WATCH_PLUGINS
# Expected output: # Expected output:
# - name: HEADLAMP_CONFIG_WATCH_PLUGINS # - name: HEADLAMP_CONFIG_WATCH_PLUGINS
# value: "false" # value: "false"
# If not set or "true", update deployment # If not set or "true", update deployment
kubectl -n kube-system edit deployment headlamp kubectl -n headlamp edit deployment headlamp
``` ```
### RBAC Permissions Denied ### RBAC Permissions Denied
@@ -466,7 +466,7 @@ kubectl -n kube-system edit deployment headlamp
```bash ```bash
# Test RBAC # Test RBAC
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
+15 -15
View File
@@ -37,8 +37,8 @@ kubectl -n polaris get svc polaris-dashboard
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
# Verify Headlamp # Verify Headlamp
kubectl -n kube-system get deployment headlamp kubectl -n headlamp get deployment headlamp
kubectl -n kube-system get svc headlamp kubectl -n headlamp get svc headlamp
``` ```
## Production Checklist ## Production Checklist
@@ -60,17 +60,17 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
# 2. Verify RBAC permissions # 2. Verify RBAC permissions
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
# Expected: yes # Expected: yes
# 3. Check Headlamp logs for plugin loading # 3. Check Headlamp logs for plugin loading
kubectl -n kube-system logs deployment/headlamp | grep -i polaris kubectl -n headlamp logs deployment/headlamp | grep -i polaris
# Expected: No errors related to plugin loading # Expected: No errors related to plugin loading
# 4. Verify plugin files exist # 4. Verify plugin files exist
kubectl -n kube-system exec deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/ kubectl -n headlamp exec deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected: dist/, package.json present # Expected: dist/, package.json present
``` ```
@@ -241,7 +241,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: headlamp-pdb name: headlamp-pdb
namespace: kube-system namespace: headlamp
spec: spec:
minAvailable: 1 minAvailable: 1
selector: selector:
@@ -295,7 +295,7 @@ apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
spec: spec:
selector: selector:
matchLabels: matchLabels:
@@ -312,10 +312,10 @@ spec:
```bash ```bash
# View logs # View logs
kubectl -n kube-system logs deployment/headlamp -f kubectl -n headlamp logs deployment/headlamp -f
# Filter for plugin-related logs # Filter for plugin-related logs
kubectl -n kube-system logs deployment/headlamp | grep -i polaris kubectl -n headlamp logs deployment/headlamp | grep -i polaris
``` ```
**Polaris Dashboard Logs:** **Polaris Dashboard Logs:**
@@ -341,14 +341,14 @@ apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule kind: PrometheusRule
metadata: metadata:
name: headlamp-alerts name: headlamp-alerts
namespace: kube-system namespace: headlamp
spec: spec:
groups: groups:
- name: headlamp - name: headlamp
interval: 30s interval: 30s
rules: rules:
- alert: HeadlampPodNotReady - alert: HeadlampPodNotReady
expr: kube_pod_status_ready{namespace="kube-system", pod=~"headlamp-.*"} == 0 expr: kube_pod_status_ready{namespace="headlamp", pod=~"headlamp-.*"} == 0
for: 5m for: 5m
labels: labels:
severity: warning severity: warning
@@ -422,9 +422,9 @@ If Headlamp or plugin becomes unavailable:
2. **Redeploy Headlamp:** 2. **Redeploy Headlamp:**
```bash ```bash
helm upgrade --install headlamp headlamp/headlamp \ helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml --values headlamp-values.yaml
``` ```
3. **Reapply RBAC:** 3. **Reapply RBAC:**
@@ -436,7 +436,7 @@ If Headlamp or plugin becomes unavailable:
4. **Verify plugin files:** 4. **Verify plugin files:**
```bash ```bash
kubectl -n kube-system exec deployment/headlamp -- \ kubectl -n headlamp exec deployment/headlamp -- \
ls /headlamp/plugins/headlamp-polaris-plugin/ ls /headlamp/plugins/headlamp-polaris-plugin/
``` ```
+2 -3
View File
@@ -268,10 +268,9 @@ npm run e2e
```bash ```bash
# Create token # Create token
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h) export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
# Port-forward for local testing kubectl port-forward -n headlamp svc/headlamp 4466:80
kubectl port-forward -n kube-system svc/headlamp 4466:80
# Run tests # Run tests
HEADLAMP_URL=http://localhost:4466 npm run e2e HEADLAMP_URL=http://localhost:4466 npm run e2e
+13 -13
View File
@@ -72,7 +72,7 @@ Deploy or update Headlamp:
```bash ```bash
helm upgrade --install headlamp headlamp/headlamp \ helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml --values headlamp-values.yaml
``` ```
@@ -122,7 +122,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: headlamp-plugin-config name: headlamp-plugin-config
namespace: kube-system namespace: headlamp
data: data:
plugin.yml: | plugin.yml: |
- name: headlamp-polaris-plugin - name: headlamp-polaris-plugin
@@ -138,14 +138,14 @@ kubectl apply -f headlamp-plugin-config.yaml
# Deploy/update Headlamp with sidecar # Deploy/update Headlamp with sidecar
helm upgrade --install headlamp headlamp/headlamp \ helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml --values headlamp-values.yaml
# Wait for pod to be ready # Wait for pod to be ready
kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
# Verify plugin files # Verify plugin files
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/ kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output: # Expected output:
# drwxr-xr-x dist/ # drwxr-xr-x dist/
@@ -270,7 +270,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -284,10 +284,10 @@ See [RBAC Permissions](../user-guide/rbac-permissions.md) for detailed RBAC conf
```bash ```bash
# If you updated Helm values or ConfigMaps # If you updated Helm values or ConfigMaps
kubectl -n kube-system rollout restart deployment/headlamp kubectl -n headlamp rollout restart deployment/headlamp
# Wait for pod to be ready # Wait for pod to be ready
kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
``` ```
### 3. Clear Browser Cache ### 3. Clear Browser Cache
@@ -312,14 +312,14 @@ kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=
```bash ```bash
# Verify plugin files exist # Verify plugin files exist
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/ kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output: # Expected output:
# drwxr-xr-x dist/ # drwxr-xr-x dist/
# -rw-r--r-- package.json # -rw-r--r-- package.json
# Check Headlamp logs for errors # Check Headlamp logs for errors
kubectl -n kube-system logs deployment/headlamp | grep -i polaris kubectl -n headlamp logs deployment/headlamp | grep -i polaris
# Expected: No errors related to plugin loading # Expected: No errors related to plugin loading
@@ -345,13 +345,13 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
```bash ```bash
# 1. Verify plugin files exist # 1. Verify plugin files exist
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \ kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/ ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected: dist/, package.json present # Expected: dist/, package.json present
# 2. Check Headlamp logs for plugin errors # 2. Check Headlamp logs for plugin errors
kubectl -n kube-system logs deployment/headlamp | grep -i polaris kubectl -n headlamp logs deployment/headlamp | grep -i polaris
# 3. Hard refresh browser (Cmd+Shift+R or Ctrl+Shift+R) # 3. Hard refresh browser (Cmd+Shift+R or Ctrl+Shift+R)
@@ -404,7 +404,7 @@ helm install polaris fairwinds-stable/polaris \
```bash ```bash
# Wait 30 minutes for ArtifactHub sync # Wait 30 minutes for ArtifactHub sync
# Or manually force Headlamp restart: # Or manually force Headlamp restart:
kubectl -n kube-system rollout restart deployment/headlamp kubectl -n headlamp rollout restart deployment/headlamp
``` ```
## Next Steps ## Next Steps
+5 -5
View File
@@ -67,14 +67,14 @@ kubectl -n polaris wait --for=condition=ready pod -l app.kubernetes.io/name=pola
```bash ```bash
# Check Headlamp is deployed # Check Headlamp is deployed
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
# Expected output: # Expected output:
# NAME READY STATUS RESTARTS AGE # NAME READY STATUS RESTARTS AGE
# headlamp-xxxxxxxxxx-xxxxx 1/1 Running 0 1h # headlamp-xxxxxxxxxx-xxxxx 1/1 Running 0 1h
# Check Headlamp version (must be v0.26+) # Check Headlamp version (must be v0.26+)
kubectl -n kube-system get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].image}' kubectl -n headlamp get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].image}'
# Expected output: # Expected output:
# ghcr.io/headlamp-k8s/headlamp:v0.39.0 (or similar) # ghcr.io/headlamp-k8s/headlamp:v0.39.0 (or similar)
@@ -89,12 +89,12 @@ helm repo update
# Install Headlamp # Install Headlamp
helm install headlamp headlamp/headlamp \ helm install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--set config.pluginsDir="/headlamp/plugins" \ --set config.pluginsDir="/headlamp/plugins" \
--set pluginsManager.enabled=true --set pluginsManager.enabled=true
# Wait for pod to be ready # Wait for pod to be ready
kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
``` ```
## RBAC Requirements ## RBAC Requirements
@@ -112,7 +112,7 @@ The plugin requires permissions to access the Polaris dashboard via Kubernetes s
```bash ```bash
# Test if Headlamp service account has permission # Test if Headlamp service account has permission
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
+5 -5
View File
@@ -38,7 +38,7 @@ EOF
# Update Headlamp # Update Headlamp
helm upgrade --install headlamp headlamp/headlamp \ helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \ --namespace headlamp \
--values headlamp-values.yaml --values headlamp-values.yaml
``` ```
@@ -70,7 +70,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -111,7 +111,7 @@ EOF
```bash ```bash
# Verify plugin files exist # Verify plugin files exist
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- \ kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
ls /headlamp/plugins/headlamp-polaris-plugin/dist/ ls /headlamp/plugins/headlamp-polaris-plugin/dist/
# Expected output: # Expected output:
@@ -119,7 +119,7 @@ kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- \
# Verify RBAC is correct # Verify RBAC is correct
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
@@ -185,7 +185,7 @@ Cluster score badge in top navigation:
```bash ```bash
# Verify plugin files exist # Verify plugin files exist
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- \ kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
ls /headlamp/plugins/headlamp-polaris-plugin/ ls /headlamp/plugins/headlamp-polaris-plugin/
# If missing, reinstall via Headlamp UI or sidecar method # If missing, reinstall via Headlamp UI or sidecar method
+5 -5
View File
@@ -38,17 +38,17 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
# 3. Verify RBAC permissions # 3. Verify RBAC permissions
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
# Expected output: yes # Expected output: yes
# 4. Check Headlamp pod is running # 4. Check Headlamp pod is running
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
# 5. Check Headlamp logs for plugin errors # 5. Check Headlamp logs for plugin errors
kubectl -n kube-system logs deployment/headlamp | grep -i polaris kubectl -n headlamp logs deployment/headlamp | grep -i polaris
# Expected: No errors # Expected: No errors
``` ```
@@ -57,7 +57,7 @@ kubectl -n kube-system logs deployment/headlamp | grep -i polaris
```bash ```bash
# Verify plugin files exist # Verify plugin files exist
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \ kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/ ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output: # Expected output:
@@ -76,7 +76,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission (service account mode) # Test permission (service account mode)
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
+16 -16
View File
@@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug
```bash ```bash
# View Headlamp pod logs (plugin sidecar) # View Headlamp pod logs (plugin sidecar)
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
# Expected output: # Expected output:
# Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz # Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz
@@ -43,7 +43,7 @@ kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
**Verify plugin files exist**: **Verify plugin files exist**:
```bash ```bash
kubectl exec -n kube-system deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/ kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
# Should show: headlamp-polaris-plugin/ # Should show: headlamp-polaris-plugin/
``` ```
@@ -118,7 +118,7 @@ Expected subjects:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
``` ```
For OIDC mode: For OIDC mode:
@@ -154,7 +154,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -169,7 +169,7 @@ Service account mode:
```bash ```bash
# Impersonate Headlamp service account # Impersonate Headlamp service account
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
--resource-name=polaris-dashboard \ --resource-name=polaris-dashboard \
-n polaris -n polaris
# Expected: yes # Expected: yes
@@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \
After applying RBAC changes: After applying RBAC changes:
```bash ```bash
kubectl rollout restart deployment headlamp -n kube-system kubectl rollout restart deployment headlamp -n headlamp
``` ```
--- ---
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
#!/bin/bash #!/bin/bash
NS="polaris" NS="polaris"
SA="headlamp" SA="headlamp"
SA_NS="kube-system" SA_NS="headlamp"
echo "=== Testing RBAC for Polaris Plugin ===" echo "=== Testing RBAC for Polaris Plugin ==="
@@ -529,8 +529,8 @@ echo "=== Test complete ==="
Test connectivity from Headlamp to Polaris: Test connectivity from Headlamp to Polaris:
```bash ```bash
# Create debug pod in kube-system namespace # Create debug pod in headlamp namespace
kubectl run netdebug -n kube-system --rm -it --image=nicolaka/netshoot -- bash kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash
# Inside pod, test DNS and HTTP # Inside pod, test DNS and HTTP
nslookup polaris-dashboard.polaris.svc.cluster.local nslookup polaris-dashboard.polaris.svc.cluster.local
@@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests:
```bash ```bash
# View recent audit logs (location varies by cluster) # View recent audit logs (location varies by cluster)
kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
# Look for lines with: # Look for lines with:
# "reason": "Forbidden" # "reason": "Forbidden"
# "user": "system:serviceaccount:kube-system:headlamp" # "user": "system:serviceaccount:headlamp:headlamp"
``` ```
--- ---
@@ -567,7 +567,7 @@ kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard
**Check sidecar logs**: **Check sidecar logs**:
```bash ```bash
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
``` ```
**Common errors**: **Common errors**:
@@ -591,7 +591,7 @@ Error: 404 Not Found
**Solution**: Verify `archive-url` in plugin config matches GitHub release: **Solution**: Verify `archive-url` in plugin config matches GitHub release:
```bash ```bash
kubectl get configmap headlamp-plugin-config -n kube-system -o yaml kubectl get configmap headlamp-plugin-config -n headlamp -o yaml
``` ```
Expected format: Expected format:
@@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue:
1. **Version Information**: 1. **Version Information**:
```bash ```bash
kubectl get pods -n kube-system -l app.kubernetes.io/name=headlamp -o yaml | grep image: kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image:
``` ```
2. **Plugin Version**: 2. **Plugin Version**:
- Check Settings → Plugins in Headlamp UI - Check Settings → Plugins in Headlamp UI
- Or: `kubectl exec -n kube-system deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json` - Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
3. **Browser Console Output**: 3. **Browser Console Output**:
@@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue:
5. **Pod Logs**: 5. **Pod Logs**:
```bash ```bash
kubectl logs -n kube-system deployment/headlamp -c headlamp --tail=100 kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100
kubectl logs -n polaris deployment/polaris-dashboard --tail=100 kubectl logs -n polaris deployment/polaris-dashboard --tail=100
``` ```
+2 -2
View File
@@ -43,7 +43,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -83,7 +83,7 @@ roleRef:
```bash ```bash
# Test service account (in-cluster mode) # Test service account (in-cluster mode)
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
+1 -1
View File
@@ -317,7 +317,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission # Test permission
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
``` ```
+8 -8
View File
@@ -65,7 +65,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp # Adjust to your Headlamp SA name name: headlamp # Adjust to your Headlamp SA name
namespace: kube-system # Adjust to Headlamp's namespace namespace: headlamp # Adjust to Headlamp's namespace
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -75,7 +75,7 @@ roleRef:
**Adjust for your environment:** **Adjust for your environment:**
- `subjects[0].name` - Your Headlamp service account name (often `headlamp`) - `subjects[0].name` - Your Headlamp service account name (often `headlamp`)
- `subjects[0].namespace` - Namespace where Headlamp runs (often `kube-system`) - `subjects[0].namespace` - Namespace where Headlamp runs (often `headlamp`)
### Step 3: Apply and Verify ### Step 3: Apply and Verify
@@ -91,7 +91,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission # Test permission
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
@@ -109,7 +109,7 @@ In token-auth mode, **each user's own identity** is used for Kubernetes API requ
With service account mode: With service account mode:
- Single RoleBinding grants access to all Headlamp users - Single RoleBinding grants access to all Headlamp users
- Kubernetes sees all requests as `system:serviceaccount:kube-system:headlamp` - Kubernetes sees all requests as `system:serviceaccount:headlamp:headlamp`
With token-auth mode: With token-auth mode:
@@ -267,7 +267,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -281,7 +281,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp name: headlamp
namespace: kube-system namespace: headlamp
roleRef: roleRef:
kind: Role kind: Role
name: polaris-proxy-reader name: polaris-proxy-reader
@@ -411,7 +411,7 @@ Every plugin data fetch creates a Kubernetes API audit log entry.
"level": "Metadata", "level": "Metadata",
"verb": "get", "verb": "get",
"user": { "user": {
"username": "system:serviceaccount:kube-system:headlamp" "username": "system:serviceaccount:headlamp:headlamp"
}, },
"sourceIPs": ["10.96.0.1"], "sourceIPs": ["10.96.0.1"],
"objectRef": { "objectRef": {
@@ -494,7 +494,7 @@ If using a log aggregator (e.g., Elasticsearch), create filters to exclude or do
```bash ```bash
# Service account mode # Service account mode
kubectl auth can-i get services/proxy \ kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \ --as=system:serviceaccount:headlamp:headlamp \
-n polaris \ -n polaris \
--resource-name=polaris-dashboard --resource-name=polaris-dashboard
+6 -2
View File
@@ -45,8 +45,12 @@ async function authenticateWithToken(page: Page, token: string): Promise<void> {
await page.waitForURL(/\/(login|token)$/); await page.waitForURL(/\/(login|token)$/);
if (page.url().includes('/login')) { if (page.url().includes('/login')) {
// OIDC login page — click "use a token" to reach token auth // OIDC login page — click "use a token" to reach token auth.
await page.getByRole('button', { name: /use a token/i }).click(); // Wait explicitly before clicking so failures surface at 15 s
// with a clear message rather than silently timing out at 60 s.
const useTokenBtn = page.getByRole('button', { name: /use a token/i });
await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
await useTokenBtn.click();
await page.waitForURL('**/token'); await page.waitForURL('**/token');
} }
+5 -1
View File
@@ -35,7 +35,11 @@
"overrides": { "overrides": {
"tar": "^7.5.11", "tar": "^7.5.11",
"undici": "^7.24.3", "undici": "^7.24.3",
"flatted": "^3.4.2" "flatted": "^3.4.2",
"lodash": ">=4.18.0",
"picomatch": ">=4.0.4",
"vite": ">=6.4.2",
"elliptic": ">=6.6.1"
} }
}, },
"devDependencies": { "devDependencies": {
+519 -141
View File
File diff suppressed because it is too large Load Diff
+1 -17
View File
@@ -1,21 +1,5 @@
{ {
"$schema": "https://docs.renovatebot.com/renovate-schema.json", "$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"], "extends": ["github>privilegedescalation/.github:renovate-config"]
"baseBranches": ["main"],
"schedule": ["every weekend"],
"prConcurrentLimit": 10,
"pinDigests": true,
"packageRules": [
{
"matchManagers": ["npm"],
"matchUpdateTypes": ["minor", "patch"],
"groupName": "npm minor and patch"
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["minor", "patch"],
"groupName": "github-actions minor and patch"
}
]
} }
+17 -7
View File
@@ -5,26 +5,26 @@
# a ConfigMap volume mount. No custom Docker images — the plugin is built # a ConfigMap volume mount. No custom Docker images — the plugin is built
# in CI and injected as a ConfigMap. # in CI and injected as a ConfigMap.
# #
# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing # E2E resources are deployed to the `headlamp-dev` namespace. Nothing
# persists beyond the test run — teardown cleans up all created resources. # persists beyond a test run — teardown cleans up all created resources.
# #
# Prerequisites: # Prerequisites:
# - Plugin built (dist/ exists with plugin-main.js + package.json) # - Plugin built (dist/ exists with plugin-main.js + package.json)
# - kubectl configured with cluster access # - kubectl configured with cluster access
# - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml # - RBAC applied (managed by Flux GitOps in privilegedescalation/infra)
# #
# Environment: # Environment:
# E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev) # E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-dev)
# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
# HEADLAMP_VERSION — Headlamp image tag (default: latest) # HEADLAMP_VERSION — Headlamp image tag (default: v0.40.1, pinned to match production)
set -euo pipefail set -euo pipefail
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
DIST_DIR="$REPO_ROOT/dist" DIST_DIR="$REPO_ROOT/dist"
E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}" E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}" HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
if [ ! -d "$DIST_DIR" ]; then if [ ! -d "$DIST_DIR" ]; then
echo "ERROR: dist/ not found. Run 'npm run build' first." >&2 echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
@@ -58,6 +58,16 @@ kubectl create configmap headlamp-polaris-plugin \
--from-file="$DIST_DIR" \ --from-file="$DIST_DIR" \
--from-file=package.json="$REPO_ROOT/package.json" --from-file=package.json="$REPO_ROOT/package.json"
# --- Tear down any existing E2E deployment for a clean start ---
# kubectl apply without prior deletion only patches in-place: if the pod spec is
# unchanged between runs, no new rollout is triggered and a degraded pod keeps
# serving. Delete first to guarantee a fresh pod regardless of prior state.
echo ""
echo "Removing any existing E2E deployment (clean-start)..."
kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
# --- Deploy Headlamp via kubectl apply --- # --- Deploy Headlamp via kubectl apply ---
echo "" echo ""
echo "Deploying Headlamp E2E instance..." echo "Deploying Headlamp E2E instance..."
+2 -2
View File
@@ -4,13 +4,13 @@
# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh. # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
# #
# Environment: # Environment:
# E2E_NAMESPACE — namespace to clean up (default: privilegedescalation-dev) # E2E_NAMESPACE — namespace to clean up (default: headlamp-dev)
# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
set -euo pipefail set -euo pipefail
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}" E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
echo "=== E2E Headlamp Teardown ===" echo "=== E2E Headlamp Teardown ==="