ci: update artifact hub metadata for v0.1.3

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/release.yaml

@@ -161,12 +161,13 @@ jobs:
         run: |
           [ "$SKIP_BUILD" = "true" ] && exit 0
           VERSION=${GITHUB_REF_NAME#v}
-          git checkout main
+          git config user.name "gitea-actions[bot]"
+          git config user.email "gitea-actions[bot]@git.farh.net"
+          git fetch origin main
+          git checkout origin/main -B main
           sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
           sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"https://github.com/cpfarhood/headlamp-polaris-plugin/releases/download/${GITHUB_REF_NAME}/headlamp-polaris-plugin-${VERSION}.tar.gz\"|" artifacthub-pkg.yml
           sed -i "s|^version:.*|version: ${VERSION}|" artifacthub-pkg.yml
-          git config user.name "gitea-actions[bot]"
-          git config user.email "gitea-actions[bot]@git.farh.net"
           git add artifacthub-pkg.yml
           git diff --cached --quiet || {
             git commit -m "ci: update artifact hub metadata for ${GITHUB_REF_NAME}"

README.md

@@ -6,23 +6,28 @@ A [Headlamp](https://headlamp.dev/) plugin that surfaces [Fairwinds Polaris](htt
 
 ## What It Does
 
-Adds a **Polaris** sidebar entry to Headlamp that displays:
+Adds a **Polaris** top-level sidebar section to Headlamp with the following views:
 
-- **Cluster Score** -- overall Polaris score as a percentage (color-coded green/amber/red)
-- **Check Summary** -- total, pass, warning, and danger counts across all workloads
-- **Cluster Info** -- node, pod, namespace, and controller counts
+- **Overview** -- cluster score as a percentage (color-coded green/amber/red), check summary (pass/warning/danger/skipped counts), and cluster info (nodes, pods, namespaces, controllers)
+- **Namespaces** -- table of all namespaces with per-namespace score, pass/warning/danger/skipped counts; click a namespace to drill down
+- **Namespace detail** -- per-namespace score, check counts, and a resource table showing pass/warning/danger per workload
+- **External link** -- quick jump to the native Polaris dashboard via the Kubernetes service proxy (from namespace detail view)
 
-Data is read from the `ConfigMap/polaris-dashboard` in the `polaris` namespace (key: `dashboard.json`), which is created by the standard Polaris Helm chart. The plugin is read-only -- it never writes to the cluster.
+Data is fetched from the Polaris dashboard API through the Kubernetes service proxy (`/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json`). The plugin is read-only -- it never writes to the cluster.
 
-Results are cached and refreshed on a user-configurable interval (1 / 5 / 10 / 30 minutes, default 5). The setting persists in the browser's localStorage.
+Results are refreshed on a user-configurable interval (1 / 5 / 10 / 30 minutes, default 5). The setting is available in **Settings > Plugins > Polaris** and persists in the browser's localStorage.
 
-Error states are handled explicitly: RBAC denied (403), Polaris not installed (404), malformed JSON, and loading.
+Error states are handled explicitly: RBAC denied (403), Polaris not installed (404/503), malformed JSON, and loading.
 
 ## Prerequisites
 
-- **Headlamp** >= v0.26 deployed in your cluster
-- **Polaris** installed via the [official Helm chart](https://github.com/FairwindsOps/polaris) with the dashboard component enabled
-- The Headlamp service account must have RBAC permission to `get` ConfigMaps in the `polaris` namespace
+| Requirement | Minimum version |
+|-------------|----------------|
+| Headlamp | v0.26+ |
+| Polaris (with dashboard enabled) | Any recent release |
+| Kubernetes | v1.24+ |
+
+Polaris must be deployed in the `polaris` namespace with the dashboard component enabled (`dashboard.enabled: true` in the Helm chart, which is the default). The plugin reads from the `polaris-dashboard` ClusterIP service on port 80.
 
 ## Installing
 
@@ -47,7 +52,7 @@ Add it as an init container in your Headlamp Helm values:
 ```yaml
 initContainers:
   - name: polaris-plugin
-    image: git.farh.net/farhoodliquor/headlamp-polaris-plugin:v0.0.1
+    image: git.farh.net/farhoodliquor/headlamp-polaris-plugin:latest
     command: ["sh", "-c", "cp -r /plugins/* /headlamp/plugins/"]
     volumeMounts:
       - name: plugins
@@ -67,7 +72,7 @@ volumeMounts:
 Download the `.tar.gz` from the [GitHub releases page](https://github.com/cpfarhood/headlamp-polaris-plugin/releases) or the [Gitea releases page](https://git.farh.net/farhoodliquor/headlamp-polaris-plugin/releases), then extract into Headlamp's plugin directory:
 
 ```bash
-tar xzf headlamp-polaris-plugin-0.0.1.tar.gz -C /headlamp/plugins/
+tar xzf headlamp-polaris-plugin-<version>.tar.gz -C /headlamp/plugins/
 ```
 
 ### Option 4: Build from source
@@ -78,35 +83,70 @@ npm run build
 npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
 ```
 
-## RBAC
+## RBAC / Security Setup
 
-The plugin reads a single ConfigMap. Minimum RBAC required for the Headlamp service account:
+The plugin fetches audit data through the Kubernetes API server's **service proxy** sub-resource. The identity making the request (Headlamp's service account, or the user's own token in token-auth mode) must be granted:
+
+| Verb | API Group | Resource | Resource Name | Namespace |
+|------|-----------|----------|---------------|-----------|
+| `get` | `""` (core) | `services/proxy` | `polaris-dashboard` | `polaris` |
+
+### Minimal RBAC manifests
 
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: headlamp-polaris-reader
+  name: polaris-proxy-reader
+  namespace: polaris
 rules:
   - apiGroups: [""]
-    resources: ["configmaps"]
+    resources: ["services/proxy"]
     resourceNames: ["polaris-dashboard"]
     verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: headlamp-polaris-reader
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: headlamp-polaris-reader
+  name: headlamp-polaris-proxy
+  namespace: polaris
 subjects:
   - kind: ServiceAccount
-    name: headlamp
-    namespace: headlamp
+    name: headlamp              # adjust to match your Headlamp service account
+    namespace: kube-system      # adjust to match the namespace Headlamp runs in
+roleRef:
+  kind: Role
+  name: polaris-proxy-reader
+  apiGroup: rbac.authorization.k8s.io
 ```
 
+Apply with `kubectl apply -f polaris-rbac.yaml`.
+
+### Token-auth mode
+
+When Headlamp is configured for user-supplied tokens (rather than a fixed service account), **each user** must have the RoleBinding above attached to their own identity. A 403 error in the plugin means the currently logged-in user lacks this binding.
+
+### NetworkPolicy
+
+If the `polaris` namespace enforces network policies, ensure ingress is allowed from the Kubernetes API server (which performs the proxy hop) to `polaris-dashboard` on port 80.
+
+### Read-only access
+
+The plugin only performs `GET` requests through the service proxy. No `create`, `update`, `delete`, or `patch` verbs are required. Do not grant broader access than `get` on `services/proxy`.
+
+### Audit logging
+
+Every proxied request is recorded in Kubernetes API audit logs as a `get` on `services/proxy` in the `polaris` namespace. If the auto-refresh interval generates more audit volume than desired, increase the refresh interval in the plugin settings or adjust your audit policy.
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+|---------|-------------|-----|
+| **403 Access Denied** | Missing RBAC binding for `services/proxy` | Apply the Role + RoleBinding from the RBAC section above |
+| **404 or 503** | Polaris not installed, or dashboard disabled | Install Polaris with `dashboard.enabled: true` in the `polaris` namespace |
+| **No data** | Polaris running but no workloads scanned yet | Wait for the next Polaris audit cycle or restart the Polaris pod |
+| **Stale data** | Refresh interval too long | Lower the interval in **Settings > Plugins > Polaris** |
+
 ## Development
 
 ### Setup
@@ -132,39 +172,45 @@ npm run build        # outputs dist/main.js
 npm run package      # creates headlamp-polaris-plugin-<version>.tar.gz
 ```
 
-### Type-check
+### Type-check, lint, format, and test
 
 ```bash
-npm run tsc
+npm run tsc          # type-check without emitting
+npm run lint         # eslint
+npm run format:check # prettier check
+npm test             # vitest unit tests
 ```
 
 ## Project Structure
 
 ```
 src/
-  index.tsx                  -- Entry point. Registers sidebar entry and route at /polaris.
+  index.tsx                           -- Entry point. Registers sidebar entries and routes.
   api/
-    polaris.ts               -- TypeScript types matching the Polaris AuditData schema,
-                                usePolarisData() hook with caching, countResults() utility,
-                                and refresh interval settings (localStorage).
+    polaris.ts                        -- TypeScript types (AuditData schema), usePolarisData hook,
+                                         countResults utilities, refresh interval settings.
+    polaris.test.ts                   -- Unit tests for utility functions (vitest).
+    PolarisDataContext.tsx             -- React context provider; shared data fetch across views.
   components/
-    PolarisView.tsx          -- Main page component. Score badge, check summary cards,
-                                cluster info, error states, refresh interval selector.
+    DashboardView.tsx                 -- Overview page (score, check summary with skipped, cluster info).
+    NamespacesListView.tsx            -- Namespace list with scores and links to detail views.
+    NamespaceDetailView.tsx           -- Per-namespace drill-down with resource table.
+    PolarisSettings.tsx               -- Plugin settings page (refresh interval selector).
+vitest.config.mts                     -- Vitest configuration (jsdom environment).
 ```
 
 ## Data Source
 
-The plugin reads from:
+The plugin fetches live audit results from the Polaris dashboard HTTP API via the Kubernetes service proxy:
 
-- **ConfigMap**: `polaris-dashboard`
-- **Namespace**: `polaris`
-- **Key**: `dashboard.json`
+```
+GET /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json
+```
 
-This ConfigMap is created automatically when Polaris is installed with the dashboard enabled. The JSON structure matches Polaris's `AuditData` schema (`pkg/validator/output.go`):
+This endpoint is served by the `polaris-dashboard` ClusterIP service, which is created by the Polaris Helm chart when `dashboard.enabled: true`. The JSON response matches Polaris's `AuditData` schema (`pkg/validator/output.go`):
 
 ```
 AuditData
-  Score            -- cluster score (0-100)
   ClusterInfo      -- nodes, pods, namespaces, controllers
   Results[]        -- per-workload results
     Results{}      -- top-level check results (ResultSet)
@@ -174,48 +220,38 @@ AuditData
         Results{}  -- container-level check results
 ```
 
-Each check in a `ResultSet` has `Success` (bool) and `Severity` (`"warning"` or `"danger"`).
+Each check in a `ResultSet` has `Success` (bool) and `Severity` (`"warning"`, `"danger"`, or `"ignore"`). Checks with `Severity: "ignore"` and `Success: false` are counted as skipped. The cluster score is computed client-side as `pass / total * 100`.
 
 ## Releasing
 
 Releases are automated via CI. To cut a release:
 
 ```bash
-# Bump version in package.json and artifacthub-pkg.yml, then:
-git add package.json package-lock.json artifacthub-pkg.yml
-git commit -m "chore: bump version to 0.0.2"
-git tag v0.0.2
-git push origin main v0.0.2
+# Bump version in package.json and artifacthub-pkg.yml (version + archive-url), then:
+git add package.json artifacthub-pkg.yml
+git commit -m "chore: bump version to X.Y.Z"
+git tag vX.Y.Z
+git push origin main vX.Y.Z
 ```
 
-This triggers two CI pipelines:
-
-**Gitea Actions** (`.gitea/workflows/release.yaml`):
+This triggers the **Gitea Actions** release workflow (`.gitea/workflows/release.yaml`):
 1. Build the plugin in a `node:20` container
 2. Package a `.tar.gz` tarball
 3. Build and push a Docker image to `git.farh.net/farhoodliquor/headlamp-polaris-plugin:{tag}` and `:latest`
 4. Create a Gitea release with the tarball attached
+5. Create a GitHub release with the same tarball (for Artifact Hub)
+6. Update `artifacthub-pkg.yml` checksum on main and force-move the tag to match
 
-**GitHub Actions** (`.github/workflows/release.yml`):
-1. Build and package the plugin
-2. Create a GitHub release with the tarball attached (required for Artifact Hub)
-
-The Gitea repo push-mirrors to GitHub automatically, so both pipelines trigger from a single `git push`.
+A guard step prevents infinite loops: if the release tarball checksum already matches the metadata, the build is skipped.
 
 ### CI secrets
 
 | Secret | Where | Purpose |
 |---|---|---|
 | `REGISTRY_TOKEN` | Gitea | Personal access token with `package:write` scope for Docker image push |
+| `GH_PAT` | Gitea | GitHub personal access token for creating GitHub releases |
 
-The Gitea release uses the built-in `github.token`. The GitHub release uses the default `GITHUB_TOKEN` with `contents: write` permission.
-
-### Updating Artifact Hub
-
-When releasing a new version, update `artifacthub-pkg.yml`:
-- `version` field
-- `headlamp/plugin/archive-url` annotation (update the version in the download URL)
-- `headlamp/plugin/archive-checksum` annotation (SHA256 of the new tarball, printed by the CI build)
+The Gitea release uses the built-in `github.token`. The `archive-checksum` in `artifacthub-pkg.yml` is updated automatically by the release workflow.
 
 ## Links
 

artifacthub-pkg.yml

@@ -1,8 +1,14 @@
-version: 0.0.9
+version: 0.1.3
 name: headlamp-polaris-plugin
 displayName: Polaris
 createdAt: "2026-02-05T19:00:00Z"
-description: Surfaces Fairwinds Polaris audit results inside the Headlamp UI.
+description: >-
+  Surfaces Fairwinds Polaris audit results inside the Headlamp UI.
+  Shows cluster score, check summary, and per-namespace drill-downs
+  with per-resource pass/warning/danger breakdowns. Data is fetched
+  read-only via the Kubernetes service proxy to the Polaris dashboard.
+  Requires a Role granting `get` on `services/proxy` for the
+  `polaris-dashboard` service in the `polaris` namespace.
 license: MIT
 homeURL: "https://github.com/cpfarhood/headlamp-polaris-plugin"
 category: security
@@ -22,7 +28,7 @@ maintainers:
   - name: cpfarhood
     email: "chris@farhood.org"
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/cpfarhood/headlamp-polaris-plugin/releases/download/v0.0.9/headlamp-polaris-plugin-0.0.9.tar.gz"
+  headlamp/plugin/archive-url: "https://github.com/cpfarhood/headlamp-polaris-plugin/releases/download/v0.1.3/headlamp-polaris-plugin-0.1.3.tar.gz"
   headlamp/plugin/version-compat: ">=0.26"
-  headlamp/plugin/archive-checksum: sha256:8f5b46dd6a2acae22a7dc5fe7d273b561aa5a7b08b32e029132d23c643b6837c
+  headlamp/plugin/archive-checksum: sha256:ddb92d40475d9c2ee1e755f4c83744529d86a1318dea729e6de8b4360d7890c7
   headlamp/plugin/distro-compat: in-cluster

claude.md

@@ -23,20 +23,75 @@ npx tsc --noEmit
 
 # Lint
 npx eslint src/
+
+# Run tests
+npm test
 ```
 
 ## Architecture
 
 ```
 src/
-├── index.tsx                    # Entry point: registerSidebarEntry + registerRoute for /polaris
+├── index.tsx                           # Entry point: registers sidebar entries + routes
 ├── api/
-│   └── polaris.ts               # Types (AuditData schema), usePolarisData hook, countResults utility, refresh settings
+│   ├── polaris.ts                      # Types (AuditData schema), usePolarisData hook, countResults utilities, refresh settings
+│   ├── polaris.test.ts                 # Unit tests for utility functions (vitest)
+│   └── PolarisDataContext.tsx           # React context provider for shared data fetch
 └── components/
-    └── PolarisView.tsx           # Main page: score badge, check summary, cluster info, error states, refresh interval selector
+    ├── DashboardView.tsx                # Overview page (score, check summary with skipped count, cluster info)
+    ├── NamespacesListView.tsx           # Namespace list with scores and links to detail views
+    ├── NamespaceDetailView.tsx          # Per-namespace drill-down with resource table
+    └── PolarisSettings.tsx              # Plugin settings (refresh interval selector)
 ```
 
-Single sidebar page at `/polaris`. Data is fetched via `ApiProxy.request` to the Polaris dashboard service proxy and refreshed on a user-configurable interval (stored in localStorage under `polaris-plugin-refresh-interval`, default 5 minutes). Score is computed from result counts (pass/total).
+Top-level sidebar section at `/polaris` with sub-routes for namespaces list (`/polaris/namespaces`) and per-namespace views (`/polaris/ns/:namespace`). Data is fetched via `ApiProxy.request` to the Polaris dashboard service proxy and refreshed on a user-configurable interval (stored in localStorage under `polaris-plugin-refresh-interval`, default 5 minutes). Score is computed from result counts (pass/total). Skipped checks are always displayed in summaries.
+
+**Sidebar limitation**: Headlamp's sidebar only supports 2-level nesting (parent → children). The `Collapse` component is driven by route-based selection, not click-to-toggle, so 3-level hierarchies don't expand properly. Namespace navigation is handled via the in-content table on the Namespaces page instead.
+
+## Security / RBAC Requirements
+
+The plugin reaches Polaris through the Kubernetes API server's service proxy sub-resource (`/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/...`). The Headlamp service account (or the user's bearer token when Headlamp runs in token-auth mode) must be granted:
+
+| Verb | API Group | Resource | Resource Name | Namespace |
+|------|-----------|----------|---------------|-----------|
+| `get` | `""` (core) | `services/proxy` | `polaris-dashboard` | `polaris` |
+
+Minimal RBAC example:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: polaris-proxy-reader
+  namespace: polaris
+rules:
+  - apiGroups: [""]
+    resources: ["services/proxy"]
+    resourceNames: ["polaris-dashboard"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: headlamp-polaris-proxy
+  namespace: polaris
+subjects:
+  - kind: ServiceAccount
+    name: headlamp            # adjust to match your Headlamp SA
+    namespace: kube-system
+roleRef:
+  kind: Role
+  name: polaris-proxy-reader
+  apiGroup: rbac.authorization.k8s.io
+```
+
+Additional considerations:
+
+- **NetworkPolicy**: If the `polaris` namespace enforces network policies, allow ingress from the Headlamp pod (or the API server, since it performs the proxy hop) to `polaris-dashboard` on port 80.
+- **Polaris dashboard listen address**: The Polaris Helm chart exposes the dashboard on a ClusterIP service (`polaris-dashboard:80`). If the chart is installed with `dashboard.enabled: false`, the service will not be created, resulting in a 404 error for proxy requests.
+- **No write operations**: The plugin only performs `GET` requests through the proxy. No `create`, `update`, or `delete` verbs are required. Do not grant broader service proxy access than `get`.
+- **Token-auth mode**: When Headlamp is configured for user-supplied tokens (rather than a fixed service account), each user's own RBAC bindings must include the role above. A 403 from the plugin means the logged-in user lacks the binding.
+- **Audit logging**: Kubernetes API audit logs will record every proxied request as a `get` on `services/proxy` in the `polaris` namespace. Set an appropriate audit policy level if request volume from the auto-refresh interval is a concern.
 
 ## Key Constraints
 

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "headlamp-polaris-plugin",
-  "version": "0.0.9",
+  "version": "0.1.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "headlamp-polaris-plugin",
-      "version": "0.0.9",
+      "version": "0.1.1",
       "devDependencies": {
         "@kinvolk/headlamp-plugin": "^0.13.0"
       }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "headlamp-polaris-plugin",
-  "version": "0.0.9",
+  "version": "0.1.3",
   "description": "Headlamp plugin for Fairwinds Polaris audit results",
   "scripts": {
     "start": "headlamp-plugin start",
@@ -10,7 +10,9 @@
     "lint": "eslint --ext .ts,.tsx src/",
     "lint:fix": "eslint --ext .ts,.tsx --fix src/",
     "format": "prettier --write src/",
-    "format:check": "prettier --check src/"
+    "format:check": "prettier --check src/",
+    "test": "vitest run",
+    "test:watch": "vitest"
   },
   "devDependencies": {
     "@kinvolk/headlamp-plugin": "^0.13.0"

src/api/polaris.test.ts

@@ -0,0 +1,264 @@
+import { describe, expect, it, vi } from 'vitest';
+
+vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
+  ApiProxy: { request: vi.fn() },
+}));
+
+import {
+  AuditData,
+  computeScore,
+  countResults,
+  countResultsForItems,
+  filterResultsByNamespace,
+  getNamespaces,
+  Result,
+  ResultCounts,
+} from './polaris';
+
+// --- Fixtures ---
+
+function makeResult(overrides: Partial<Result> = {}): Result {
+  return {
+    Name: 'my-deploy',
+    Namespace: 'default',
+    Kind: 'Deployment',
+    Results: {},
+    CreatedTime: '2025-01-01T00:00:00Z',
+    ...overrides,
+  };
+}
+
+function makeAuditData(results: Result[]): AuditData {
+  return {
+    PolarisOutputVersion: '1.0',
+    AuditTime: '2025-01-01T00:00:00Z',
+    SourceType: 'Cluster',
+    SourceName: 'test',
+    DisplayName: 'test',
+    ClusterInfo: { Version: '1.28', Nodes: 3, Pods: 10, Namespaces: 2, Controllers: 5 },
+    Results: results,
+  };
+}
+
+// --- computeScore ---
+
+describe('computeScore', () => {
+  it('returns 0 when total is 0', () => {
+    const counts: ResultCounts = { total: 0, pass: 0, warning: 0, danger: 0, skipped: 0 };
+    expect(computeScore(counts)).toBe(0);
+  });
+
+  it('returns 100 when all checks pass', () => {
+    const counts: ResultCounts = { total: 10, pass: 10, warning: 0, danger: 0, skipped: 0 };
+    expect(computeScore(counts)).toBe(100);
+  });
+
+  it('rounds to nearest integer', () => {
+    const counts: ResultCounts = { total: 3, pass: 1, warning: 1, danger: 1, skipped: 0 };
+    expect(computeScore(counts)).toBe(33);
+  });
+
+  it('includes skipped in total denominator', () => {
+    const counts: ResultCounts = { total: 10, pass: 5, warning: 2, danger: 1, skipped: 2 };
+    expect(computeScore(counts)).toBe(50);
+  });
+});
+
+// --- countResults / countResultsForItems ---
+
+describe('countResults', () => {
+  it('returns zero counts for empty results', () => {
+    const data = makeAuditData([]);
+    const counts = countResults(data);
+    expect(counts).toEqual({ total: 0, pass: 0, warning: 0, danger: 0, skipped: 0 });
+  });
+
+  it('counts top-level result set entries', () => {
+    const result = makeResult({
+      Results: {
+        check1: {
+          ID: 'check1',
+          Message: 'ok',
+          Details: [],
+          Success: true,
+          Severity: 'warning',
+          Category: 'Security',
+        },
+        check2: {
+          ID: 'check2',
+          Message: 'bad',
+          Details: [],
+          Success: false,
+          Severity: 'danger',
+          Category: 'Security',
+        },
+      },
+    });
+    const counts = countResults(makeAuditData([result]));
+    expect(counts.total).toBe(2);
+    expect(counts.pass).toBe(1);
+    expect(counts.danger).toBe(1);
+    expect(counts.warning).toBe(0);
+    expect(counts.skipped).toBe(0);
+  });
+
+  it('counts skipped (severity=ignore, success=false) entries', () => {
+    const result = makeResult({
+      Results: {
+        skipped1: {
+          ID: 'skipped1',
+          Message: 'skipped',
+          Details: [],
+          Success: false,
+          Severity: 'ignore',
+          Category: 'Security',
+        },
+      },
+    });
+    const counts = countResults(makeAuditData([result]));
+    expect(counts.total).toBe(1);
+    expect(counts.skipped).toBe(1);
+    expect(counts.pass).toBe(0);
+  });
+
+  it('counts PodResult and ContainerResults', () => {
+    const result = makeResult({
+      Results: {
+        top: {
+          ID: 'top',
+          Message: 'ok',
+          Details: [],
+          Success: true,
+          Severity: 'warning',
+          Category: 'Reliability',
+        },
+      },
+      PodResult: {
+        Name: 'pod-1',
+        Results: {
+          podCheck: {
+            ID: 'podCheck',
+            Message: 'warn',
+            Details: [],
+            Success: false,
+            Severity: 'warning',
+            Category: 'Reliability',
+          },
+        },
+        ContainerResults: [
+          {
+            Name: 'container-1',
+            Results: {
+              containerCheck: {
+                ID: 'containerCheck',
+                Message: 'danger',
+                Details: [],
+                Success: false,
+                Severity: 'danger',
+                Category: 'Security',
+              },
+            },
+          },
+        ],
+      },
+    });
+    const counts = countResults(makeAuditData([result]));
+    expect(counts.total).toBe(3);
+    expect(counts.pass).toBe(1);
+    expect(counts.warning).toBe(1);
+    expect(counts.danger).toBe(1);
+  });
+
+  it('aggregates across multiple results', () => {
+    const r1 = makeResult({
+      Name: 'deploy-a',
+      Results: {
+        c1: {
+          ID: 'c1',
+          Message: '',
+          Details: [],
+          Success: true,
+          Severity: 'warning',
+          Category: 'X',
+        },
+      },
+    });
+    const r2 = makeResult({
+      Name: 'deploy-b',
+      Results: {
+        c2: {
+          ID: 'c2',
+          Message: '',
+          Details: [],
+          Success: false,
+          Severity: 'warning',
+          Category: 'X',
+        },
+      },
+    });
+    const counts = countResults(makeAuditData([r1, r2]));
+    expect(counts.total).toBe(2);
+    expect(counts.pass).toBe(1);
+    expect(counts.warning).toBe(1);
+  });
+});
+
+describe('countResultsForItems', () => {
+  it('works on a subset of results', () => {
+    const results: Result[] = [
+      makeResult({
+        Results: {
+          a: {
+            ID: 'a',
+            Message: '',
+            Details: [],
+            Success: false,
+            Severity: 'danger',
+            Category: 'X',
+          },
+        },
+      }),
+    ];
+    const counts = countResultsForItems(results);
+    expect(counts.danger).toBe(1);
+    expect(counts.total).toBe(1);
+  });
+});
+
+// --- getNamespaces ---
+
+describe('getNamespaces', () => {
+  it('returns empty array for no results', () => {
+    expect(getNamespaces(makeAuditData([]))).toEqual([]);
+  });
+
+  it('returns sorted unique namespaces', () => {
+    const data = makeAuditData([
+      makeResult({ Namespace: 'beta' }),
+      makeResult({ Namespace: 'alpha' }),
+      makeResult({ Namespace: 'beta' }),
+      makeResult({ Namespace: 'gamma' }),
+    ]);
+    expect(getNamespaces(data)).toEqual(['alpha', 'beta', 'gamma']);
+  });
+});
+
+// --- filterResultsByNamespace ---
+
+describe('filterResultsByNamespace', () => {
+  it('returns only results matching the namespace', () => {
+    const data = makeAuditData([
+      makeResult({ Name: 'a', Namespace: 'ns1' }),
+      makeResult({ Name: 'b', Namespace: 'ns2' }),
+      makeResult({ Name: 'c', Namespace: 'ns1' }),
+    ]);
+    const filtered = filterResultsByNamespace(data, 'ns1');
+    expect(filtered).toHaveLength(2);
+    expect(filtered.map(r => r.Name)).toEqual(['a', 'c']);
+  });
+
+  it('returns empty array for non-existent namespace', () => {
+    const data = makeAuditData([makeResult({ Namespace: 'ns1' })]);
+    expect(filterResultsByNamespace(data, 'ns-missing')).toEqual([]);
+  });
+});

src/api/polaris.ts

@@ -61,6 +61,7 @@ export interface ResultCounts {
   pass: number;
   warning: number;
   danger: number;
+  skipped: number;
 }
 
 function countResultSet(rs: ResultSet, counts: ResultCounts): void {
@@ -69,6 +70,8 @@ function countResultSet(rs: ResultSet, counts: ResultCounts): void {
     counts.total++;
     if (msg.Success) {
       counts.pass++;
+    } else if (msg.Severity === 'ignore') {
+      counts.skipped++;
     } else if (msg.Severity === 'warning') {
       counts.warning++;
     } else if (msg.Severity === 'danger') {
@@ -78,7 +81,7 @@ function countResultSet(rs: ResultSet, counts: ResultCounts): void {
 }
 
 function countResultItems(results: Result[]): ResultCounts {
-  const counts: ResultCounts = { total: 0, pass: 0, warning: 0, danger: 0 };
+  const counts: ResultCounts = { total: 0, pass: 0, warning: 0, danger: 0, skipped: 0 };
   for (const result of results) {
     countResultSet(result.Results, counts);
     if (result.PodResult) {
@@ -138,6 +141,11 @@ export function setRefreshInterval(seconds: number): void {
   localStorage.setItem(STORAGE_KEY, String(seconds));
 }
 
+// --- Polaris dashboard proxy URL ---
+
+export const POLARIS_DASHBOARD_PROXY =
+  '/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/';
+
 // --- Score computation ---
 
 export function computeScore(counts: ResultCounts): number {

src/components/DashboardView.tsx

@@ -1,6 +1,8 @@
 import {
   Loader,
   NameValueTable,
+  PercentageBar,
+  PercentageCircle,
   SectionBox,
   SectionHeader,
   StatusLabel,
@@ -9,44 +11,47 @@ import React from 'react';
 import { AuditData, computeScore, countResults, ResultCounts } from '../api/polaris';
 import { usePolarisDataContext } from '../api/PolarisDataContext';
 
-function scoreStatus(score: number): 'success' | 'warning' | 'error' {
-  if (score >= 80) return 'success';
-  if (score >= 50) return 'warning';
-  return 'error';
-}
+const COLORS = {
+  pass: '#4caf50',
+  warning: '#ff9800',
+  danger: '#f44336',
+  skipped: '#9e9e9e',
+};
 
 function OverviewSection(props: { data: AuditData; counts: ResultCounts }) {
-  const score = computeScore(props.counts);
-  const status = scoreStatus(score);
+  const { counts } = props;
+  const score = computeScore(counts);
+
+  const chartData = [
+    { name: 'Pass', value: counts.pass, fill: COLORS.pass },
+    { name: 'Warning', value: counts.warning, fill: COLORS.warning },
+    { name: 'Danger', value: counts.danger, fill: COLORS.danger },
+    { name: 'Skipped', value: counts.skipped, fill: COLORS.skipped },
+  ];
 
   return (
     <>
-      <SectionBox title="Score">
-        <NameValueTable
-          rows={[
-            {
-              name: 'Cluster Score',
-              value: <StatusLabel status={status}>{score}%</StatusLabel>,
-            },
-          ]}
-        />
+      <SectionBox title="Cluster Score">
+        <PercentageCircle data={chartData} total={counts.total} label={`${score}%`} />
       </SectionBox>
-      <SectionBox title="Check Summary">
+      <SectionBox title="Check Distribution">
+        <PercentageBar data={chartData} total={counts.total} />
         <NameValueTable
           rows={[
-            { name: 'Total Checks', value: String(props.counts.total) },
+            { name: 'Total Checks', value: String(counts.total) },
             {
               name: 'Pass',
-              value: <StatusLabel status="success">{props.counts.pass}</StatusLabel>,
+              value: <StatusLabel status="success">{counts.pass}</StatusLabel>,
             },
             {
               name: 'Warning',
-              value: <StatusLabel status="warning">{props.counts.warning}</StatusLabel>,
+              value: <StatusLabel status="warning">{counts.warning}</StatusLabel>,
             },
             {
               name: 'Danger',
-              value: <StatusLabel status="error">{props.counts.danger}</StatusLabel>,
+              value: <StatusLabel status="error">{counts.danger}</StatusLabel>,
             },
+            { name: 'Skipped', value: String(counts.skipped) },
           ]}
         />
       </SectionBox>
@@ -64,7 +69,7 @@ function OverviewSection(props: { data: AuditData; counts: ResultCounts }) {
   );
 }
 
-export default function PolarisView() {
+export default function DashboardView() {
   const { data, loading, error } = usePolarisDataContext();
 
   if (loading) {
@@ -75,7 +80,7 @@ export default function PolarisView() {
 
   return (
     <>
-      <SectionHeader title="Polaris" />
+      <SectionHeader title="Polaris — Overview" />
 
       {error && (
         <SectionBox title="Error">

src/components/DynamicSidebarRegistrar.tsx

@@ -1,29 +0,0 @@
-import { registerSidebarEntry } from '@kinvolk/headlamp-plugin/lib';
-import React from 'react';
-import { getNamespaces } from '../api/polaris';
-import { usePolarisDataContext } from '../api/PolarisDataContext';
-
-const registeredNamespaces = new Set<string>();
-
-export default function DynamicSidebarRegistrar() {
-  const { data } = usePolarisDataContext();
-
-  React.useEffect(() => {
-    if (!data) return;
-
-    const namespaces = getNamespaces(data);
-    for (const ns of namespaces) {
-      if (registeredNamespaces.has(ns)) continue;
-      registeredNamespaces.add(ns);
-      registerSidebarEntry({
-        parent: 'polaris',
-        name: `polaris-ns-${ns}`,
-        label: ns,
-        url: `/polaris/${ns}`,
-        icon: 'mdi:folder-outline',
-      });
-    }
-  }, [data]);
-
-  return null;
-}

src/components/NamespaceDetailView.tsx

@@ -12,6 +12,7 @@ import {
   computeScore,
   countResultsForItems,
   filterResultsByNamespace,
+  POLARIS_DASHBOARD_PROXY,
   Result,
   ResultCounts,
 } from '../api/polaris';
@@ -82,6 +83,21 @@ export default function NamespaceDetailView() {
     <>
       <SectionHeader title={`Polaris — ${namespace}`} />
 
+      <SectionBox title="External">
+        <NameValueTable
+          rows={[
+            {
+              name: 'Polaris Dashboard',
+              value: (
+                <a href={POLARIS_DASHBOARD_PROXY} target="_blank" rel="noopener noreferrer">
+                  View in Polaris Dashboard
+                </a>
+              ),
+            },
+          ]}
+        />
+      </SectionBox>
+
       <SectionBox title="Namespace Score">
         <NameValueTable
           rows={[
@@ -102,6 +118,10 @@ export default function NamespaceDetailView() {
               name: 'Danger',
               value: <StatusLabel status="error">{counts.danger}</StatusLabel>,
             },
+            {
+              name: 'Skipped',
+              value: String(counts.skipped),
+            },
           ]}
         />
       </SectionBox>

src/components/NamespacesListView.tsx

@@ -0,0 +1,135 @@
+import { Router } from '@kinvolk/headlamp-plugin/lib';
+import {
+  Loader,
+  NameValueTable,
+  SectionBox,
+  SectionHeader,
+  SimpleTable,
+  StatusLabel,
+} from '@kinvolk/headlamp-plugin/lib/CommonComponents';
+import React from 'react';
+import { Link } from 'react-router-dom';
+import {
+  computeScore,
+  countResultsForItems,
+  filterResultsByNamespace,
+  getNamespaces,
+} from '../api/polaris';
+import { usePolarisDataContext } from '../api/PolarisDataContext';
+
+function scoreStatus(score: number): 'success' | 'warning' | 'error' {
+  if (score >= 80) return 'success';
+  if (score >= 50) return 'warning';
+  return 'error';
+}
+
+interface NamespaceRow {
+  namespace: string;
+  score: number;
+  pass: number;
+  warning: number;
+  danger: number;
+  skipped: number;
+}
+
+export default function NamespacesListView() {
+  const { data, loading, error } = usePolarisDataContext();
+
+  if (loading) {
+    return <Loader title="Loading Polaris audit data..." />;
+  }
+
+  if (error) {
+    return (
+      <>
+        <SectionHeader title="Polaris — Namespaces" />
+        <SectionBox title="Error">
+          <NameValueTable
+            rows={[
+              {
+                name: 'Status',
+                value: <StatusLabel status="error">{error}</StatusLabel>,
+              },
+            ]}
+          />
+        </SectionBox>
+      </>
+    );
+  }
+
+  if (!data) {
+    return (
+      <>
+        <SectionHeader title="Polaris — Namespaces" />
+        <SectionBox title="No Data">
+          <NameValueTable rows={[{ name: 'Status', value: 'No Polaris audit results found.' }]} />
+        </SectionBox>
+      </>
+    );
+  }
+
+  const namespaces = getNamespaces(data);
+  const rows: NamespaceRow[] = namespaces.map(ns => {
+    const results = filterResultsByNamespace(data, ns);
+    const counts = countResultsForItems(results);
+    const score = computeScore(counts);
+    return {
+      namespace: ns,
+      score,
+      pass: counts.pass,
+      warning: counts.warning,
+      danger: counts.danger,
+      skipped: counts.skipped,
+    };
+  });
+
+  return (
+    <>
+      <SectionHeader title="Polaris — Namespaces" />
+      <SectionBox>
+        <SimpleTable
+          columns={[
+            {
+              label: 'Namespace',
+              getter: (row: NamespaceRow) => (
+                <Link
+                  to={Router.createRouteURL('polaris-namespace', {
+                    namespace: row.namespace,
+                  })}
+                >
+                  {row.namespace}
+                </Link>
+              ),
+            },
+            {
+              label: 'Score',
+              getter: (row: NamespaceRow) => (
+                <StatusLabel status={scoreStatus(row.score)}>{row.score}%</StatusLabel>
+              ),
+            },
+            {
+              label: 'Pass',
+              getter: (row: NamespaceRow) => <StatusLabel status="success">{row.pass}</StatusLabel>,
+            },
+            {
+              label: 'Warning',
+              getter: (row: NamespaceRow) => (
+                <StatusLabel status="warning">{row.warning}</StatusLabel>
+              ),
+            },
+            {
+              label: 'Danger',
+              getter: (row: NamespaceRow) => <StatusLabel status="error">{row.danger}</StatusLabel>,
+            },
+            {
+              label: 'Skipped',
+              getter: (row: NamespaceRow) => String(row.skipped),
+            },
+          ]}
+          data={rows}
+          emptyMessage="No namespaces found in Polaris audit data."
+        />
+      </SectionBox>
+    </>
+  );
+}

src/index.tsx

@@ -5,10 +5,12 @@ import {
 } from '@kinvolk/headlamp-plugin/lib';
 import React from 'react';
 import { PolarisDataProvider } from './api/PolarisDataContext';
-import DynamicSidebarRegistrar from './components/DynamicSidebarRegistrar';
+import DashboardView from './components/DashboardView';
 import NamespaceDetailView from './components/NamespaceDetailView';
+import NamespacesListView from './components/NamespacesListView';
 import PolarisSettings from './components/PolarisSettings';
-import PolarisView from './components/PolarisView';
+
+// --- Sidebar entries ---
 
 registerSidebarEntry({
   parent: null,
@@ -18,27 +20,55 @@ registerSidebarEntry({
   icon: 'mdi:shield-check',
 });
 
+registerSidebarEntry({
+  parent: 'polaris',
+  name: 'polaris-overview',
+  label: 'Overview',
+  url: '/polaris',
+  icon: 'mdi:view-dashboard',
+});
+
+registerSidebarEntry({
+  parent: 'polaris',
+  name: 'polaris-namespaces',
+  label: 'Namespaces',
+  url: '/polaris/namespaces',
+  icon: 'mdi:dns',
+});
+
+// --- Routes ---
+
 registerRoute({
   path: '/polaris',
-  sidebar: 'polaris',
+  sidebar: 'polaris-overview',
   name: 'polaris',
   exact: true,
   component: () => (
     <PolarisDataProvider>
-      <DynamicSidebarRegistrar />
-      <PolarisView />
+      <DashboardView />
     </PolarisDataProvider>
   ),
 });
 
 registerRoute({
-  path: '/polaris/:namespace',
-  sidebar: 'polaris',
+  path: '/polaris/namespaces',
+  sidebar: 'polaris-namespaces',
+  name: 'polaris-namespaces',
+  exact: true,
+  component: () => (
+    <PolarisDataProvider>
+      <NamespacesListView />
+    </PolarisDataProvider>
+  ),
+});
+
+registerRoute({
+  path: '/polaris/ns/:namespace',
+  sidebar: 'polaris-namespaces',
   name: 'polaris-namespace',
   exact: true,
   component: () => (
     <PolarisDataProvider>
-      <DynamicSidebarRegistrar />
       <NamespaceDetailView />
     </PolarisDataProvider>
   ),

vitest.config.mts

@@ -0,0 +1,8 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'jsdom',
+  },
+});