privilegedescalation-ceo[bot]
e2ae92648c
* docs: update Headlamp install namespace references from kube-system to headlamp Updates all documentation references to the Headlamp install namespace from kube-system to headlamp as part of PRI-433. In-scope files updated: - README.md, SECURITY.md - docs/getting-started/installation.md, quick-start.md, prerequisites.md - docs/deployment/helm.md, kubernetes.md, production.md - docs/troubleshooting/README.md, common-issues.md, rbac-issues.md - docs/user-guide/configuration.md, rbac-permissions.md - docs/TESTING.md, TROUBLESHOOTING.md, DEPLOYMENT.md Out-of-scope (unchanged): - Source files referencing upstream workload namespace - RBAC manifests describing Polaris namespace (polaris ns is unchanged) - NetworkPolicy namespaceSelector (API server runs in kube-system) - design-decisions.md and ARCHITECTURE.md (URL hashes refer to cluster namespaces, not Headlamp install ns) Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: correct RBAC manifest per QA review (PRI-555) - Remove rbac.authorization.k8s.io privilege escalation block - Fix orphaned comment from round 1 - Add EOF newline - Keep serviceaccounts/token for E2E auth (confirmed needed) - Namespace already correct (privilegedescalation-dev) Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs: replace hardcoded namespace with <your-namespace> placeholder Users choose their own namespace for Headlamp. Replace all hardcoded namespace references (headlamp, kube-system) in user-facing docs with <your-namespace> so users substitute their own value. Conventions: - Helm install: --namespace <your-namespace> --create-namespace - kubectl commands: -n <your-namespace> - YAML metadata: namespace: <your-namespace> - Prose: "the namespace where Headlamp is installed" Out-of-scope references left untouched: - kube-system in NetworkPolicy selectors (API server namespace) - polaris namespace references (upstream workload namespace) - Source code and test files Refs: PRI-433 Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs: fix remaining hardcoded headlamp namespace to <your-namespace> placeholder Prior commit was inconsistent — some files used <your-namespace> while DEPLOYMENT.md, TROUBLESHOOTING.md and several troubleshooting/user-guide docs still hardcoded headlamp as the namespace. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>
6.8 KiB
6.8 KiB
Prerequisites
Before installing the Headlamp Polaris Plugin, ensure your environment meets the following requirements.
Required Components
| Requirement | Minimum Version | Recommended Version |
|---|---|---|
| Kubernetes | v1.24+ | v1.28+ |
| Headlamp | v0.26+ | v0.39+ |
| Polaris (dashboard enabled) | Any recent release | Latest stable |
| Browser | Modern (ES2020+) | Latest Chrome/Firefox/Safari/Edge |
Polaris Requirements
The plugin requires Polaris to be deployed with the dashboard component enabled:
- Namespace:
polaris(default expected namespace) - Dashboard enabled:
dashboard.enabled: truein Helm chart (default) - Service:
polaris-dashboardClusterIP service on port 80
Verify Polaris Installation
# Check Polaris pods are running
kubectl -n polaris get pods
# Expected output:
# NAME READY STATUS RESTARTS AGE
# polaris-dashboard-xxxxxxxxx-xxxxx 1/1 Running 0 1h
# polaris-webhook-xxxxxxxxx-xxxxx 1/1 Running 0 1h
# Check Polaris dashboard service exists
kubectl -n polaris get svc polaris-dashboard
# Expected output:
# NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
# polaris-dashboard ClusterIP 10.96.xxx.xxx <none> 80/TCP 1h
# Test Polaris dashboard API
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
# Expected output:
# "1.0"
Install Polaris (if not present)
# Add Fairwinds Helm repository
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm repo update
# Install Polaris with dashboard enabled
helm install polaris fairwinds-stable/polaris \
--namespace polaris \
--create-namespace \
--set dashboard.enabled=true
# Wait for pods to be ready
kubectl -n polaris wait --for=condition=ready pod -l app.kubernetes.io/name=polaris --timeout=300s
Headlamp Requirements
Verify Headlamp Installation
# Check Headlamp is deployed
kubectl -n <your-namespace> get pods -l app.kubernetes.io/name=headlamp
# Expected output:
# NAME READY STATUS RESTARTS AGE
# headlamp-xxxxxxxxxx-xxxxx 1/1 Running 0 1h
# Check Headlamp version (must be v0.26+)
kubectl -n <your-namespace> get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].image}'
# Expected output:
# ghcr.io/headlamp-k8s/headlamp:v0.39.0 (or similar)
Install Headlamp (if not present)
# Add Headlamp Helm repository
helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
helm repo update
# Install Headlamp
helm install headlamp headlamp/headlamp \
--namespace <your-namespace> \
--set config.pluginsDir="/headlamp/plugins" \
--set pluginsManager.enabled=true
# Wait for pod to be ready
kubectl -n <your-namespace> wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
RBAC Requirements
The plugin requires permissions to access the Polaris dashboard via Kubernetes service proxy.
Required Permission
| Verb | API Group | Resource | Resource Name | Namespace |
|---|---|---|---|---|
get |
"" (core) |
services/proxy |
polaris-dashboard |
polaris |
Verify RBAC Permissions
# Test if Headlamp service account has permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
# Expected output: yes
# If "no", you need to create RBAC (see installation guide)
Network Requirements
Service Proxy Access
The plugin accesses Polaris through the Kubernetes API server's service proxy:
Headlamp Pod → Kubernetes API Server → Polaris Dashboard Service
Required network paths:
- Headlamp pod → Kubernetes API server (443)
- Kubernetes API server → Polaris dashboard service (80)
NetworkPolicy Considerations
If the polaris namespace has NetworkPolicies enabled, ensure the Kubernetes API server can reach the polaris-dashboard service on port 80.
Test Network Connectivity
# Test service proxy endpoint from API server
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq . > /dev/null
# If successful, no output
# If failed, check NetworkPolicies and service status
Browser Requirements
The plugin uses modern JavaScript features and requires:
- ES2020+ support
- localStorage enabled
- JavaScript enabled
- Cookies enabled (for Headlamp session)
Tested Browsers
| Browser | Minimum Version |
|---|---|
| Chrome/Chromium | 80+ |
| Firefox | 75+ |
| Safari | 13.1+ |
| Edge | 80+ |
Optional Components
OIDC Authentication (for multi-user deployments)
If using Headlamp with OIDC authentication, each user must have RBAC permissions for service proxy access (see RBAC Permissions).
Ingress (for external access)
If exposing Headlamp externally, configure an Ingress with TLS:
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: headlamp.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: headlamp-tls
hosts:
- headlamp.example.com
Pre-Installation Checklist
Before proceeding to installation, verify:
- Kubernetes cluster v1.24+ running
- Polaris deployed in
polarisnamespace with dashboard enabled - Polaris dashboard service accessible via service proxy
- Headlamp v0.26+ deployed
- RBAC permissions configured (or ready to configure)
- Network connectivity between API server and Polaris dashboard
- Modern browser available
Next Steps
Once all prerequisites are met:
- Installation Guide - Choose installation method and deploy the plugin
- Quick Start - Get up and running in 5 minutes
- RBAC Permissions - Detailed RBAC configuration
Troubleshooting
If any prerequisite check fails, see:
- Troubleshooting Guide - Common issues and solutions
- RBAC Issues - Permission debugging
- Network Problems - Connectivity issues