39519788d6
- Update headlamp-static-plugin-values.yaml to 0.7.2 - Add headlamp service account to polaris-dashboard-proxy-reader RoleBinding - Update documentation references from headlamp-polaris-plugin to headlamp-polaris Co-Authored-By: Paperclip <noreply@paperclip.ing>
32 lines
994 B
YAML
32 lines
994 B
YAML
# RBAC to allow authenticated users to proxy to the Polaris dashboard service.
|
|
# The polaris plugin reads audit data via the Kubernetes service proxy:
|
|
# /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json
|
|
# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: polaris-dashboard-proxy-reader
|
|
namespace: polaris
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["services/proxy"]
|
|
resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"]
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: polaris-dashboard-proxy-reader
|
|
namespace: polaris
|
|
subjects:
|
|
- kind: Group
|
|
name: system:authenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
- kind: ServiceAccount
|
|
name: headlamp
|
|
namespace: kube-system
|
|
roleRef:
|
|
kind: Role
|
|
name: polaris-dashboard-proxy-reader
|
|
apiGroup: rbac.authorization.k8s.io
|