privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
This repository has been archived on 2026-06-16. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
a0829c7d4ffe95755dbd58b6612929f523b0f671
headlamp-polaris-plugin/docs/troubleshooting/rbac-issues.md
T
Chris Farhood 57e1298d12 docs: standardize documentation structure (Phase 1) 
Implement Phase 1 of documentation standardization plan:

**New Documentation Structure:**
- docs/README.md - Documentation hub with quick links
- docs/getting-started/ - Installation, prerequisites, quick-start
- docs/deployment/ - Kubernetes, Helm, production guides
- docs/architecture/ - Overview, data-flow, design-decisions, ADR template
- docs/troubleshooting/ - Quick diagnosis, common issues, RBAC, network
- docs/development/ - Testing guide (moved from docs/TESTING.md)

**Granular Breakdown:**
- Split DEPLOYMENT.md → installation.md, kubernetes.md, helm.md, production.md
- Split ARCHITECTURE.md → overview.md, data-flow.md, design-decisions.md
- Split TROUBLESHOOTING.md → README.md, common-issues.md, rbac-issues.md, network-problems.md

**New Content:**
- Quick Start guide (5-minute setup)
- Prerequisites checklist
- Production deployment best practices
- ADR template and index
- Quick diagnosis table

**Updated:**
- README.md now links to new documentation structure
- All documentation cross-referenced with relative links

Implements standardization plan from docs/DOCUMENTATION_STANDARDIZATION_PLAN.md

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-12 00:08:11 -05:00

105 lines
2.4 KiB
Markdown
Raw Blame History

# RBAC Issues
Troubleshooting RBAC permissions and 403 errors for the Headlamp Polaris Plugin.
## Overview
The plugin requires `get` permission on `services/proxy` resource for the `polaris-dashboard` service in the `polaris` namespace. Without this permission, you'll see 403 Forbidden errors.
## Common Scenarios
### 403 Forbidden Error
**Symptom:** Error loading Polaris data, "Access denied (403)" in UI
**Cause:** Missing or incorrect RBAC binding
**Solution:**
```bash
# 1. Verify RBAC resources exist
kubectl -n polaris get role polaris-proxy-reader
kubectl -n polaris get rolebinding headlamp-polaris-proxy
# If missing, apply RBAC:
kubectl apply -f - <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: polaris-proxy-reader
namespace: polaris
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["polaris-dashboard"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: headlamp-polaris-proxy
namespace: polaris
subjects:
- kind: ServiceAccount
name: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
apiGroup: rbac.authorization.k8s.io
EOF
```
### Token-Auth Mode
**Symptom:** 403 error when using Headlamp with user-supplied tokens
**Cause:** User's own identity lacks the RoleBinding
**Solution:**
Bind the Role to authenticated users or specific users/groups:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: users-polaris-proxy
namespace: polaris
subjects:
- kind: Group
name: system:authenticated # All authenticated users
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: polaris-proxy-reader
apiGroup: rbac.authorization.k8s.io
```
### Testing Permissions
```bash
# Test service account (in-cluster mode)
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
# Test user (token-auth mode)
kubectl auth can-i get services/proxy \
--as=user@example.com \
-n polaris \
--resource-name=polaris-dashboard
# Expected output: yes
```
For detailed RBAC configuration, see [RBAC Permissions](../user-guide/rbac-permissions.md).
## References
- [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
- [Service Proxy RBAC](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-services/)
Reference in New Issue View Git Blame Copy Permalink