privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
Files
af42d9c52af8bbadb8f3681b6db520f2cf30d747
headlamp-polaris-plugin/docs/getting-started/installation.md
T
privilegedescalation-ceo[bot] e2ae92648c docs: replace hardcoded namespace with <your-namespace> placeholder 
* docs: update Headlamp install namespace references from kube-system to headlamp

Updates all documentation references to the Headlamp install namespace
from kube-system to headlamp as part of PRI-433.

In-scope files updated:
- README.md, SECURITY.md
- docs/getting-started/installation.md, quick-start.md, prerequisites.md
- docs/deployment/helm.md, kubernetes.md, production.md
- docs/troubleshooting/README.md, common-issues.md, rbac-issues.md
- docs/user-guide/configuration.md, rbac-permissions.md
- docs/TESTING.md, TROUBLESHOOTING.md, DEPLOYMENT.md

Out-of-scope (unchanged):
- Source files referencing upstream workload namespace
- RBAC manifests describing Polaris namespace (polaris ns is unchanged)
- NetworkPolicy namespaceSelector (API server runs in kube-system)
- design-decisions.md and ARCHITECTURE.md (URL hashes refer to cluster namespaces, not Headlamp install ns)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix: correct RBAC manifest per QA review (PRI-555)

- Remove rbac.authorization.k8s.io privilege escalation block
- Fix orphaned comment from round 1
- Add EOF newline
- Keep serviceaccounts/token for E2E auth (confirmed needed)
- Namespace already correct (privilegedescalation-dev)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* docs: replace hardcoded namespace with <your-namespace> placeholder

Users choose their own namespace for Headlamp. Replace all hardcoded
namespace references (headlamp, kube-system) in user-facing docs with
<your-namespace> so users substitute their own value.

Conventions:
- Helm install: --namespace <your-namespace> --create-namespace
- kubectl commands: -n <your-namespace>
- YAML metadata: namespace: <your-namespace>
- Prose: "the namespace where Headlamp is installed"

Out-of-scope references left untouched:
- kube-system in NetworkPolicy selectors (API server namespace)
- polaris namespace references (upstream workload namespace)
- Source code and test files

Refs: PRI-433

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* docs: fix remaining hardcoded headlamp namespace to <your-namespace> placeholder

Prior commit was inconsistent — some files used <your-namespace> while
DEPLOYMENT.md, TROUBLESHOOTING.md and several troubleshooting/user-guide
docs still hardcoded headlamp as the namespace.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-10 21:34:49 +00:00

10 KiB
Raw Blame History

Installation Guide

This guide covers all installation methods for the Headlamp Polaris Plugin.

Table of Contents

Prerequisites

Before installation, ensure all prerequisites are met:

  • Kubernetes v1.24+
  • Headlamp v0.26+ (v0.39+ recommended)
  • Polaris deployed with dashboard enabled
  • RBAC permissions configured

Installation Methods

Option 1: Plugin Manager (Recommended)

Best for: Production deployments, managed updates, ease of use

The plugin is published on Artifact Hub and can be installed via the Headlamp Plugin Manager.

Via Headlamp UI

  1. Navigate to Plugin Settings:

    • Open Headlamp in your browser
    • Go to Settings → Plugins
    • Click the Catalog tab

  2. Search and Install:

    • Search for "Polaris"
    • Find "Headlamp Polaris Plugin"
    • Click Install

  3. Hard Refresh Browser:

    • Mac: Cmd+Shift+R
    • Windows/Linux: Ctrl+Shift+R

  4. Verify Installation:

    • Sidebar should show "Polaris" entry
    • Click Polaris → Overview page loads

Via Helm Configuration

Add to your Headlamp Helm values:

# headlamp-values.yaml
config:
  pluginsDir: /headlamp/plugins

pluginsManager:
  enabled: true
  repositories:
    - https://artifacthub.io/packages/search?kind=4

Deploy or update Headlamp:

helm upgrade --install headlamp headlamp/headlamp \
  --namespace <your-namespace> \
  --values headlamp-values.yaml

Then install the plugin via Headlamp UI as described above.

Option 2: Sidecar Container

Best for: Controlled plugin versions, air-gapped environments, specific version pinning

This method uses an init container to download and install the plugin from a tarball URL.

Helm Values Configuration

# headlamp-values.yaml
config:
  pluginsDir: /headlamp/plugins

initContainers:
  - name: install-polaris-plugin
    image: node:lts-alpine
    command:
      - sh
      - -c
      - |
        npm install -g @kinvolk/headlamp-plugin
        headlamp-plugin install --config /config/plugin.yml --plugins-dir /plugins
    volumeMounts:
      - name: plugins
        mountPath: /plugins
      - name: plugin-config
        mountPath: /config

volumes:
  - name: plugins
    emptyDir: {}
  - name: plugin-config
    configMap:
      name: headlamp-plugin-config

Plugin Configuration ConfigMap

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: headlamp-plugin-config
  namespace: <your-namespace>
data:
  plugin.yml: |
    - name: headlamp-polaris-plugin
      version: 0.3.5
      url: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz

Apply Configuration

# Create ConfigMap
kubectl apply -f headlamp-plugin-config.yaml

# Deploy/update Headlamp with sidecar
helm upgrade --install headlamp headlamp/headlamp \
  --namespace <your-namespace> \
  --values headlamp-values.yaml

# Wait for pod to be ready
kubectl -n <your-namespace> wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s

# Verify plugin files
kubectl -n <your-namespace> exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/

# Expected output:
# drwxr-xr-x  dist/
# -rw-r--r--  package.json

Option 3: Manual Tarball

Best for: Testing specific versions, offline installations

Download the plugin tarball and extract it into Headlamp's plugin directory.

Download and Extract

# Download latest release
VERSION=0.3.5
wget https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v${VERSION}/headlamp-polaris-plugin-${VERSION}.tar.gz

# Extract to plugin directory
tar xzf headlamp-polaris-plugin-${VERSION}.tar.gz -C /headlamp/plugins/

# Verify extraction
ls -la /headlamp/plugins/headlamp-polaris-plugin/

# Expected output:
# drwxr-xr-x  dist/
# -rw-r--r--  package.json

Kubernetes Volume Mount

If Headlamp runs in Kubernetes, mount the plugin directory as a volume:

# headlamp-values.yaml
config:
  pluginsDir: /plugins

volumes:
  - name: plugins
    hostPath:
      path: /path/to/plugins # Where you extracted the tarball
      type: Directory

volumeMounts:
  - name: plugins
    mountPath: /plugins
    readOnly: true

Note: This method is not recommended for production (hostPath is node-specific).

Option 4: Build from Source

Best for: Development, contributing, testing unreleased features

Clone the repository and build the plugin from source.

Clone and Build

# Clone repository
git clone https://github.com/privilegedescalation/headlamp-polaris-plugin.git
cd headlamp-polaris-plugin

# Install dependencies
npm install

# Build plugin
npm run build

# Package tarball (optional)
npm run package

# Extract to Headlamp plugin directory
npx @kinvolk/headlamp-plugin extract . /headlamp/plugins

Development Mode (Hot Reload)

For active development with hot reload:

# Start Headlamp with plugin hot reload
npm start

# Opens Headlamp at http://localhost:4466
# Changes to src/ automatically rebuild and reload

See Development Workflow for detailed development setup.

Post-Installation

After installing the plugin via any method:

1. Configure RBAC

Apply RBAC permissions for the plugin to access Polaris:

# Create polaris-plugin-rbac.yaml
cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: polaris-proxy-reader
  namespace: polaris
rules:
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["polaris-dashboard"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: headlamp-polaris-proxy
  namespace: polaris
subjects:
  - kind: ServiceAccount
    name: headlamp
    namespace: <your-namespace>
roleRef:
  kind: Role
  name: polaris-proxy-reader
  apiGroup: rbac.authorization.k8s.io
EOF

See RBAC Permissions for detailed RBAC configuration.

2. Restart Headlamp (if needed)

# If you updated Helm values or ConfigMaps
kubectl -n <your-namespace> rollout restart deployment/headlamp

# Wait for pod to be ready
kubectl -n <your-namespace> wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s

3. Clear Browser Cache

Critical: Hard refresh your browser to load the new plugin JavaScript:

  • Mac: Cmd+Shift+R
  • Windows/Linux: Ctrl+Shift+R

4. Verify Installation

UI Verification:

  1. Navigate to Settings → Plugins
  2. Verify "headlamp-polaris-plugin" is listed
  3. Check version matches installed version
  4. Verify Polaris appears in sidebar
  5. Click Polaris → Overview page loads
  6. Cluster score displays correctly

CLI Verification:

# Verify plugin files exist
kubectl -n <your-namespace> exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/

# Expected output:
# drwxr-xr-x  dist/
# -rw-r--r--  package.json

# Check Headlamp logs for errors
kubectl -n <your-namespace> logs deployment/headlamp | grep -i polaris

# Expected: No errors related to plugin loading

# Test Polaris API access
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion

# Expected: "1.0" or similar

Troubleshooting

Plugin Not in Sidebar

Symptom: Plugin listed in Settings → Plugins but no "Polaris" entry in sidebar

Causes:

  1. Browser cache not cleared
  2. Plugin JavaScript failed to load
  3. Plugin files not properly installed

Solution:

# 1. Verify plugin files exist
kubectl -n <your-namespace> exec deployment/headlamp -c headlamp -- \
  ls -la /headlamp/plugins/headlamp-polaris-plugin/

# Expected: dist/, package.json present

# 2. Check Headlamp logs for plugin errors
kubectl -n <your-namespace> logs deployment/headlamp | grep -i polaris

# 3. Hard refresh browser (Cmd+Shift+R or Ctrl+Shift+R)

# 4. Check browser console for JavaScript errors
# Open DevTools → Console tab

403 Forbidden Error

Symptom: Error loading Polaris data, 403 in browser console

Cause: RBAC permissions missing or incorrect

Solution:

See RBAC Issues for detailed debugging.

404 Not Found Error

Symptom: Error loading Polaris data, 404 in browser console

Causes:

  1. Polaris not deployed
  2. Polaris service name incorrect
  3. Polaris namespace incorrect

Solution:

# Verify Polaris deployment
kubectl -n polaris get pods
kubectl -n polaris get svc polaris-dashboard

# If service doesn't exist, install Polaris:
helm install polaris fairwinds-stable/polaris \
  --namespace polaris \
  --create-namespace \
  --set dashboard.enabled=true

Plugin Version Mismatch

Symptom: Settings shows old version, ArtifactHub shows new version

Cause: ArtifactHub sync delay (30 minutes) or plugin manager cache

Solution:

# Wait 30 minutes for ArtifactHub sync
# Or manually force Headlamp restart:
kubectl -n <your-namespace> rollout restart deployment/headlamp

Next Steps

References

Reference in New Issue View Git Blame Copy Permalink