privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
Files
e2ae92648c84d54d2cd42faac603a7e20644ae30
headlamp-polaris-plugin/docs/user-guide/configuration.md
T
privilegedescalation-ceo[bot] e2ae92648c docs: replace hardcoded namespace with <your-namespace> placeholder 
* docs: update Headlamp install namespace references from kube-system to headlamp

Updates all documentation references to the Headlamp install namespace
from kube-system to headlamp as part of PRI-433.

In-scope files updated:
- README.md, SECURITY.md
- docs/getting-started/installation.md, quick-start.md, prerequisites.md
- docs/deployment/helm.md, kubernetes.md, production.md
- docs/troubleshooting/README.md, common-issues.md, rbac-issues.md
- docs/user-guide/configuration.md, rbac-permissions.md
- docs/TESTING.md, TROUBLESHOOTING.md, DEPLOYMENT.md

Out-of-scope (unchanged):
- Source files referencing upstream workload namespace
- RBAC manifests describing Polaris namespace (polaris ns is unchanged)
- NetworkPolicy namespaceSelector (API server runs in kube-system)
- design-decisions.md and ARCHITECTURE.md (URL hashes refer to cluster namespaces, not Headlamp install ns)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix: correct RBAC manifest per QA review (PRI-555)

- Remove rbac.authorization.k8s.io privilege escalation block
- Fix orphaned comment from round 1
- Add EOF newline
- Keep serviceaccounts/token for E2E auth (confirmed needed)
- Namespace already correct (privilegedescalation-dev)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* docs: replace hardcoded namespace with <your-namespace> placeholder

Users choose their own namespace for Headlamp. Replace all hardcoded
namespace references (headlamp, kube-system) in user-facing docs with
<your-namespace> so users substitute their own value.

Conventions:
- Helm install: --namespace <your-namespace> --create-namespace
- kubectl commands: -n <your-namespace>
- YAML metadata: namespace: <your-namespace>
- Prose: "the namespace where Headlamp is installed"

Out-of-scope references left untouched:
- kube-system in NetworkPolicy selectors (API server namespace)
- polaris namespace references (upstream workload namespace)
- Source code and test files

Refs: PRI-433

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* docs: fix remaining hardcoded headlamp namespace to <your-namespace> placeholder

Prior commit was inconsistent — some files used <your-namespace> while
DEPLOYMENT.md, TROUBLESHOOTING.md and several troubleshooting/user-guide
docs still hardcoded headlamp as the namespace.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-10 21:34:49 +00:00

413 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Configuration Guide
Customize the Headlamp Polaris Plugin to fit your environment.
## Plugin Settings
Access plugin settings via **Settings → Plugins → Polaris** in the Headlamp UI.
## Refresh Interval
**What it does:** Controls how often the plugin fetches the latest audit data from Polaris.
### Available Options
- **1 minute** - Most frequent updates, highest API load
- **5 minutes** - **Default**, balanced load and freshness
- **10 minutes** - Moderate refresh rate
- **30 minutes** - Light load, best for large clusters
### How to Change
1. Navigate to **Settings → Plugins → Polaris**
2. Click the **Refresh Interval** dropdown
3. Select your desired interval
4. Click **Save**
5. Changes take effect immediately (no browser refresh needed)
### Impact
**Affects:**
- Dashboard overview page
- Namespace list and detail views
- Inline audit sections on resource pages
- App bar score badge
**API Load:**
- Each refresh triggers one HTTP GET to Polaris dashboard
- Each request is logged in Kubernetes audit logs
- Longer intervals reduce API server and audit log pressure
### Performance Considerations
**For small clusters (<100 pods):**
- Recommended: 5 minutes (default)
- Acceptable: 1 minute (if real-time data is critical)
**For large clusters (>1000 pods):**
- Recommended: 10-30 minutes
- Reason: Reduces audit log volume and API server load
- Example: 10 users × 1-minute refresh = ~14,400 audit logs/day
- Example: 10 users × 30-minute refresh = ~480 audit logs/day
**For production environments:**
- Start with 5 minutes
- Monitor API server metrics and audit log volume
- Increase interval if needed
## Dashboard URL
**What it does:** Specifies which Polaris instance the plugin connects to.
### Default Configuration
**Service proxy path (default):**
```
/api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/
```
This uses the Kubernetes API server to proxy requests to the Polaris dashboard service in the `polaris` namespace.
**Advantages:**
- Uses existing Headlamp authentication (service account or user token)
- Works with Headlamp's OIDC and token-auth modes
- No additional RBAC or network configuration needed
- Respects Kubernetes NetworkPolicies
### Custom URL Scenarios
#### External Polaris (HTTPS)
If Polaris is deployed outside the cluster with an external URL:
```
https://polaris.example.com/
```
**Requirements:**
- Polaris dashboard must be accessible from browser
- CORS must be configured on Polaris to allow Headlamp origin
- HTTPS recommended for production
#### Custom Namespace
If Polaris is deployed in a different namespace:
```
/api/v1/namespaces/custom-namespace/services/polaris-dashboard:80/proxy/
```
**Requirements:**
- Update RBAC Role namespace to match
- Service name must still be `polaris-dashboard` (or adjust in URL)
#### Non-Standard Port
If Polaris dashboard uses a different port:
```
/api/v1/namespaces/polaris/services/polaris-dashboard:8080/proxy/
```
#### Local Development
For local Polaris development instance:
```
http://localhost:8080/
```
**Note:** Browser may block mixed content (HTTPS Headlamp → HTTP Polaris).
### How to Change Dashboard URL
1. Navigate to **Settings → Plugins → Polaris**
2. Update the **Dashboard URL** field
3. Click **Test Connection** to verify (recommended)
4. Click **Save** if connection test succeeds
### Connection Testing
**What it does:** Verifies the plugin can reach the Polaris dashboard and fetch audit data.
**To test:**
1. Enter Dashboard URL in settings
2. Click **Test Connection**
3. Wait for response (2-5 seconds)
**Success Response:**
```
✓ Connected to Polaris v4.2.0
```
**Error Responses:**
| Error | Meaning | Solution |
| --------------------------- | ------------------------- | ----------------------------------------------------------- |
| **403 Forbidden** | RBAC permission denied | Check RBAC bindings (see [RBAC Guide](rbac-permissions.md)) |
| **404 Not Found** | Polaris service not found | Verify Polaris is running: `kubectl get svc -n polaris` |
| **503 Service Unavailable** | Polaris pod not ready | Check pod status: `kubectl get pods -n polaris` |
| **Network Error** | Cannot reach URL | Check URL format, CORS (for external), NetworkPolicies |
| **CORS Error** | Cross-origin blocked | Configure Polaris dashboard CORS headers |
### CORS Configuration (External Polaris)
If using an external Polaris URL, configure CORS to allow Headlamp origin.
**Polaris Helm values:**
```yaml
dashboard:
enabled: true
env:
- name: CORS_ALLOWED_ORIGINS
value: 'https://headlamp.example.com'
```
**Test CORS:**
```bash
curl -v -H "Origin: https://headlamp.example.com" \
https://polaris.example.com/results.json \
| grep -i "access-control"
# Expected:
# Access-Control-Allow-Origin: https://headlamp.example.com
```
## Advanced Configuration
### Persistent Settings Storage
Plugin settings are stored in browser **localStorage**:
**Keys:**
- `polaris-plugin-refresh-interval` - Refresh interval in seconds (number)
- `polaris-plugin-dashboard-url` - Dashboard URL (string)
**View settings:**
```javascript
// Open browser DevTools Console (F12)
console.log('Refresh Interval:', localStorage.getItem('polaris-plugin-refresh-interval'));
console.log('Dashboard URL:', localStorage.getItem('polaris-plugin-dashboard-url'));
```
**Reset to defaults:**
```javascript
// Open browser DevTools Console (F12)
localStorage.removeItem('polaris-plugin-refresh-interval');
localStorage.removeItem('polaris-plugin-dashboard-url');
// Hard refresh browser: Cmd+Shift+R (Mac) or Ctrl+Shift+R (Windows/Linux)
```
**Notes:**
- Settings are per-browser, per-user
- Private/incognito mode may clear settings on browser close
- Settings are NOT synced across devices
## Configuration Best Practices
### For Development Clusters
**Recommended Settings:**
- **Refresh Interval:** 1-5 minutes (faster feedback loop)
- **Dashboard URL:** Service proxy (default)
**Why:** Development clusters are typically small, so API load is minimal. Faster refresh helps catch issues quickly during development.
### For Staging Clusters
**Recommended Settings:**
- **Refresh Interval:** 5-10 minutes (balanced)
- **Dashboard URL:** Service proxy (default)
**Why:** Staging should mirror production configuration. 5-10 minutes provides reasonable freshness without excessive load.
### For Production Clusters
**Recommended Settings:**
- **Refresh Interval:** 10-30 minutes (reduce load)
- **Dashboard URL:** Service proxy (default)
**Why:** Production clusters are larger and more critical. Longer intervals reduce audit log volume and API pressure. Polaris audits typically run every 10-30 minutes anyway, so more frequent plugin refreshes don't provide much value.
### For Multi-Tenant Environments
**Recommended Settings:**
- **Refresh Interval:** 10-30 minutes (minimize per-user load)
- **Dashboard URL:** Service proxy with per-namespace RBAC
**Why:** Many concurrent Headlamp users can create significant API load. Longer intervals prevent thundering herd issues.
### For External Polaris
**Recommended Settings:**
- **Refresh Interval:** 5-10 minutes (depends on network latency)
- **Dashboard URL:** `https://polaris.example.com/`
- **CORS:** Must be configured on Polaris side
**Why:** External Polaris avoids Kubernetes service proxy overhead but requires CORS configuration and network accessibility.
## Troubleshooting Configuration
### Settings Not Saving
**Symptom:** Changes to settings revert after clicking Save
**Possible Causes:**
1. Browser blocks localStorage (privacy mode)
2. Browser extension interfering
3. JavaScript error in console
**Solution:**
1. Open browser DevTools Console (F12)
2. Check for JavaScript errors
3. Disable privacy mode or try different browser
4. Check if localStorage is enabled:
```javascript
console.log('localStorage available:', typeof localStorage !== 'undefined');
```
### Settings Lost After Browser Restart
**Symptom:** Settings reset to defaults when you reopen browser
**Cause:** Browser privacy settings clear localStorage on exit
**Solution:**
- Use normal browsing mode (not private/incognito)
- Check browser settings for "Clear data on exit"
- Consider requesting ConfigMap-based settings (future feature)
### Connection Test Fails
**Symptom:** Test Connection button shows error
**Solutions by error type:**
**403 Forbidden:**
```bash
# Verify RBAC exists
kubectl -n polaris get role polaris-proxy-reader
kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:<your-namespace>:headlamp \
-n polaris \
--resource-name=polaris-dashboard
```
**404 Not Found:**
```bash
# Verify Polaris is running
kubectl -n polaris get pods
kubectl -n polaris get svc polaris-dashboard
# If missing, install Polaris
helm install polaris fairwinds-stable/polaris \
--namespace polaris \
--create-namespace \
--set dashboard.enabled=true
```
**503 Service Unavailable:**
```bash
# Check pod status
kubectl -n polaris get pods
# Check pod logs
kubectl -n polaris logs deployment/polaris-dashboard
```
**Network Error / CORS:**
```bash
# For external Polaris, test CORS
curl -v -H "Origin: https://headlamp.example.com" \
https://polaris.example.com/results.json
# Check for Access-Control-Allow-Origin header
```
### Refresh Interval Not Working
**Symptom:** Data doesn't refresh automatically
**Check:**
1. Verify setting is saved (localStorage key exists)
2. Check browser console for errors
3. Verify Polaris is returning data (manual refresh works)
4. Ensure you're on a Polaris plugin page (not other Headlamp pages)
**Debug:**
```javascript
// Check refresh interval
console.log(localStorage.getItem('polaris-plugin-refresh-interval'));
// Should return: "300" (5 minutes), "600" (10 minutes), etc.
```
## Configuration Checklist
Before going to production, verify:
- [ ] Refresh interval set appropriately (10-30 min for large clusters)
- [ ] Dashboard URL tested and working
- [ ] Connection test passes
- [ ] RBAC permissions granted (see [RBAC Guide](rbac-permissions.md))
- [ ] NetworkPolicies allow API server → Polaris (if using network policies)
- [ ] CORS configured (if using external Polaris)
- [ ] Browser localStorage enabled
- [ ] Settings persist across browser restarts
## Future Configuration Options
**Planned features:**
- ConfigMap-based settings (server-side, not localStorage)
- Per-cluster settings (multi-cluster Headlamp support)
- Webhook notifications for score changes
- Custom check severity overrides
- Exemption management UI (requires RBAC PATCH permission)
## Next Steps
- **[Features Guide](features.md)** - Learn about all plugin features
- **[RBAC Permissions](rbac-permissions.md)** - Configure advanced RBAC for token-auth, OIDC
- **[Troubleshooting](../troubleshooting/README.md)** - Diagnose common configuration issues
## References
- [Polaris Configuration](https://polaris.docs.fairwinds.com/customization/checks/)
- [Kubernetes Service Proxy](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-services/)
- [CORS Documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
Reference in New Issue View Git Blame Copy Permalink