From 2e2713fd3fd51f6ad93fd8e874d77c7eae2ab9f0 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-ceo[bot]" <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>
Date: Sun, 10 May 2026 21:34:56 +0000
Subject: [PATCH] docs: replace hardcoded namespace with placeholder
Users choose their own namespace for Headlamp. Replace all hardcoded kube-system references that indicate Headlamp's install namespace with so users substitute their own value.
Upstream workload references left untouched:
- tns-csi controller pods in kube-system (upstream CSI driver)
- NetworkPolicy selectors targeting kube-system
- API server proxy paths to kube-system pods
Refs: PRI-434
Co-authored-by: Chris Farhood
Co-authored-by: Paperclip
---
 SECURITY.md | 6 +++---
 docs/deployment/helm.md | 14 +++++++-------
 docs/getting-started/installation.md | 2 +-
 docs/getting-started/quick-start.md | 6 +++---
 docs/troubleshooting/README.md | 4 ++--
 docs/troubleshooting/benchmark.md | 4 ++--
 docs/troubleshooting/metrics.md | 2 +-
 docs/troubleshooting/rbac.md | 6 +++---
 docs/user-guide/rbac.md | 4 ++--
 9 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index d03536f..ddb626a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -91,7 +91,7 @@ metadata: subjects: - kind: ServiceAccount name: headlamp
- namespace: kube-system # adjust to your Headlamp namespace
+ namespace:
 roleRef: kind: ClusterRole name: headlamp-tns-csi-reader
@@ -143,7 +143,7 @@ The Kubernetes API server performs the pod proxy hop, so policies should permit ### Service Account (Default)
-Headlamp runs with a dedicated service account (`headlamp` in `kube-system`). All users share the same RBAC permissions.
+Headlamp runs with a dedicated service account (`headlamp` in the namespace where Headlamp is installed). All users share the same RBAC permissions.
 **Security Considerations:** - All users have identical access to plugin functionality including Benchmark 
@@ -223,7 +223,7 @@ All API requests are logged in Kubernetes API audit logs (if enabled). Pod proxy "verb": "get", "requestURI": "/api/v1/namespaces/kube-system/pods//proxy/metrics", "user": {
- "username": "system:serviceaccount:kube-system:headlamp"
+ "username": "system:serviceaccount::headlamp"
 } } ```
diff --git a/docs/deployment/helm.md b/docs/deployment/helm.md
index a4a2e55..a853b05 100644
--- a/docs/deployment/helm.md
+++ b/docs/deployment/helm.md
@@ -9,7 +9,7 @@ helm repo add headlamp https://headlamp-k8s.github.io/headlamp/ helm repo update helm install headlamp headlamp/headlamp \
- --namespace kube-system \
+ --namespace \
 --create-namespace \ --set config.pluginsDir=/headlamp/plugins \ --set pluginsManager.sources[0].name=tns-csi \
@@ -44,7 +44,7 @@ Apply: ```bash helm install headlamp headlamp/headlamp \
- --namespace kube-system \
+ --namespace \
 -f headlamp-values.yaml ```
@@ -55,7 +55,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: headlamp
- namespace: kube-system
+ namespace:
 spec: interval: 12h url: https://headlamp-k8s.github.io/headlamp/
@@ -64,7 +64,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: headlamp
- namespace: kube-system
+ namespace:
 spec: interval: 1h chart:
@@ -74,7 +74,7 @@ spec: sourceRef: kind: HelmRepository name: headlamp
- namespace: kube-system
+ namespace:
 values: config: pluginsDir: /headlamp/plugins
@@ -122,7 +122,7 @@ metadata: subjects: - kind: ServiceAccount name: headlamp
- namespace: kube-system
+ namespace:
 roleRef: kind: ClusterRole name: headlamp-tns-csi-reader
@@ -136,7 +136,7 @@ To upgrade to a new plugin version, update the `url` in your values and apply: ```bash helm upgrade headlamp headlamp/headlamp \
- --namespace kube-system \
+ --namespace \
 -f headlamp-values.yaml ```
diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md
index 2888d44..c41d943 100644
--- a/docs/getting-started/installation.md 
+++ b/docs/getting-started/installation.md
@@ -32,7 +32,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: headlamp
- namespace: kube-system
+ namespace:
 spec: chart: spec:
diff --git a/docs/getting-started/quick-start.md b/docs/getting-started/quick-start.md
index 71eba84..5813547 100644
--- a/docs/getting-started/quick-start.md
+++ b/docs/getting-started/quick-start.md
@@ -34,7 +34,7 @@ pluginsManager: Then upgrade your Headlamp release: ```bash
-helm upgrade headlamp headlamp/headlamp -f values.yaml -n kube-system
+helm upgrade headlamp headlamp/headlamp -f values.yaml -n
 ``` ## Step 2: Configure RBAC
@@ -70,7 +70,7 @@ metadata: subjects: - kind: ServiceAccount name: headlamp
- namespace: kube-system
+ namespace:
 roleRef: kind: ClusterRole name: headlamp-tns-csi-reader
@@ -78,7 +78,7 @@ roleRef: EOF ```
-Adjust `name: headlamp` and `namespace: kube-system` to match your Headlamp service account.
+Adjust `name: headlamp` and `namespace: ` to match your Headlamp service account.
 ## Step 3: Verify
diff --git a/docs/troubleshooting/README.md b/docs/troubleshooting/README.md
index 0388650..c473163 100644
--- a/docs/troubleshooting/README.md
+++ b/docs/troubleshooting/README.md
@@ -77,7 +77,7 @@ If a page shows a loading spinner indefinitely: 1. **Check browser console** for errors (F12 → Console) 2. **Check network tab** for failed API requests (look for 403, 404, 500)
-3. **Check Headlamp pod logs**: `kubectl logs -n kube-system -l app.kubernetes.io/name=headlamp`
+3. **Check Headlamp pod logs**: `kubectl logs -n -l app.kubernetes.io/name=headlamp`
 4. **Try refreshing** — the watch connection may have been interrupted ## Common API Errors
@@ -102,7 +102,7 @@ Look for errors related to `tns-csi`, `headlamp-plugin`, or Kubernetes API paths **Headlamp pod logs:** ```bash
-kubectl logs -n kube-system -l app.kubernetes.io/name=headlamp --tail=100
+kubectl logs -n -l app.kubernetes.io/name=headlamp --tail=100
 ``` **tns-csi controller logs:** 
diff --git a/docs/troubleshooting/benchmark.md b/docs/troubleshooting/benchmark.md
index 6bae6d1..1ac6742 100644
--- a/docs/troubleshooting/benchmark.md
+++ b/docs/troubleshooting/benchmark.md
@@ -8,10 +8,10 @@ The Benchmark page requires permissions to create and delete Jobs and PVCs: ```bash kubectl auth can-i create jobs -n \
- --as=system:serviceaccount:kube-system:headlamp
+ --as=system:serviceaccount::headlamp
 kubectl auth can-i create persistentvolumeclaims -n \
- --as=system:serviceaccount:kube-system:headlamp
+ --as=system:serviceaccount::headlamp
 ``` Apply the additional permissions if missing — see [RBAC Issues](rbac.md) or [SECURITY.md](../../SECURITY.md).
diff --git a/docs/troubleshooting/metrics.md b/docs/troubleshooting/metrics.md
index b66c813..5a5dfbc 100644
--- a/docs/troubleshooting/metrics.md
+++ b/docs/troubleshooting/metrics.md
@@ -47,7 +47,7 @@ This requires `get` on `pods/proxy` in `kube-system`: ```bash kubectl auth can-i get pods/proxy \ -n kube-system \
- --as=system:serviceaccount:kube-system:headlamp
+ --as=system:serviceaccount::headlamp
 ``` ### 5. Network Policies
diff --git a/docs/troubleshooting/rbac.md b/docs/troubleshooting/rbac.md
index 1663e46..e03eb2d 100644
--- a/docs/troubleshooting/rbac.md
+++ b/docs/troubleshooting/rbac.md
@@ -11,16 +11,16 @@ Use `kubectl auth can-i` to check specific permissions: ```bash # Check if the Headlamp service account can list StorageClasses kubectl auth can-i list storageclasses \
- --as=system:serviceaccount:kube-system:headlamp
+ --as=system:serviceaccount::headlamp
 # Check pod proxy access (for metrics) kubectl auth can-i get pods/proxy \ -n kube-system \
- --as=system:serviceaccount:kube-system:headlamp
+ --as=system:serviceaccount::headlamp
 # Check snapshot access kubectl auth can-i list volumesnapshots \
- --as=system:serviceaccount:kube-system:headlamp
+ --as=system:serviceaccount::headlamp
 ``` ### Applying the Required RBAC 
diff --git a/docs/user-guide/rbac.md b/docs/user-guide/rbac.md
index d06fb48..4290cb9 100644
--- a/docs/user-guide/rbac.md
+++ b/docs/user-guide/rbac.md
@@ -47,7 +47,7 @@ metadata: subjects: - kind: ServiceAccount name: headlamp # adjust to your Headlamp service account name
- namespace: kube-system # adjust to your Headlamp namespace
+ namespace:
 roleRef: kind: ClusterRole name: headlamp-tns-csi-reader
@@ -99,7 +99,7 @@ metadata: subjects: - kind: ServiceAccount name: headlamp
- namespace: kube-system
+ namespace:
 roleRef: kind: Role name: headlamp-tns-csi-benchmark