privilegedescalation/headlamp-tns-csi-plugin
Archived
12
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Packages Projects Releases 13 Wiki Activity

docs: update install docs to headlamp namespace (PRI-434)

Browse Source 
- Update Helm/plugin install URLs from v0.2.4 to v1.0.0
- README: add pods/proxy RBAC scope, clarify controller is in kube-system
- docs/getting-started/*: update all download URLs to v1.0.0
- docs/deployment/helm.md: update install URLs to v1.0.0
- docs/architecture/overview.md: Headlamp Pod label → headlamp namespace
- docs/README.md: fix ArtifactHub URL
- CHANGELOG.md: add [Unreleased] entry

Note: driver/API-path references to kube-system are preserved
as they describe where the tns-csi controller workload runs,
not where Headlamp is installed.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-05-06 14:26:28 +00:00
committed by Gandalf the Greybeard [agent]
parent be254b1eec
commit 72ce7fa585
7 changed files with 25 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+8 -4
View File
@@ -63,12 +63,12 @@ config:
pluginsManager:
sources:
- name: tns-csi
url: https://github.com/privilegedescalation/headlamp-tns-csi-plugin/releases/download/v0.2.4/tns-csi-0.2.4.tar.gz
url: https://github.com/privilegedescalation/headlamp-tns-csi-plugin/releases/download/v1.0.0/tns-csi-1.0.0.tar.gz
```
## RBAC / Security Setup
The plugin reads from the Kubernetes API and the tns-csi controller pod's Prometheus endpoint. The Benchmark page additionally creates and deletes Jobs and PVCs.
The plugin reads from the Kubernetes API and the tns-csi controller pod's Prometheus endpoint (deployed in `kube-system`). The Benchmark page additionally creates and deletes Jobs and PVCs.
### Minimal read-only permissions
@@ -90,6 +90,10 @@ rules:
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/proxy"]
verbs: ["get"]
resourceNames: ["pods"]
```
### Additional permissions for Benchmark page
@@ -105,13 +109,13 @@ rules:
### Metrics access
The plugin fetches Prometheus metrics from the tns-csi controller pod via the Kubernetes pod proxy sub-resource. Grant `get` on `pods/proxy` in `kube-system`:
The plugin fetches Prometheus metrics from the tns-csi controller pod via the Kubernetes pod proxy sub-resource in `kube-system`. Grant `get` on `pods/proxy` scoped to `kube-system`:
```yaml
- apiGroups: [""]
resources: ["pods/proxy"]
verbs: ["get"]
# Optionally scope to the controller pod namespace
# Scope to kube-system where the tns-csi controller runs
```
Apply the role and bind it to your Headlamp service account with a ClusterRoleBinding.