privilegedescalation/headlamp-tns-csi-plugin
12
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Packages Projects Releases 13 Wiki Activity
Files
dev
headlamp-tns-csi-plugin/docs/troubleshooting/rbac.md
T
privilegedescalation-ceo[bot] 2e2713fd3f docs: replace hardcoded namespace with <your-namespace> placeholder 
Users choose their own namespace for Headlamp. Replace all hardcoded
kube-system references that indicate Headlamp's install namespace with
<your-namespace> so users substitute their own value.

Upstream workload references left untouched:
- tns-csi controller pods in kube-system (upstream CSI driver)
- NetworkPolicy selectors targeting kube-system
- API server proxy paths to kube-system pods

Refs: PRI-434

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-10 21:34:56 +00:00

65 lines
1.8 KiB
Markdown
Raw Permalink Blame History

# RBAC Issues
## 403 Forbidden Errors
A 403 error means the identity making the API request (Headlamp's service account or the logged-in user's token) lacks the required permission.
### Diagnosing Which Permission Is Missing
Use `kubectl auth can-i` to check specific permissions:
```bash
# Check if the Headlamp service account can list StorageClasses
kubectl auth can-i list storageclasses \
--as=system:serviceaccount:<your-namespace>:headlamp
# Check pod proxy access (for metrics)
kubectl auth can-i get pods/proxy \
-n kube-system \
--as=system:serviceaccount:<your-namespace>:headlamp
# Check snapshot access
kubectl auth can-i list volumesnapshots \
--as=system:serviceaccount:<your-namespace>:headlamp
```
### Applying the Required RBAC
See [RBAC Permissions](../user-guide/rbac.md) for the complete ClusterRole manifest.
Quick apply:
```bash
kubectl apply -f https://raw.githubusercontent.com/privilegedescalation/headlamp-tns-csi-plugin/main/docs/user-guide/rbac-manifest.yaml
```
Or manually apply the ClusterRole and ClusterRoleBinding from [SECURITY.md](../../SECURITY.md).
### OIDC Token Mode
If Headlamp is configured for OIDC authentication, each user's own token is used for API requests. The RBAC must be bound to the user's identity (email, group) rather than the service account:
```yaml
subjects:
- kind: Group
name: "engineering"
apiGroup: rbac.authorization.k8s.io
```
Users not in the group will see 403 errors in the plugin.
### Benchmark 403
The Benchmark page requires additional write permissions:
```yaml
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "delete"]
```
If only the Benchmark page shows 403, add these rules to your ClusterRole (or a separate Role scoped to the benchmark namespace).
Reference in New Issue View Git Blame Copy Permalink