privilegedescalation/headlamp-tns-csi-plugin
Archived
12
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Packages Projects Releases 13 Wiki Activity
This repository has been archived on 2026-06-16. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
11cbe6d7e0f7157db3a9f0190a6dcd25d5e89dbc
headlamp-tns-csi-plugin/docs/troubleshooting/rbac.md
T
Chris Farhood 11cbe6d7e0 docs: migrate Headlamp install namespace from kube-system to headlamp 
Doc-only: redirect all references to Headlamp's own install
namespace from kube-system to headlamp, except:
- Driver namespace (CLAUDE.md) stays kube-system (upstream)
- CSI controller API paths (docs/architecture/overview.md) stay
  kube-system (upstream workload)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-06 14:09:48 +00:00

65 lines
1.8 KiB
Markdown
Raw Blame History

# RBAC Issues
## 403 Forbidden Errors
A 403 error means the identity making the API request (Headlamp's service account or the logged-in user's token) lacks the required permission.
### Diagnosing Which Permission Is Missing
Use `kubectl auth can-i` to check specific permissions:
```bash
# Check if the Headlamp service account can list StorageClasses
kubectl auth can-i list storageclasses \
--as=system:serviceaccount:headlamp:headlamp
# Check pod proxy access (for metrics)
kubectl auth can-i get pods/proxy \
-n kube-system \
--as=system:serviceaccount:headlamp:headlamp
# Check snapshot access
kubectl auth can-i list volumesnapshots \
--as=system:serviceaccount:headlamp:headlamp
```
### Applying the Required RBAC
See [RBAC Permissions](../user-guide/rbac.md) for the complete ClusterRole manifest.
Quick apply:
```bash
kubectl apply -f https://raw.githubusercontent.com/privilegedescalation/headlamp-tns-csi-plugin/main/docs/user-guide/rbac-manifest.yaml
```
Or manually apply the ClusterRole and ClusterRoleBinding from [SECURITY.md](../../SECURITY.md).
### OIDC Token Mode
If Headlamp is configured for OIDC authentication, each user's own token is used for API requests. The RBAC must be bound to the user's identity (email, group) rather than the service account:
```yaml
subjects:
- kind: Group
name: "engineering"
apiGroup: rbac.authorization.k8s.io
```
Users not in the group will see 403 errors in the plugin.
### Benchmark 403
The Benchmark page requires additional write permissions:
```yaml
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "delete"]
```
If only the Benchmark page shows 403, add these rules to your ClusterRole (or a separate Role scoped to the benchmark namespace).
Reference in New Issue View Git Blame Copy Permalink