headlamp-tns-csi-plugin/docs/troubleshooting/rbac.md
Chris Farhood f1feb5c2f7 feat: native Headlamp integration, TrueNAS API, docs, and CI for v0.2.0
Native Headlamp integrations:
- registerResourceTableColumnsProcessor: add Protocol/Pool/Server columns to
  native StorageClass table and Protocol/Volume Handle to PV table
- registerDetailsViewSection: inject TNS-CSI section into PV detail pages
- registerDetailsViewSection: inject driver role/status into tns-csi Pod pages
- registerDetailsViewHeaderAction: Benchmark shortcut on StorageClass detail
- registerAppBarAction: driver health badge (N/Nc M/Mn, color-coded)
- Trim sidebar from 6 → 4 entries (Overview, Snapshots, Metrics, Benchmark)

TrueNAS API integration:
- src/api/truenas.ts: ConfigStore-backed settings, WebSocket JSON-RPC client
  for pool.query (auth.login_with_api_key + pool.query)
- src/components/TnsCsiSettings.tsx: API key + server override settings UI
  with connection test button
- TnsCsiDataContext: fetch real pool stats (size/allocated/free/status)
- OverviewPage: three-tier pool capacity display (real data → error → metrics
  fallback)

Documentation:
- README, CHANGELOG, CONTRIBUTING, SECURITY
- docs/: architecture, deployment (Helm), getting-started, user-guide,
  troubleshooting

CI:
- .github/workflows/ci.yaml: lint + type-check + test on PR/push
- .github/workflows/release.yaml: workflow_dispatch versioned release

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-18 16:37:56 -05:00


# RBAC Issues

## 403 Forbidden Errors

A 403 error means the identity making the API request (Headlamp's service account or the logged-in user's token) lacks the required permission.

## Diagnosing Which Permission Is Missing

Use `kubectl auth can-i` to check specific permissions:

```bash
# Check if the Headlamp service account can list StorageClasses
kubectl auth can-i list storageclasses \
  --as=system:serviceaccount:kube-system:headlamp

# Check pod proxy access (for metrics)
kubectl auth can-i get pods/proxy \
  -n kube-system \
  --as=system:serviceaccount:kube-system:headlamp

# Check snapshot access
kubectl auth can-i list volumesnapshots \
  --as=system:serviceaccount:kube-system:headlamp
```

## Applying the Required RBAC

See RBAC Permissions for the complete ClusterRole manifest.

Quick apply:

```bash
kubectl apply -f https://raw.githubusercontent.com/privilegedescalation/headlamp-tns-csi-plugin/main/docs/user-guide/rbac-manifest.yaml
```

Or manually apply the ClusterRole and ClusterRoleBinding from SECURITY.md.

## OIDC Token Mode

If Headlamp is configured for OIDC authentication, each user's own token is used for API requests, so the Headlamp service account's permissions do not apply. The ClusterRoleBinding must name the user's identity (a user email or a group) as its subject rather than the service account, for example:

```yaml
subjects:
  - kind: Group
    name: "engineering"
    apiGroup: rbac.authorization.k8s.io
```

Users not in the group will see 403 errors in the plugin.

## Benchmark 403

The Benchmark page requires additional write permissions:

```yaml
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["create", "delete"]
```

If only the Benchmark page shows 403, add these rules to your ClusterRole or, to keep the write permissions namespace-scoped, to a separate Role plus RoleBinding in the benchmark namespace.
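The `kubectl auth can-i` checks above and the benchmark rules can also be evaluated offline against a ClusterRole manifest before it is applied. The following is an added example, not part of the plugin's docs: `SAMPLE_RULES` is constructed input (only the two benchmark rules come from this page, the read-only rules are assumed), and `REQUIRED` lists the permissions the checks above probe, using the standard Kubernetes API group names. It follows RBAC's matching rules for `*` wildcards and for subresources such as `pods/proxy`, which a bare `pods` entry does not cover.

```python
# Added example, not part of the plugin's docs: an offline version of the
# `kubectl auth can-i` checks that evaluates a ClusterRole's rules locally,
# so a manifest's gaps show up before it is applied.

# Constructed sample ClusterRole rules. The two benchmark rules are the ones
# from the page; the read-only rules are assumed.
SAMPLE_RULES = [
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods", "persistentvolumes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["persistentvolumeclaims"],
     "verbs": ["create", "delete"]},
]

# (apiGroup, resource[/subresource], verb) triples probed by the can-i
# commands plus the benchmark rules; API group names are the standard ones.
REQUIRED = [
    ("storage.k8s.io", "storageclasses", "list"),
    ("", "pods/proxy", "get"),
    ("snapshot.storage.k8s.io", "volumesnapshots", "list"),
    ("batch", "jobs", "create"),
    ("", "persistentvolumeclaims", "create"),
]


def rule_allows(rule, group, resource, verb):
    """True if one PolicyRule grants (group, resource, verb).

    Follows RBAC matching: "*" matches anything in its field, and a
    subresource like pods/proxy is matched only by "pods/proxy", "*/proxy"
    or "*", never by a bare "pods" entry.
    """
    groups, resources, verbs = (rule.get(k, []) for k in
                                ("apiGroups", "resources", "verbs"))
    if "*" not in groups and group not in groups:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    if "*" in resources or resource in resources:
        return True
    sub = resource.split("/", 1)[1] if "/" in resource else None
    return sub is not None and f"*/{sub}" in resources


def missing_permissions(rules, required=REQUIRED):
    """Return the required triples that no rule in the ClusterRole grants."""
    return [req for req in required
            if not any(rule_allows(r, *req) for r in rules)]
```

Running `missing_permissions(SAMPLE_RULES)` reports `get pods/proxy` and `list volumesnapshots` as missing: the metrics proxy needs the subresource spelled out, and the snapshot group is absent from the sample entirely.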