headlamp-tns-csi-plugin/docs/user-guide/rbac.md
privilegedescalation-ceo[bot] 2e2713fd3f docs: replace hardcoded namespace with <your-namespace> placeholder
Users choose their own namespace for Headlamp. Replace all hardcoded
kube-system references that indicate Headlamp's install namespace with
<your-namespace> so users substitute their own value.

Upstream workload references left untouched:
- tns-csi controller pods in kube-system (upstream CSI driver)
- NetworkPolicy selectors targeting kube-system
- API server proxy paths to kube-system pods

Refs: PRI-434

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-10 21:34:56 +00:00


RBAC Permissions

Overview

The plugin requires different permissions depending on which features you use. Start with the read-only set and add the benchmark write permissions only if needed.

Read-Only Permissions (All Pages Except Benchmark)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: headlamp-tns-csi-reader
rules:
  # StorageClasses and CSIDriver
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "csidrivers"]
    verbs: ["get", "list", "watch"]

  # PersistentVolumes (cluster-scoped)
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]

  # PersistentVolumeClaims (all namespaces)
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]

  # tns-csi driver pods and their logs/proxy (for metrics)
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log", "pods/proxy"]
    verbs: ["get"]

  # VolumeSnapshots (optional — gracefully degraded if absent)
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots", "volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-tns-csi
subjects:
  - kind: ServiceAccount
    name: headlamp          # adjust to your Headlamp service account name
    namespace: <your-namespace>
roleRef:
  kind: ClusterRole
  name: headlamp-tns-csi-reader
  apiGroup: rbac.authorization.k8s.io

Additional Permissions for Benchmark Page

The Benchmark page creates and deletes a Job and PVC. These rules can be added to the ClusterRole above, or bound as a separate namespaced Role scoped to a dedicated benchmark namespace.

  # Benchmark: create/delete kbench Job
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "delete"]

  # Benchmark: create/delete kbench PVC
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "delete"]

Scoping Benchmark Permissions to a Namespace

For tighter security, restrict benchmark write permissions to a dedicated namespace using a Role + RoleBinding instead of ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: headlamp-tns-csi-benchmark
  namespace: storage-benchmarks   # dedicated benchmark namespace
rules:
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: headlamp-tns-csi-benchmark
  namespace: storage-benchmarks
subjects:
  - kind: ServiceAccount
    name: headlamp
    namespace: <your-namespace>
roleRef:
  kind: Role
  name: headlamp-tns-csi-benchmark
  apiGroup: rbac.authorization.k8s.io

With this configuration, benchmark jobs can only be created in the storage-benchmarks namespace.
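As an added example (not part of the plugin's documentation or code), the script below transcribes the read-only ClusterRole and the namespaced benchmark Role from this page into Python and re-implements the matching logic the Kubernetes RBAC authorizer applies: wildcard `*` groups, verbs and resources, explicit subresource names such as `pods/proxy`, the `*/subresource` form, and the difference in reach between a ClusterRoleBinding and a RoleBinding. It lets you answer "what can the `headlamp` service account do, and where?" offline, and includes a least-privilege check that flags any mutating verb granted by a cluster-wide binding, which is exactly what happens if you take the alternative in the Benchmark section and paste the write rules into the ClusterRole instead of a Role. The rule dicts mirror the YAML above; the helper names are this example's own.

```python
"""Offline model of how the RBAC authorizer evaluates the manifests in this guide.

Added illustration, not the plugin's own code. Rules are transcribed from the
YAML above; the evaluator mirrors the authorizer's rule matching so the
effective permissions of the `headlamp` service account can be checked
before anything is applied to a cluster.
"""

# Transcribed from the headlamp-tns-csi-reader ClusterRole (read-only set).
READER_CLUSTER_ROLE = [
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses", "csidrivers"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["persistentvolumeclaims"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/log", "pods/proxy"], "verbs": ["get"]},
    {"apiGroups": ["snapshot.storage.k8s.io"],
     "resources": ["volumesnapshots", "volumesnapshotclasses"], "verbs": ["get", "list", "watch"]},
]

# Transcribed from the headlamp-tns-csi-benchmark Role (namespaced write set).
BENCHMARK_ROLE = [
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["persistentvolumeclaims"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
]

# A ClusterRoleBinding (namespace=None) applies to every namespace and to
# cluster-scoped requests; a RoleBinding applies only inside its own namespace.
BINDINGS = [
    {"namespace": None, "rules": READER_CLUSTER_ROLE},
    {"namespace": "storage-benchmarks", "rules": BENCHMARK_ROLE},
]


def _rule_matches(rule, api_group, resource, verb):
    """Mirror the authorizer: '*' wildcards, exact resource names, '*/sub' form."""
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    res_ok = False
    for r in rule["resources"]:
        # A rule naming "pods" does NOT cover "pods/log" or "pods/proxy";
        # subresources must be named explicitly (or via "*/log", or "*").
        if r == "*" or r == resource:
            res_ok = True
        elif subresource and r.startswith("*/") and r[2:] == subresource:
            res_ok = True
    return group_ok and verb_ok and res_ok


def can_i(verb, resource, api_group="", namespace=None, bindings=BINDINGS):
    """Can the bound subject <verb> <resource> in <namespace>?

    namespace=None is a cluster-scoped request (listing PersistentVolumes, or
    listing PVCs across all namespaces); only a ClusterRoleBinding can grant it.
    """
    for b in bindings:
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        if any(_rule_matches(rule, api_group, resource, verb) for rule in b["rules"]):
            return True
    return False


def write_verbs_granted_cluster_wide(bindings=BINDINGS):
    """Least-privilege check: mutating verbs should never come from a cluster-wide binding."""
    mutating = {"create", "update", "patch", "delete", "deletecollection"}
    found = set()
    for b in bindings:
        if b["namespace"] is None:
            for rule in b["rules"]:
                found |= mutating & set(rule["verbs"])
    return sorted(found)


if __name__ == "__main__":
    print("list PVs cluster-wide:     ", can_i("list", "persistentvolumes"))
    print("get pods/proxy kube-system:", can_i("get", "pods/proxy", namespace="kube-system"))
    print("create Job in benchmarks:  ", can_i("create", "jobs", "batch", namespace="storage-benchmarks"))
    print("create Job in kube-system: ", can_i("create", "jobs", "batch", namespace="kube-system"))
    print("cluster-wide write verbs:  ", write_verbs_granted_cluster_wide())
```

Against a live cluster the same questions can be put to the API server itself with `kubectl auth can-i create jobs -n storage-benchmarks --as=system:serviceaccount:<your-namespace>:headlamp` (and the same command with `-n kube-system`, which should answer `no`); the model above is only a way to reason about the manifests before they are applied.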

Permission Summary by Feature

| Feature | Permissions Required |
| --- | --- |
| Overview | storageclasses list, persistentvolumes list, persistentvolumeclaims list, pods list (kube-system), csidrivers get |
| Storage Classes | storageclasses list |
| Volumes | persistentvolumes list |
| Snapshots | volumesnapshots list, volumesnapshotclasses list |
| Metrics | pods/proxy get (kube-system controller pod) |
| Benchmark | jobs create/delete, persistentvolumeclaims create/delete |
| PVC Detail Injection | persistentvolumeclaims get, persistentvolumes get |