headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0

Cannot view namespace scoped CRDs with namespace restricted admin access #1553

Closed dioniseo closed 5 months ago

dioniseo commented 11 months ago

The issue is the following: there is a user who has admin access only to specific namespaces. An additional ClusterRole was added with permissions to list CustomResourceDefinitions in the cluster (to get all available definitions and show them in the "Custom Resources" tab). Also, specific namespaces were added to the allowed namespaces configuration in Headlamp. When trying to open CRDs from this namespace, it was found that even though the user has namespace admin access (RoleBinding), it cannot list namespace-scoped CRDs, as Headlamp is trying to get these resources at cluster-wide scope. Instead, it should list CRDs only for the configured allowed namespaces if the resource is namespace-scoped.

The workaround for this issue is to create an additional ClusterRole for this user with the same get/list/watch permissions for the desired CRDs (servicemonitors, certificates, prometheusrules, etc.), but the drawback of this approach is that the user will be able to see CRDs not only from the allowed namespaces but also from all other namespaces in the cluster.

joaquimrocha commented 11 months ago

Hi @Denis220795. When you say "When trying to open CRDs from this namespace", what does this mean? Do you mean opening the list of CRs in Headlamp?

Have you tested setting up the namespace you have access to as an accessible namespace in the cluster's settings?

dioniseo commented 11 months ago

Hi @joaquimrocha , yes this is exactly what I did:

  1. Added all namespaces where I have admin access to accessible namespaces settings in Headlamp.
  2. Tried to open Custom Resources tab -> it showed me the list of all CRDs in the cluster.
  3. I've tried to open, for example, the ServiceMonitor Custom Resource (as it's a namespace-scoped resource, I should be able to open it in the accessible namespace that I've configured in the settings).
  4. I think the expectation is that it should show me the ServiceMonitors only from the namespaces that I've configured as accessible namespaces in the cluster's settings, but instead it's trying to show all the ServiceMonitor resources in the cluster.
  5. As a result, if I don't have a ClusterRole that allows me to get these resources at cluster level, I'm not able to review/edit these resources if I have access only to specific namespaces.

So it seems like the accessible namespaces parameter is ignored in the case of Custom Resources. But this parameter works perfectly fine with the classic Kubernetes resources like pods, ingresses, deployments, etc.
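To make the permission picture in this thread concrete, here is an added Python example (not Headlamp's or Kubernetes' code) that models RBAC evaluation for the scenario above. It assumes a constructed user `dev` with a simplified wildcard admin Role bound in two namespaces plus a ClusterRole for listing CRDs, and shows why a cluster-wide list of a namespaced custom resource is denied while per-namespace lists succeed, and how the ClusterRole workaround exposes every other namespace.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Rule:          # one PolicyRule of a Role/ClusterRole
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

@dataclass
class Binding:       # RoleBinding when namespace is set, ClusterRoleBinding when None
    subjects: Set[str]
    rules: List[Rule]
    namespace: Optional[str] = None

def _allows(rule, verb, group, resource):
    pairs = ((rule.verbs, verb), (rule.api_groups, group), (rule.resources, resource))
    return all("*" in allowed or wanted in allowed for allowed, wanted in pairs)

def can(bindings, user, verb, group, resource, namespace=None):
    """namespace=None is a cluster-wide request, e.g. listing a resource across all namespaces."""
    for b in bindings:
        if user not in b.subjects:
            continue
        # A RoleBinding grants only inside its namespace; a cluster-wide request needs a ClusterRoleBinding.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(_allows(r, verb, group, resource) for r in b.rules):
            return True
    return False

# Constructed roles: simplified namespace admin (wildcard) plus the two read-only roles from the issue
NS_ADMIN = [Rule({"*"}, {"*"}, {"*"})]
CRD_READ = [Rule({"apiextensions.k8s.io"}, {"customresourcedefinitions"}, {"get", "list", "watch"})]
SM_READ = [Rule({"monitoring.coreos.com"}, {"servicemonitors"}, {"get", "list", "watch"})]

def scenario(with_workaround=False):
    bindings = [Binding({"dev"}, NS_ADMIN, namespace="team-a"),   # RoleBindings in the allowed namespaces
                Binding({"dev"}, NS_ADMIN, namespace="team-b"),
                Binding({"dev"}, CRD_READ)]                       # ClusterRoleBinding to list CRDs
    if with_workaround:   # the cluster-wide ClusterRole/ClusterRoleBinding workaround from the issue
        bindings.append(Binding({"dev"}, SM_READ))
    return bindings

def access_report(bindings, group="monitoring.coreos.com", resource="servicemonitors"):
    ask = lambda ns=None: can(bindings, "dev", "list", group, resource, ns)
    return {"list_crds_cluster_wide": can(bindings, "dev", "list", "apiextensions.k8s.io", "customresourcedefinitions"),
            "list_cr_in_team_a": ask("team-a"),
            "list_cr_cluster_wide": ask(),                  # the cluster-scoped request Headlamp makes
            "list_cr_in_kube_system": ask("kube-system")}   # over-exposure introduced by the workaround
```

Running `access_report(scenario())` gives `list_cr_cluster_wide: False` (the denial seen in Headlamp) while `list_cr_in_team_a` is `True`; with `with_workaround=True` every entry becomes `True`, including `kube-system`.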

dioniseo commented 11 months ago

Hm, one interesting thing I've noticed is that when I was testing this PR https://github.com/headlamp-k8s/headlamp/pull/1558, I found that accessible namespaces are taken into account and I can view/manage namespace-scoped custom resources if I provide accessible namespaces, and Headlamp shows me only the custom resources from these namespaces. Do you think that was also covered/fixed in this PR?

joaquimrocha commented 10 months ago

@Denis220795 Do you mean the issue is fixed when you tested that PR? The PR is merged, so probably we can close this if you cannot reproduce it anymore.

joaquimrocha commented 5 months ago

Closed as confirmed it's working by @derbauer97.