Closed dioniseo closed 5 months ago
Hi @Denis220795 . When you say "When trying to open CRDs from this namespace", what does this mean? Do you mean opening the list of CRs in Headlamp?
Have you tested setting up the namespace you have access to as an accessible namespace in the cluster's settings?
Hi @joaquimrocha , yes this is exactly what I did:
So it seems like the accessible namespaces parameter is ignored in the case of CustomResource. But this parameter works perfectly fine with the classic Kubernetes resources like pods, ingresses, deployments, etc.
Hm, one interesting thing I've noticed is that when I was testing this PR https://github.com/headlamp-k8s/headlamp/pull/1558 - I found that accessible namespaces are taken into account and I can view/manage namespace-scoped custom resources in case I provide accessible namespaces, and Headlamp shows me only the custom resources from these namespaces. Do you think that was also covered/fixed in this PR?
@Denis220795 Do you mean the issue is fixed when you tested that PR? The PR is merged, so probably we can close this if you cannot reproduce it anymore.
Closed as confirmed it's working by @derbauer97.
The issue is the following: there is a user who has admin access only to specific namespaces. An additional ClusterRole was added with permissions to list CustomResourceDefinitions in the cluster (to get all available definitions and show them in the "Custom Resources" tab). Also, specific namespaces were added to the allowed namespaces configuration in Headlamp. When trying to open CRDs from this namespace, it was found out that even though the user has namespace admin access (RoleBinding), they cannot list namespace-scoped CRDs, as Headlamp is trying to get these resources at cluster-wide scope. Instead it should list CRDs only for the configured allowed namespaces list if the resource is namespace scoped.
The workaround for this issue is to create an additional ClusterRole for this user with the same get/list/watch permissions for the desired CRDs (servicemonitors, certificates, prometheusrules, etc.), but the drawback of this approach is that the user will be able to see CRDs not only from the allowed namespaces but also from all other namespaces in the cluster.
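The least-privilege split the issue describes, written out as an added example (not a manifest from the issue or from Headlamp): a cluster-scoped role that only lists CRD definitions, and a namespaced Role for the CR instances, so the user never needs the cluster-wide workaround. The group name `dev-team`, namespace `team-a` and role names are placeholders; the API groups and resource names are the real ones for Prometheus Operator and cert-manager.

```yaml
# Added example, not the project's own manifest. Names are placeholders.
# 1) Cluster-wide: enough to list CRD *definitions* so Headlamp can populate
#    its "Custom Resources" tab, but no access to any CR instance.
#    Bind it to the user or group with a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: headlamp-crd-reader
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
---
# 2) Namespaced: access to the CR *instances* only inside an allowed
#    namespace. Repeat Role + RoleBinding for every allowed namespace.
#    Putting these same rules in a ClusterRole is the workaround from the
#    issue, and it is what exposes CRs from every other namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cr-reader
  namespace: team-a
rules:
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors", "prometheusrules"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cr-reader-dev-team
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cr-reader
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
```

To confirm the scoping before pointing Headlamp at it, `kubectl auth can-i list servicemonitors.monitoring.coreos.com -n team-a --as someone --as-group dev-team` should answer `yes`, while the same query with `--all-namespaces` (or against another namespace) should answer `no`.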