headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0

Pods are not displayed via the pods tab #2598

Open fatsolko opened 2 days ago

fatsolko commented 2 days ago

Describe the bug

Log in to headlamp, go to the dex namespace in which I gave the user full access.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-role
  namespace: dex
rules:
  - verbs:
      - '*'
    apiGroups:
      - '*'
    resources:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-role-binding
  namespace: dex
subjects:
  - kind: Group
    name: dex:infrastructure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer-role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-developer
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: dex:infrastructure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: developer

And I can get all the info if I navigate through the namespace tab to the resources. But if I go to the pod/secret/etc tab, they will not be available.

If I do the same in Lens with the same account, everything works as expected.

I understand that the problem is most likely that headlamp first tries to get all the pods in the cluster (I did not give such permissions) and filters them on the frontend: https://blabla.dev/c/main/pods?namespace=dex

And if you open the pod directly, then everything is ok: https://blabla.dev/c/main/pods/dex/dex-66c5fdc5b7-ng2bg

If I give get/list permissions on pods in the ClusterRole, everything will work, but I don't want to give permissions on pods in the whole cluster.

Environment:

Are you able to fix this issue?

No

sniok commented 2 days ago

Hi, thanks for opening an issue.

How to fix this: there's an "Allowed namespaces" setting that you can set, which will restrict all the requests to those particular namespaces.


I understand that the problem is most likely that headlamp first tries to get all the pods in the cluster (I did not give such permissions) and filter them on the frontend.

You're right, currently by default headlamp fetches all the pods and then filters by namespace. There's a related issue with a similar problem here: https://github.com/headlamp-k8s/headlamp/issues/1195
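The two comments above describe the same mechanism from both sides: the user's RBAC grants full access inside the dex namespace plus cluster-wide read on namespaces only, so a cluster-wide pod list is refused while a namespaced one succeeds, and the "Allowed namespaces" setting works around it by querying namespaces one at a time. The following is an added example, not Headlamp's or Kubernetes' code: a minimal RBAC evaluator loaded with the Role, ClusterRole and bindings from the issue, plus a simulated pods endpoint and the two fetch strategies. The pod inventory is constructed (only the dex pod name comes from the issue; the kube-system pod name is a placeholder), and the evaluator only models the group-subject, verb/apiGroup/resource and binding-scope rules needed here.

```python
"""Added example (not Headlamp code): a minimal Kubernetes RBAC evaluator
loaded with the manifests from the issue, used to show why a cluster-wide
pod list fails for the dex:infrastructure group while a namespaced list
succeeds, and how an allowed-namespaces list avoids the cluster-wide call."""

GROUP = "dex:infrastructure"

# The Role and ClusterRole from the issue, keyed by (kind, namespace, name).
ROLES = {
    ("Role", "dex", "developer-role"): [
        {"verbs": ["*"], "apiGroups": ["*"], "resources": ["*"]},
    ],
    ("ClusterRole", None, "developer"): [
        {"verbs": ["get", "list", "watch"], "apiGroups": [""],
         "resources": ["namespaces"]},
    ],
}

# The RoleBinding and ClusterRoleBinding from the issue.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "dex",
     "subjects": [("Group", GROUP)], "roleRef": ("Role", "developer-role")},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": [("Group", GROUP)], "roleRef": ("ClusterRole", "developer")},
]


def _rule_matches(rule, verb, api_group, resource):
    def ok(wanted, permitted):
        return "*" in permitted or wanted in permitted
    return (ok(verb, rule["verbs"]) and ok(api_group, rule["apiGroups"])
            and ok(resource, rule["resources"]))


def allowed(group, verb, api_group, resource, namespace=None):
    """True if a member of `group` may perform the request.
    namespace=None is a cluster-wide (all namespaces) request; as in the real
    authorizer, only a ClusterRoleBinding can grant that."""
    for b in BINDINGS:
        if ("Group", group) not in b["subjects"]:
            continue
        # A RoleBinding only applies to requests inside its own namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        kind, name = b["roleRef"]
        role_ns = b["namespace"] if kind == "Role" else None
        rules = ROLES.get((kind, role_ns, name), [])
        if any(_rule_matches(r, verb, api_group, resource) for r in rules):
            return True
    return False


# Constructed pod inventory; the kube-system name is a placeholder.
PODS = {
    "dex": ["dex-66c5fdc5b7-ng2bg"],
    "kube-system": ["coredns-placeholder"],
}


def list_pods(group, namespace=None):
    """Simulated GET /api/v1/pods (namespace=None) or
    GET /api/v1/namespaces/{ns}/pods, guarded by the RBAC evaluator."""
    if not allowed(group, "list", "", "pods", namespace):
        scope = namespace or "all namespaces"
        raise PermissionError(f"403 Forbidden: cannot list pods in {scope}")
    if namespace is None:
        return [(ns, p) for ns, pods in PODS.items() for p in pods]
    return [(namespace, p) for p in PODS.get(namespace, [])]


def pods_for_view(group, wanted_namespace, allowed_namespaces=None):
    """Two strategies for filling the Pods tab:
    - allowed_namespaces=None: one cluster-wide list, filtered client-side
      (the default behaviour described in the issue);
    - otherwise: one namespaced list per allowed namespace."""
    if allowed_namespaces is None:
        return [p for p in list_pods(group) if p[0] == wanted_namespace]
    found = []
    for ns in allowed_namespaces:
        found += list_pods(group, ns)
    return [p for p in found if p[0] == wanted_namespace]


def try_pods_for_view(group, wanted_namespace, allowed_namespaces=None):
    """Like pods_for_view, but return the API error text instead of raising."""
    try:
        return pods_for_view(group, wanted_namespace, allowed_namespaces)
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    print("cluster-wide fetch:", try_pods_for_view(GROUP, "dex"))
    print("allowed-namespaces fetch:", try_pods_for_view(GROUP, "dex", ["dex"]))
```

Running the block shows the default strategy failing with a 403 on the all-namespaces list even though the user holds full rights in dex, and the per-namespace strategy returning the dex pod; the same authorizer also confirms that a namespaced list in kube-system is refused, which is the restriction the reporter wants to keep.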

fatsolko commented 2 days ago

how to fix this: there's an "Allowed namespaces" setting that you can set which will restrict all the requests to those particular namespaces

I don't think this is a good way when we have a lot of namespaces; it's still worth reconsidering this logic.