gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance Headlamp's metrics access by updating the ClusterRoleBinding to include permissions for metrics.k8s.io, nodes, and CustomResourceDefinitions. Update README and RBAC documentation to clarify OIDC user permissions and troubleshooting steps for metrics visibility issues.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 19:24:44 -04:00
parent bb0bd4ca90
commit 7c9fd1fde6
3 changed files with 23 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
clusters/noble/bootstrap/headlamp/metrics-clusterrolebinding.yaml
View File

@@ -1,7 +1,10 @@
# Grant Headlamp's ServiceAccount read access to the Kubernetes Metrics API.
# The chart binds headlamp SA to 'edit' (safe default) but 'edit' does not include
# metrics.k8s.io — without this, Headlamp shows no CPU/memory/node data on the dashboard.
# This binding is additive: it does not escalate headlamp beyond 'edit' elsewhere.
# Additive dashboard permissions on top of the built-in **edit** ClusterRole (Helm **clusterRoleBinding.clusterRoleName**).
# The chart binds the Headlamp **ServiceAccount** to **edit**, but **edit** does not cover:
# - **metrics.k8s.io** (no CPU/memory from metrics-server without this)
# - **nodes** / **nodes/status** at cluster scope (cluster overview / node pages stay empty)
# **OIDC** users authenticate as themselves, not the pod SA — the same ClusterRole must be bound to IdP groups
# (e.g. **noble-admins**) or they see 403 on metrics and node list while namespaced resources still work.
# **customresourcedefinitions** (read-only): many Headlamp plugins list CRDs to register views; **edit** alone often omits this.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -14,6 +17,12 @@ rules:
- apiGroups: ["metrics.k8s.io"]
resources: ["nodes", "pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["nodes", "nodes/status"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
@@ -30,3 +39,6 @@ subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: noble-admins