# Additive dashboard permissions on top of the built-in "edit" ClusterRole that the Headlamp
# chart binds to its ServiceAccount (Helm value clusterRoleBinding.clusterRoleName).
# "edit" is namespace-oriented and does not cover:
# - metrics.k8s.io nodes/pods: no CPU/memory figures from metrics-server without this.
#   Caveat: the stock metrics-server manifest ships a system:aggregated-metrics-reader
#   ClusterRole labelled aggregate-to-edit/aggregate-to-view, so on clusters that installed
#   it this rule is redundant (harmless). Verify with kubectl auth can-i rather than assuming.
# - nodes / nodes/status at cluster scope: cluster overview and node pages stay empty.
#   nodes/status is a subresource and must be listed explicitly; a rule for "nodes" alone
#   does not grant it.
# - customresourcedefinitions (read-only): many Headlamp plugins list CRDs to register
#   their views; none of view/edit/admin include apiextensions.k8s.io.
# OIDC users authenticate to the API server as themselves, not as the pod SA, so the same
# ClusterRole must also be bound to the IdP group (e.g. noble-admins); otherwise they get
# 403 on metrics and the node list while namespaced resources still work. The Group name
# must match what kube-apiserver sees: the groups-claim value including any
# --oidc-groups-prefix.
# Every rule below is read-only (get/list/watch); no write verb is granted at cluster scope.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: headlamp-metrics-reader
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/managed-by: Helm
rules:
  # Resource metrics served by metrics-server (the metrics.k8s.io API has no watch).
  - apiGroups: ["metrics.k8s.io"]
    resources: ["nodes", "pods"]
    verbs: ["get", "list"]
  # Cluster-scoped node objects; the status subresource is granted separately.
  - apiGroups: [""]
    resources: ["nodes", "nodes/status"]
    verbs: ["get", "list", "watch"]
  # CRD discovery for plugin views; read-only.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-metrics-reader
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: headlamp-metrics-reader
subjects:
  # The pod's own identity (token-based / non-OIDC access).
  - kind: ServiceAccount
    name: headlamp
    namespace: headlamp
  # OIDC users: bound via their IdP group, as seen by kube-apiserver.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: noble-admins
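The manifest above is only correct if every (apiGroup, resource, verb) the dashboard views need is matched by some rule, and Kubernetes RBAC matching has a few traps (subresources are not implied by the parent resource, `*` wildcards, `resourceNames` never matching list/watch). The following is an added example, not part of the Headlamp chart or the Headlamp project: it re-implements the rule-matching logic of the kube-apiserver RBAC authorizer for the fields used in this file, runs it offline against the rules copied from the ClusterRole, and renders the equivalent `kubectl auth can-i` commands for a live cluster. `REQUIRED`, the user `alice@example.com` and the subject flags are assumptions made for the example.

```python
# Offline RBAC check for the headlamp-metrics-reader ClusterRole above.
# Added example, not code from the Headlamp chart. It mirrors how the
# kube-apiserver RBAC authorizer matches a rule: apiGroups, resources
# (including "res/sub", "*/sub", "res/*"), verbs and resourceNames, with
# "*" as a wildcard. RBAC is purely additive: any matching rule allows.

# Copied from the ClusterRole in the manifest.
RULES = [
    {"apiGroups": ["metrics.k8s.io"], "resources": ["nodes", "pods"],
     "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["nodes", "nodes/status"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch"]},
]

# Assumed list of what the metrics, node and CRD views request.
REQUIRED = [
    ("metrics.k8s.io", "pods", "list"),
    ("metrics.k8s.io", "nodes", "list"),
    ("", "nodes", "list"),
    ("", "nodes", "watch"),
    ("", "nodes/status", "get"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "list"),
]

# Assumed identities: the chart's pod SA and an OIDC user in the IdP group.
SUBJECT_FLAGS = {
    "serviceaccount": "--as=system:serviceaccount:headlamp:headlamp",
    "oidc-admin": "--as=alice@example.com --as-group=noble-admins",
}


def _resource_matches(rule_resources, resource):
    """A rule for "nodes" does NOT cover "nodes/status"; only "nodes/status",
    "*/status", "nodes/*" or "*" do."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        base, sub = resource.split("/", 1)
        return f"*/{sub}" in rule_resources or f"{base}/*" in rule_resources
    return False


def rule_allows(rule, group, resource, verb, name=""):
    """Single-rule match. An empty resourceNames means any name; a list/watch
    request carries no name, so a resourceNames rule never allows it."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    names = rule.get("resourceNames", [])
    return (
        ("*" in verbs or verb in verbs)
        and ("*" in groups or group in groups)
        and _resource_matches(rule.get("resources", []), resource)
        and (not names or name in names)
    )


def allowed(rules, group, resource, verb, name=""):
    return any(rule_allows(r, group, resource, verb, name) for r in rules)


def missing(rules, required=REQUIRED):
    """Required tuples that no rule grants; empty means the role is sufficient."""
    return [t for t in required if not allowed(rules, *t)]


def can_i_commands(required, subject_flags):
    """Equivalent live checks: kubectl names resources as resource.group
    (core group has no suffix) and takes subresources via --subresource."""
    cmds = []
    for group, resource, verb in required:
        base, _, sub = resource.partition("/")
        spec = base if group == "" else f"{base}.{group}"
        if sub:
            spec += f" --subresource={sub}"
        cmds.append(f"kubectl auth can-i {verb} {spec} {subject_flags}")
    return cmds


if __name__ == "__main__":
    gaps = missing(RULES)
    print("missing from ClusterRole:", gaps or "none")
    for who, flags in SUBJECT_FLAGS.items():
        print(f"# live checks as {who}")
        print("\n".join(can_i_commands(REQUIRED, flags)))
```

Run the file before applying the manifest to catch a forgotten subresource or verb; then paste the printed `kubectl auth can-i` lines against the real cluster, where aggregated roles (for example metrics-server's `system:aggregated-metrics-reader`) and the OIDC group prefix also come into play and only the API server can answer.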