45 lines
1.7 KiB
YAML
45 lines
1.7 KiB
YAML
# Additive dashboard permissions on top of the built-in **edit** ClusterRole (Helm **clusterRoleBinding.clusterRoleName**).
|
|
# The chart binds the Headlamp **ServiceAccount** to **edit**, but **edit** does not cover:
|
|
# - **metrics.k8s.io** (no CPU/memory from metrics-server without this)
|
|
# - **nodes** / **nodes/status** at cluster scope (cluster overview / node pages stay empty)
|
|
# **OIDC** users authenticate as themselves, not the pod SA — the same ClusterRole must be bound to IdP groups
|
|
# (e.g. **noble-admins**) or they see 403 on metrics and node list while namespaced resources still work.
|
|
# **customresourcedefinitions** (read-only): many Headlamp plugins list CRDs to register views; **edit** alone often omits this.
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: headlamp-metrics-reader
|
|
labels:
|
|
app.kubernetes.io/name: headlamp
|
|
app.kubernetes.io/managed-by: Helm
|
|
rules:
|
|
- apiGroups: ["metrics.k8s.io"]
|
|
resources: ["nodes", "pods"]
|
|
verbs: ["get", "list"]
|
|
- apiGroups: [""]
|
|
resources: ["nodes", "nodes/status"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["apiextensions.k8s.io"]
|
|
resources: ["customresourcedefinitions"]
|
|
verbs: ["get", "list", "watch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: headlamp-metrics-reader
|
|
labels:
|
|
app.kubernetes.io/name: headlamp
|
|
app.kubernetes.io/managed-by: Helm
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: headlamp-metrics-reader
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: headlamp
|
|
namespace: headlamp
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: Group
|
|
name: noble-admins
|