Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pods are not displayed via the pods tab #2598

Closed
fatsolko opened this issue Nov 22, 2024 · 3 comments · Fixed by #2634
Closed

Pods are not displayed via the pods tab #2598

fatsolko opened this issue Nov 22, 2024 · 3 comments · Fixed by #2634
Assignees
Labels
blocker Completely prevents the user from using the software. bug Something isn't working frontend Issues related to the frontend
Milestone

Comments

@fatsolko
Copy link

fatsolko commented Nov 22, 2024

Describe the bug

Log in to headlamp, go to the dex namespace in which I gave the user full access.
image

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-role
  namespace: dex
rules:
  - verbs:
      - '*'
    apiGroups:
      - '*'
    resources:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-role-binding
  namespace: dex
subjects:
  - kind: Group
    name: dex:infrastructure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer-role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-developer
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: dex:infrastructure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: developer


And I can get all the info if I navigate through the namespace tab through the resources.
image
But if I go to the pod\secret\etc tab, they will not be available.

If I go to the same in Lens with the same account, everything works as expected
image

I understand that the problem is most likely that headlamp first tries to get all the pods in the cluster (I did not give such permissions) and filter them on the frontend.
https://blabla.dev/c/main/pods?namespace=dex
And if you open the pod directly, then everything is ok
https://blabla.dev/c/main/pods/dex/dex-66c5fdc5b7-ng2bg

if I give get list permissions to pods in clusterRole, everything will work, but i don't want to give permissions to pods in whole cluster

Environment:

  • Installation type: Helm
  • Headlamp Version: 1.27.5

Are you able to fix this issue?

No

@fatsolko fatsolko added the bug Something isn't working label Nov 22, 2024
@dosubot dosubot bot added the frontend Issues related to the frontend label Nov 22, 2024
@sniok
Copy link
Contributor

sniok commented Nov 22, 2024

hi, thanks for opening an issue

how to fix this:
there's an "Allowed namespaces" setting that you can set which will restrict all the requests to those particular namespaces

image

I understand that the problem is most likely that headlamp first tries to get all the pods in the cluster (I did not give such permissions) and filter them on the frontend.

you're right, currently by default headlamp fetches all the pods and then filters by namespace. there's a related issue with a similar problem here #1195

@fatsolko
Copy link
Author

fatsolko commented Nov 22, 2024

how to fix this:
there's an "Allowed namespaces" setting that you can set which will restrict all the requests to those particular namespaces

I don’t think this is a good way when we have a lot of namespaces, it’s still worth reconsidering this logic

@joaquimrocha
Copy link
Collaborator

@fatsolko You are right. We need to find a better way to handle this.
Maybe if the currently selected Namespace is just one (and not many), we include it in the requests?

cc/ @sniok

@joaquimrocha joaquimrocha added the blocker Completely prevents the user from using the software. label Dec 4, 2024
@joaquimrocha joaquimrocha added this to the v0.27.0 milestone Dec 4, 2024
@github-project-automation github-project-automation bot moved this from Queued to Done in Release Plan / Roadmap Dec 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocker Completely prevents the user from using the software. bug Something isn't working frontend Issues related to the frontend
Projects
Development

Successfully merging a pull request may close this issue.

3 participants