Comments (12)
Hi @saiyam1814. Apparently I failed to be clear about the importance of RBAC in Headlamp.
Headlamp checks RBAC: any Service Account that is used should have a role bound to it with the desired permissions.
I will update the docs.
I had to create a cluster role `cluster-admin` and a new SA; then it started working with the secret of the new SA.
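The workaround above binds a new Service Account to `cluster-admin`, which makes the Headlamp token a full-cluster credential. As an added example (not Headlamp's own code or docs), the POSIX shell script below provisions the SA against the built-in read-only `view` ClusterRole instead, shows what that identity is allowed to do with `kubectl auth can-i --list` (the check behind Headlamp's "no permissions" notice), and mints a token for the login dialog. The namespace `headlamp`, the SA name `headlamp-viewer` and the choice of `view` are assumptions; `kubectl create token` exists on Kubernetes 1.24 and newer, where per-SA token Secrets are no longer created automatically, so on older clusters the thread's approach of reading the SA's Secret applies.

```shell
#!/bin/sh
# Added example, not Headlamp's own code: provision a least-privilege
# ServiceAccount for Headlamp and verify its RBAC before using its token.
# Assumed values (change for your cluster): namespace "headlamp",
# SA "headlamp-viewer", built-in read-only ClusterRole "view".

SA_NAMESPACE="${SA_NAMESPACE:-headlamp}"
SA_NAME="${SA_NAME:-headlamp-viewer}"
CLUSTER_ROLE="${CLUSTER_ROLE:-view}"   # "cluster-admin" is the thread's choice; it grants everything

# Emit the manifests as text so they can be reviewed or piped into `kubectl apply -f -`.
render_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}-${CLUSTER_ROLE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${CLUSTER_ROLE}
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
EOF
}

# The username Kubernetes assigns to a ServiceAccount; used with --as for impersonation checks.
sa_identity() {
  printf 'system:serviceaccount:%s:%s\n' "$SA_NAMESPACE" "$SA_NAME"
}

# Guard: refuse a cluster-admin binding unless explicitly overridden, because a
# leaked Headlamp token would then be a full-cluster credential.
check_role_choice() {
  if [ "$CLUSTER_ROLE" = "cluster-admin" ] && [ "${ALLOW_CLUSTER_ADMIN:-0}" != "1" ]; then
    return 1
  fi
  return 0
}

# Apply the manifests, list the SA's effective permissions, then mint a bounded token.
provision() {
  check_role_choice || {
    echo "refusing cluster-admin binding (set ALLOW_CLUSTER_ADMIN=1 to override)" >&2
    return 1
  }
  render_manifest | kubectl apply -f -
  # What the SA may do; compare this with the resources Headlamp tries to read.
  kubectl auth can-i --list --as="$(sa_identity)"
  # Kubernetes 1.24+: no long-lived Secret is created per SA, so request a short-lived token.
  kubectl -n "$SA_NAMESPACE" create token "$SA_NAME" --duration=1h
}

# `./script.sh apply` provisions against a live cluster; any other invocation only prints the manifests.
if [ "${1:-}" = "apply" ] && command -v kubectl >/dev/null 2>&1; then
  provision
else
  render_manifest
fi
```

Run it with no arguments to review the generated manifests, and with `apply` to create them. Paste the printed token into Headlamp's "Use a token" dialog; if the permissions notice still appears, the `can-i --list` output tells you which resources the bound role does not cover.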
I mean, a person who is familiar with Kubernetes would know anyway, but it would be good to have in the docs. I am writing a blog as well which will cover the installation, logging in and some feature exploration.
@saiyam1814 Awesome! Let me know if you need our help for the blog post.
We have just updated the docs for the installation/auth https://kinvolk.io/docs/headlamp/latest/installation/ . Maybe this helps future users.
I also intend to add some way in the UI to suggest checking the docs when the "no permissions" notice is hit.
When should you be prompted to provide the token? When I click the head in the top right it is saying Log out (no token setup)
(v0.1.2, in-cluster).
Also, are there plans to allow Headlamp to use its own service account credentials? I have my own external OIDC setup and was hoping I could allow users through like that, with Headlamp using a read-only service account (for example).
@dippynark You should see a small dialog with a button saying "Use a token" when you access Headlamp and no token is configured. For in-cluster that will be the default auth method (for local/desktop it first tries to use any configured client cert).
You can provide OIDC as well, please see the instructions in:
https://kinvolk.io/docs/headlamp/latest/installation/in-cluster/
For defining roles to users authenticating through OIDC maybe you can check this example (for Lokomotive but I guess it should work fine on any Kubernetes flavor):
https://kinvolk.io/docs/lokomotive/0.5/how-to-guides/authentication-with-dex-gangway/#step-7-authorize-users-for-cluster-administrators
@dippynark / @saiyam1814, BTW, if you want to contribute to the docs on getting access to Headlamp, that would be great! Or at least feedback on this morning's additions to it 🙂
hmm not too sure what I'm doing, this is what I see when I first visit the page and click the head in the top right -- it looks like a dialog briefly appears when the page first loads but then it disappears.
I'm running it behind an Istio gateway which is managing my external OIDC flow, other dashboards are okay with the same setup though.
How is the OIDC working? Presumably the resulting JWTs aren't trusted by the API Server, so is Headlamp reading the RBAC itself to make a decision about whether to impersonate the user with its own credentials? If so, where are those credentials coming from? (Sorry if this is getting quite off topic for this issue.)
EDIT: having a quick look at the code it looks like the cluster also needs to be configured with the same OIDC provider so the JWTs are trusted (like with k8dash)
Hi @dippynark ,
It's indeed weird that you weren't redirected to the login screen. I think we have a bug sometimes in the redirection to the login when the permissions fail. Until we solve that, if you are not able to click log out, just navigate to the root URL and it should start the login workflow again.
About the OIDC, you have a guide here (you need to set up some extra arguments when launching the server):
https://kinvolk.io/docs/headlamp/latest/installation/in-cluster/
And yesterday I added a new section on how to create a Service Account token if that's also something you want to try:
https://kinvolk.io/docs/headlamp/latest/installation/
I can confirm that neither the desktop app nor the browser in-cluster version worked on the first chance.
In the browser, in the end, I launched an incognito tab and, with a port-forward, went to:
http://localhost:4466/token
How can I help on the debugging?
@paurullan How are you running it in-cluster?
In case you're not yet doing it, you can try running it from source: https://kinvolk.io/docs/headlamp/latest/development/
When run locally, what's expected is that if there is a ~/.kube/config set up, it will pick the contexts from it and display them. If it's just one context it will go straight into it.
If there are client-certificates set up in the config, it tries using those for the requests, otherwise (or if they fail) it will ask the user for a token. Docs on how to get an SA token are here if needed: https://kinvolk.io/docs/headlamp/latest/installation/
I am closing this due to inactivity. I believe that we have fixed the issues we were having with this effect. Please reopen if it's still happening with the latest versions.