
Comments (12)

joaquimrocha commented on May 19, 2024

Hi @saiyam1814. Apparently I failed to be clear about the importance of RBAC in Headlamp.
Headlamp checks RBAC, so any Service Account that is used should have a role bound with the desired permissions.

I will update the docs.

from headlamp.

saiyam1814 commented on May 19, 2024

I had to create a cluster role cluster-admin and a new SA; then it started working with the secret of the new SA.

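A least-privilege version of the setup described in the two comments above, as an added example that is not from the thread or the Headlamp project: instead of binding `cluster-admin`, the Service Account is bound to Kubernetes' built-in read-only `view` ClusterRole, and a token Secret is created for it explicitly. The names `headlamp-viewer`, `headlamp-viewer-token` and the `kube-system` namespace are assumptions.

```yaml
# Added example: a read-only Service Account for logging in to Headlamp.
# Names and namespace are assumptions; the comment above used cluster-admin,
# which grants far more than a dashboard login needs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: headlamp-viewer
  namespace: kube-system
---
# Bind the built-in, read-only "view" ClusterRole cluster-wide.
# "view" deliberately excludes Secrets, so this token cannot read
# other workloads' credentials through the dashboard.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: headlamp-viewer
  namespace: kube-system
---
# On Kubernetes 1.24+ a Service Account no longer gets a token Secret
# automatically; request one explicitly so that "the secret of the new SA"
# mentioned above exists. Its .data.token (base64) is the value Headlamp asks for.
apiVersion: v1
kind: Secret
metadata:
  name: headlamp-viewer-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: headlamp-viewer
type: kubernetes.io/service-account-token
```

Before handing the token over, confirm the binding does what you expect with `kubectl auth can-i list pods --as=system:serviceaccount:kube-system:headlamp-viewer` (expect `yes`) and `kubectl auth can-i get secrets --as=system:serviceaccount:kube-system:headlamp-viewer` (expect `no`).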

saiyam1814 commented on May 19, 2024

I mean, a person who is familiar with Kubernetes would know anyway, but it would be good to have in the docs. I am writing a blog as well, which will cover the installation, logging in, and some feature exploration.


joaquimrocha commented on May 19, 2024

@saiyam1814 Awesome! Let me know if you need our help for the blog post.

We have just updated the docs for installation/auth: https://kinvolk.io/docs/headlamp/latest/installation/ . Maybe this helps future users.

I also intend to add some way in the UI to suggest checking the docs when the no-permissions notice is hit.


dippynark commented on May 19, 2024

When should you be prompted to provide the token? When I click the head in the top right, it says "Log out (no token setup)" (v0.1.2, in-cluster).

Also, are there plans to allow Headlamp to use its own service account credentials? I have my own external OIDC setup and was hoping I could allow users through like that, with Headlamp using a read-only service account (for example).


joaquimrocha commented on May 19, 2024

@dippynark You should see a small dialog with a button saying "Use a token" when you access Headlamp and no token is configured. For in-cluster that will be the default auth method (for local/desktop it first tries to use any configured client cert).

You can provide OIDC as well, please see the instructions in:
https://kinvolk.io/docs/headlamp/latest/installation/in-cluster/

For defining roles to users authenticating through OIDC maybe you can check this example (for Lokomotive but I guess it should work fine on any Kubernetes flavor):
https://kinvolk.io/docs/lokomotive/0.5/how-to-guides/authentication-with-dex-gangway/#step-7-authorize-users-for-cluster-administrators


joaquimrocha commented on May 19, 2024

@dippynark / @saiyam1814, BTW, if you want to contribute to the docs on getting access to Headlamp, that would be great! Or at least feedback on this morning's additions to it 🙂


dippynark commented on May 19, 2024

Hmm, not too sure what I'm doing. This is what I see when I first visit the page and click the head in the top right. It looks like a dialog briefly appears when the page first loads, but then it disappears.

[Screenshot 2020-11-17 at 22:09:19]

I'm running it behind an Istio gateway which is managing my external OIDC flow, other dashboards are okay with the same setup though.

How is the OIDC working? Presumably the resulting JWTs aren't trusted by the API server, so is Headlamp reading the RBAC itself to make a decision about whether to impersonate the user with its own credentials? If so, where are those credentials coming from? (Sorry if this is getting quite off topic for this issue.)

EDIT: Having a quick look at the code, it looks like the cluster also needs to be configured with the same OIDC provider so the JWTs are trusted (like with k8dash).


joaquimrocha commented on May 19, 2024

Hi @dippynark ,

It's indeed weird that you weren't redirected to the login screen. I think we have a bug sometimes in the redirection to the login when the permissions fail. Until we solve that, if you are not able to click log out, just navigate to the root URL and it should start the login workflow again.

About the OIDC, you have a guide here (you need to set up some extra arguments when launching the server):
https://kinvolk.io/docs/headlamp/latest/installation/in-cluster/

And yesterday I added a new section on how to create a Service Account token if that's also something you want to try:
https://kinvolk.io/docs/headlamp/latest/installation/


paurullan commented on May 19, 2024

I can confirm that neither the desktop app nor the browser in-cluster version worked on the first try.
In the browser, in the end I launched an incognito tab and, with a port-forward, went to:
http://localhost:4466/token

How can I help on the debugging?


joaquimrocha commented on May 19, 2024

@paurullan How are you running it in-cluster?
In case you're not yet doing it, you can try running it from source: https://kinvolk.io/docs/headlamp/latest/development/

When run locally, what's expected is that if there is a ~/.kube/config set up, it will pick the contexts from it and display them. If it's just one context it will go straight into it.
If there are client certificates set up in the config, it tries using those for the requests; otherwise (or if they fail) it will ask the user for a token. Docs on how to get an SA token are here if needed: https://kinvolk.io/docs/headlamp/latest/installation/


joaquimrocha commented on May 19, 2024

I am closing this due to inactivity. I believe that we have fixed the issues we were having with this effect. Please reopen if it's still happening with the latest versions.

