Headlamp does not show restart/edit/scale buttons on resources with sufficient permissions #2633

Open
Andrew1988123123 opened this issue Dec 4, 2024 · 6 comments · May be fixed by #2654
@Andrew1988123123

Describe the bug

The bug title says it all. I gave permissions to restart, scale, edit the deployment but the button with the option to restart and scale the deployment does not appear. These are sufficient permissions because I tested using kubectl.
kubectl rollout restart deployment gotify -n default

According to the documentation the buttons should appear
https://headlamp.dev/docs/latest/faq/#headlamp-is-not-showing-deleteeditscale-buttons-in-a-resource-why-is-that

To Reproduce

Create Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gotify
  namespace: default
spec:
  selector:
    matchLabels:
      app: gotify
  replicas: 1
  template:
    metadata:
      labels:
        app: gotify
    spec:
      containers:
        - name: gotify
          image: gotify/server
          env:
            - name: GOTIFY_SERVER_PORT
              value: "81"
          ports:
            - containerPort: 81
          readinessProbe:
            httpGet:
              path: /health
              port: 81
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /health
              port: 81
            initialDelaySeconds: 10
            periodSeconds: 20

Create SA with secret

apiVersion: v1
kind: Secret
metadata:
  name: cluster-developer
  namespace: default
  annotations:
    kubernetes.io/service-account.name: cluster-developer
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-developer
  namespace: default

Create custom RBAC with sufficient permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: custom-role
rules:
  - apiGroups: [ "" ]
    resources: [ "pods" ]
    verbs: [ "get", "delete" ]
  - apiGroups: [ "" ]
    resources: [ "pods/portforward" ]
    verbs: [ "get", "create", "delete" ]
  - apiGroups: [ "" ]
    resources: [ "pods/exec" ]
    verbs: [ "get", "create" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps" ]
    verbs: [ "get" ]
  - apiGroups: [ "apps" ]
    resources: [ "deployments/scale" ]
    verbs: [ "get", "patch" ]
  - apiGroups: [ "apps" ]
    resources: [ "deployments" ]
    verbs: [ "get", "patch" ]

---

# ClusterRoleBinding for granting the custom-role to the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-developer-binding
subjects:
  - kind: ServiceAccount
    name: cluster-developer
    namespace: default
roleRef:
  kind: ClusterRole
  name: custom-role
  apiGroup: rbac.authorization.k8s.io

---

# ClusterRoleBinding for granting the 'view' role to the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-developer-view-binding
subjects:
  - kind: ServiceAccount
    name: cluster-developer
    namespace: default
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

Environment (please provide info about your environment):

  • Installation type: Windows-Winget
  • Headlamp Version: v0.26.0

Are you able to fix this issue?

No. I work as devops :(

Additional Context

image

Expected result
image

Additionally, after pressing the actions button the bubble has weird formatting.
image

@Andrew1988123123 Andrew1988123123 added the bug Something isn't working label Dec 4, 2024
@dosubot dosubot bot added the frontend Issues related to the frontend label Dec 4, 2024
@skoeva
Contributor

skoeva commented Dec 4, 2024

Hi, thanks for submitting this issue!

Do the buttons also not appear at the top when you click on the deployment?

image

Tried to test this locally (app in WSL and browser) and I see this on both:

image

@Andrew1988123123
Author

Thanks for the reply
After clicking on the deployment object I see this.
image

Are you using the correct kubeconfig? In the last photo you have a visible delete button. My custom RBAC does not contain the delete verb, which removes the deployment object. You should use a kubeconfig with limited access. Use all the roles I used and generate a kubeconfig.

@skoeva
Contributor

skoeva commented Dec 5, 2024

interesting, would you be able to provide your kubeconfig? (feel free to redact any sensitive information)

@Andrew1988123123
Author

Sure. You get the certificate-authority-data and token value from a secret. In my case, it's a secret called cluster-developer.

apiVersion: v1
kind: Config
clusters:
  - name: k3d-multiagent
    cluster:
      server: 'https://host.docker.internal:6445'
      certificate-authority-data: >-
        LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR...
users:
  - name: cluster-developer
    user:
      token: >-
        eyJhbGciOiJSUzI1NiIsImtpZC...
contexts:
  - name: k3d-multiagent-cluster-developer
    context:
      user: cluster-developer
      cluster: k3d-multiagent
      namespace: default
# current-context must name a context defined under "contexts"
current-context: k3d-multiagent-cluster-developer

@skoeva
Contributor

skoeva commented Dec 5, 2024

Awesome ty, I matched up the kubeconfigs and I'm seeing what you're seeing now. Will take a look into this

@skoeva skoeva self-assigned this Dec 5, 2024
@skoeva
Contributor

skoeva commented Dec 5, 2024

I see that you see the scale button for the deployment when you click on it (on the right side here)

image

but you don't see the edit or restart buttons. Both of these actions require permission to "update", so if you add "update" to deployments and refresh you should see them (should look like this)

- apiGroups: [ "apps" ]
  resources: [ "deployments" ]
  verbs: [ "get", "patch", "update" ]

Although they aren't showing up in the table row actions, working on this now

@skoeva skoeva linked a pull request Dec 10, 2024 that will close this issue
skoeva added a commit that referenced this issue Dec 10, 2024
This change sets the apiVersion in the KubeObject constructor to ensure
that valid row actions for the given KubeObject are visible.

Fixes: #2633

Signed-off-by: Evangelos Skopelitis <eskopelitis@microsoft.com>
skoeva added a commit that referenced this issue Dec 11, 2024
Previously, the apiVersion was not provided in the jsonData object in
the resource table, and apiVersion is necessary for authenticating and
displaying valid row actions. This change sets the apiVersion in the
KubeObject constructor to ensure that valid row actions for the given
KubeObject are visible.

Fixes: #2633

Signed-off-by: Evangelos Skopelitis <eskopelitis@microsoft.com>
skoeva added a commit that referenced this issue Dec 11, 2024
Previously, the apiVersion was not being provided in the jsonData object
in the resource table, and apiVersion is necessary for authenticating
and displaying valid row actions. This change ensures that resource,
group, and version are always provided to ensure that valid row actions
for the given KubeObject are visible.

Fixes: #2633

Signed-off-by: Evangelos Skopelitis <eskopelitis@microsoft.com>
skoeva added a commit that referenced this issue Dec 16, 2024
This change updates the logic of the getAuthorization function in
KubeObject, which previously intended to test auth by separating the
group from its respective version when one of these was missing. Now,
these two fields are linked and grabbed together from apiInfo when one
is missing.

Fixes: #2633

Signed-off-by: Evangelos Skopelitis <eskopelitis@microsoft.com>
skoeva added a commit that referenced this issue Dec 20, 2024
This change updates the logic of the getAuthorization function in
KubeObject, which previously intended to test auth by separating the
group from its respective version when one of these was missing. Now,
these two fields are linked and grabbed together from apiInfo when one
is missing.

Fixes: #2633

Signed-off-by: Evangelos Skopelitis <eskopelitis@microsoft.com>
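
The permission gap discussed in this thread, as an added example (not Headlamp's code and not posted by either participant): a simplified TypeScript model of RBAC rule matching, run against the deployment rules of `custom-role`. It shows why `patch` is enough for `kubectl rollout restart` while a check for `update` fails, and why a check made without the API group fails even when the verbs are right. `isAllowed`, `groupVersion` and `report` are hypothetical names, and treating a missing apiVersion as the core group is an assumption about the failure mode.

```typescript
// Simplified model of Kubernetes RBAC rule matching (no resourceNames,
// nonResourceURLs or aggregated roles). All names here are illustrative.
interface PolicyRule { apiGroups: string[]; resources: string[]; verbs: string[]; }
interface AccessCheck { verb: string; group: string; resource: string; subresource?: string; }

// Deployment-related rules copied from the custom-role ClusterRole in this issue.
const customRole: PolicyRule[] = [
  { apiGroups: ['apps'], resources: ['deployments/scale'], verbs: ['get', 'patch'] },
  { apiGroups: ['apps'], resources: ['deployments'], verbs: ['get', 'patch'] },
];

// The same role with "update" added to deployments, as suggested in the thread.
const fixedRole: PolicyRule[] = customRole.map(r =>
  r.resources.indexOf('deployments') !== -1 ? { ...r, verbs: [...r.verbs, 'update'] } : r
);

const matches = (list: string[], value: string): boolean =>
  list.indexOf('*') !== -1 || list.indexOf(value) !== -1;

// True when at least one rule grants the verb on the exact group and resource.
function isAllowed(rules: PolicyRule[], check: AccessCheck): boolean {
  const resource = check.subresource ? `${check.resource}/${check.subresource}` : check.resource;
  return rules.some(r =>
    matches(r.apiGroups, check.group) && matches(r.resources, resource) && matches(r.verbs, check.verb)
  );
}

// Splits an apiVersion such as "apps/v1" into group and version together.
// A bare "v1" or a missing value resolves to the core group "" (assumption).
function groupVersion(apiVersion: string | undefined): { group: string; version: string } {
  const parts = (apiVersion ?? '').split('/');
  return parts.length === 2
    ? { group: parts[0], version: parts[1] }
    : { group: '', version: parts[0] };
}

// kubectl rollout restart sends a PATCH; per the thread, the UI's edit and
// restart buttons are gated on "update" for the same resource.
function report(rules: PolicyRule[], apiVersion: string | undefined) {
  const { group } = groupVersion(apiVersion);
  const can = (verb: string): boolean =>
    isAllowed(rules, { verb, group, resource: 'deployments' });
  return { kubectlRestart: can('patch'), uiEditRestart: can('update') };
}
```

Against a live cluster, the same question can be asked with `kubectl auth can-i update deployments.apps -n default --as=system:serviceaccount:default:cluster-developer`.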