Separate Role / ClusterRole and Rolebinding / ClusterRolebinding #2686

Open
dal13002 opened this issue Dec 13, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@dal13002

dal13002 commented Dec 13, 2024

Is your feature request related to a problem? Please describe the impact that the lack of the feature requested is creating.

The goal is to have better user experience for non-admin users. If users only have access to specific namespaces, they should still be able to see role / rolebindings within their namespace using headlamp.

Describe the solution you'd like

As of today, headlamp has a single tab on the UI for:

  • "Roles", which shows both clusterroles and roles
  • "RoleBindings", which shows both rolebindings and clusterrolebindings

For admins this is fine, but ideally the Roles tab should be split into "Roles" and "ClusterRoles" tabs, and RoleBindings should be split into "RoleBinding" and "ClusterRoleBinding" tabs. This is because roles and rolebindings are namespaced, meaning I should be allowed to filter / scope these to just my namespace (similar to how pods, deployments, jobs, etc. work: we can select a namespace from the UI). But clusterroles and clusterrolebindings are not namespaced, meaning only admins can access them.

What users will benefit from this feature?

In-cluster users

Are you able to implement this feature?

No

Additional context

N/A

@dal13002 dal13002 added the enhancement New feature or request label Dec 13, 2024
@joaquimrocha
Collaborator

@dal13002 Sorry for the delay in replying. December was busy and we had some off time.
I understand the different scoping of Cluster/Role|Bindings. Let me ask whether you are not able to find/filter the resources you want in this case because of that merge we do, i.e. even if they are joined in the table, are you not able to filter by kind + namespace?

@dal13002
Author

@joaquimrocha Yes, that is correct. As a non-admin user (i.e. I only have RBAC access to the 'test' namespace and List all namespaces), I cannot filter or see any resources in the Roles and Role Bindings tabs on Headlamp. Instead of showing me a table of the roles/bindings, I get back 'no data to be shown.' If I look at the network tab in my web browser, I see 403 response codes. For example, for the Roles tab, I see 403 calling '/api/rbac.authorization.k8s.io/v1/clusterroles' and '/api/rbac.authorization.k8s.io/v1/roles'.

I believe splitting cluster|role/rolebinding into individual tabs will allow us to fix this, since we can make API calls for namespaced resources (similar to pods), and different API calls for non-namespaced resources. But I am also open to other ideas.
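
The 403s reported above follow from how Kubernetes RBAC scopes list requests. The sketch below is an added example, not part of the thread and not Headlamp code: it models the described user with constructed grants and shows which list paths would be authorized. It assumes the API server's `/apis/<group>/<version>` path form; `GRANTS`, `statusFor` and `listPaths` are hypothetical names.

```javascript
// Constructed RBAC grants for the user described in the thread (assumed, not
// taken from a real cluster). namespace: null models a ClusterRoleBinding.
const GRANTS = [
  { namespace: 'test', apiGroup: 'rbac.authorization.k8s.io',
    resources: ['roles', 'rolebindings'], verbs: ['get', 'list'] },
  { namespace: null, apiGroup: '', resources: ['namespaces'], verbs: ['list'] },
];

// Parse a Kubernetes list path: /api/v1/... (core group) or
// /apis/<group>/<version>/..., optionally scoped by namespaces/<ns>/.
function parseListPath(path) {
  const parts = path.split('/').filter(Boolean);
  let apiGroup, rest;
  if (parts[0] === 'api') { apiGroup = ''; rest = parts.slice(2); }
  else if (parts[0] === 'apis') { apiGroup = parts[1]; rest = parts.slice(3); }
  else throw new Error(`not a Kubernetes API path: ${path}`);
  if (rest[0] === 'namespaces' && rest.length >= 3) {
    return { apiGroup, namespace: rest[1], resource: rest[2] };
  }
  return { apiGroup, namespace: null, resource: rest[0] };
}

// RBAC is additive with no deny rules: a namespaced grant only matches
// requests inside that namespace, so a cluster-wide list needs a cluster grant.
function isListAllowed(grants, req) {
  return grants.some(g =>
    g.apiGroup === req.apiGroup &&
    g.resources.includes(req.resource) &&
    g.verbs.includes('list') &&
    (g.namespace === null || g.namespace === req.namespace));
}

// HTTP status the API server would return for a list request on this path.
function statusFor(path, grants = GRANTS) {
  return isListAllowed(grants, parseListPath(path)) ? 200 : 403;
}

// Hypothetical helper: one request per allowed namespace for namespaced kinds,
// a single cluster-scoped request for ClusterRole / ClusterRoleBinding.
const CLUSTER_SCOPED = new Set(['clusterroles', 'clusterrolebindings']);
function listPaths(resource, allowedNamespaces) {
  const base = '/apis/rbac.authorization.k8s.io/v1';
  if (CLUSTER_SCOPED.has(resource)) return [`${base}/${resource}`];
  return allowedNamespaces.map(ns => `${base}/namespaces/${ns}/${resource}`);
}
```

With these grants, only the namespace-scoped paths for `test` are authorized; the cluster-wide `roles` and `clusterroles` lists are denied, matching the behaviour described in the comment.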

@joaquimrocha
Collaborator

@dal13002 I forgot to ask: if you set the allowed namespaces in the Cluster's settings, are you able to accomplish what you need in the current view, or does it still fail?
