support use when kubernetes context does not have cluster level RBAC

Open dmlond opened this issue 2 years ago • 5 comments

I experienced a complete roadblock to using this system. I work against a multi-tenant kubernetes managed by our cloud team, and the tokens that I used to authenticate kubectl contexts do not have RBAC policies allowing them to list anything at the cluster level. I am using:

  • helm v3.10.1
  • dashboard version 0.2.3
  • Ubuntu Jammy Jellyfish

When I launch helm dashboard with a --namespace=$mynamespace argument, it still wants to list all namespaces, and fails. Once it fails there is no way to choose a specific namespace. It just sits there, completely unusable.

helm dashboard --namespace=londo003
INFO[0000] Helm Dashboard by Komodor, version 0.2.3 (549cdd9bfbdf32009f8dbbc240c59c86c2e430d7 @ 2022-10-26T14:27:14Z) 
WARN[0000] Failed command: [checkov --version]          
WARN[0000] Failed command: [trivy --version]            
INFO[0000] Opening web UI: http://localhost:8080        
Gtk-Message: 09:57:07.641: Failed to load module "canberra-gtk-module"
Gtk-Message: 09:57:07.643: Failed to load module "canberra-gtk-module"
WARN[0000] Failed command: [helm ls --all --all-namespaces --output json --time-format 2006-01-02T15:04:05Z07:00 --kube-context londo003-ocp] 
WARN[0000] STDERR:
Error: list: failed to list: secrets is forbidden: User "system:serviceaccount:londo003:helm-deployer" cannot list secrets at the cluster scope: no RBAC policy matched 
WARN[0126] Failed command: [helm ls --all --all-namespaces --output json --time-format 2006-01-02T15:04:05Z07:00 --kube-context londo003-ocp] 
WARN[0126] STDERR:
Error: list: failed to list: secrets is forbidden: User "system:serviceaccount:londo003:helm-deployer" cannot list secrets at the cluster scope: no RBAC policy matched 
WARN[0131] Failed command: [helm ls --all --all-namespaces --output json --time-format 2006-01-02T15:04:05Z07:00 --kube-context londo003-ocp] 
WARN[0131] STDERR:
Error: list: failed to list: secrets is forbidden: User "system:serviceaccount:londo003:helm-deployer" cannot list secrets at the cluster scope: no RBAC policy matched 
WARN[0146] Failed command: [helm ls --all --all-namespaces --output json --time-format 2006-01-02T15:04:05Z07:00 --kube-context londo003-ocp] 
WARN[0146] STDERR:
Error: list: failed to list: secrets is forbidden: User "system:serviceaccount:londo003:helm-deployer" cannot list secrets at the cluster scope: no RBAC policy matched 
^C

dmlond avatar Oct 31 '22 14:10 dmlond

The correct --namespace support was done in version 0.2.4. Please upgrade and try again. Sorry for the confusion.

undera avatar Oct 31 '22 15:10 undera

Updated to version 0.2.4. This still seems to need cluster-wide RBAC, which my service contexts will never have:

$ helm dashboard -n londo003
INFO[0000] Helm Dashboard by Komodor, version 0.2.4 (f6b2a8c66dd4f1497b0483da983aeb321b0724dd @ 2022-10-31T15:45:57Z) 
WARN[0000] Failed command: [checkov --version]          
WARN[0000] Failed command: [trivy --version]            
INFO[0000] User analytics collected to improve the quality, disable it with --no-analytics 
INFO[0000] Opening web UI: http://localhost:8080        
Gtk-Message: 12:45:57.631: Failed to load module "canberra-gtk-module"
Gtk-Message: 12:45:57.632: Failed to load module "canberra-gtk-module"
[GIN] 2022/10/31 - 12:45:57 | 200 |    5.039897ms |       127.0.0.1 | GET      "/"
[GIN] 2022/10/31 - 12:45:57 | 200 |      71.518µs |       127.0.0.1 | GET      "/static/analytics.js"
[GIN] 2022/10/31 - 12:45:57 | 200 |       34.57µs |       127.0.0.1 | GET      "/static/styles-base.css"
[GIN] 2022/10/31 - 12:45:57 | 200 |       165.3µs |       127.0.0.1 | GET      "/static/styles.css"
[GIN] 2022/10/31 - 12:45:57 | 200 |     117.735µs |       127.0.0.1 | GET      "/static/logo-header.svg"
[GIN] 2022/10/31 - 12:45:57 | 200 |      37.757µs |       127.0.0.1 | GET      "/static/komodor-logo.svg"
[GIN] 2022/10/31 - 12:45:57 | 200 |      83.276µs |       127.0.0.1 | GET      "/static/helm-gray.svg"
[GIN] 2022/10/31 - 12:45:57 | 200 |     138.876µs |       127.0.0.1 | GET      "/static/repo.js"
[GIN] 2022/10/31 - 12:45:57 | 200 |      39.757µs |       127.0.0.1 | GET      "/static/list-view.js"
[GIN] 2022/10/31 - 12:45:57 | 200 |      33.823µs |       127.0.0.1 | GET      "/static/revisions-view.js"
[GIN] 2022/10/31 - 12:45:57 | 200 |     131.972µs |       127.0.0.1 | GET      "/static/details-view.js"
[GIN] 2022/10/31 - 12:45:57 | 200 |     119.236µs |       127.0.0.1 | GET      "/static/actions.js"
[GIN] 2022/10/31 - 12:45:57 | 200 |     124.427µs |       127.0.0.1 | GET      "/static/scripts.js"
[GIN] 2022/10/31 - 12:45:57 | 200 |      52.523µs |       127.0.0.1 | GET      "/status"
[GIN] 2022/10/31 - 12:45:58 | 200 |      21.556µs |       127.0.0.1 | GET      "/api/scanners"
[GIN] 2022/10/31 - 12:45:58 | 200 |      43.222µs |       127.0.0.1 | GET      "/status"
[GIN] 2022/10/31 - 12:45:58 | 200 |    89.59657ms |       127.0.0.1 | GET      "/api/kube/contexts"
[GIN] 2022/10/31 - 12:45:58 | 200 |      171.93µs |       127.0.0.1 | GET      "/static/topographic.svg"
WARN[0001] Failed command: [helm ls --all --output json --time-format 2006-01-02T15:04:05Z07:00 --all-namespaces --kube-context londo003-ocp] 
WARN[0001] STDERR:
Error: list: failed to list: secrets is forbidden: User "system:serviceaccount:londo003:helm-deployer" cannot list secrets at the cluster scope: no RBAC policy matched 
[GIN] 2022/10/31 - 12:45:58 | 500 |  274.000005ms |       127.0.0.1 | GET      "/api/helm/charts"
Error #01: Error: list: failed to list: secrets is forbidden: User "system:serviceaccount:londo003:helm-deployer" cannot list secrets at the cluster scope: no RBAC policy matched

dmlond avatar Oct 31 '22 16:10 dmlond

Hm, there's a trickier problem here. Helm passes some of the flags to the plugin, and some it does not. I'm digging now to understand what happens there.

undera avatar Oct 31 '22 17:10 undera

Meanwhile, you can locate the binary on your machine and run it directly with the desired params. It's somewhere around ~/.local/share/helm/plugins/helm-dashboard.git/bin/helm-dashboard.

undera avatar Oct 31 '22 17:10 undera

Ok, I found that it clashes with the built-in namespace flag: https://helm.sh/docs/topics/plugins/#a-note-on-flag-parsing

undera avatar Oct 31 '22 17:10 undera
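
The flag clash named in the last comment, as an added example (not helm-dashboard's own code): Helm consumes its global flags such as -n/--namespace before starting a plugin and hands them over as environment variables (HELM_NAMESPACE, HELM_KUBECONTEXT), so a plugin has to read the environment to keep `helm ls` inside the namespace a namespace-scoped service account is allowed to read. The names `Scope`, `resolveScope`, `listArgs` and the `allNamespaces` opt-in are hypothetical.

```go
package main

import (
	"fmt"
	"os"
)

// Scope says which releases a listing covers (hypothetical type).
// An empty Namespace means all namespaces, which requires
// cluster-scope "list secrets" permission.
type Scope struct {
	Namespace string
}

// resolveScope picks the listing scope for a Helm plugin.
// -n/--namespace never reaches the plugin's argv: Helm parses it and
// exports the result as HELM_NAMESPACE, so that is what is read here.
// allNamespaces stands for a hypothetical plugin-specific opt-in flag.
func resolveScope(getenv func(string) string, allNamespaces bool) Scope {
	if allNamespaces {
		return Scope{}
	}
	ns := getenv("HELM_NAMESPACE")
	if ns == "" {
		ns = "default" // binary started directly, outside of helm
	}
	return Scope{Namespace: ns}
}

// listArgs builds the argv for `helm ls` that matches the scope.
func listArgs(s Scope, kubeContext string) []string {
	args := []string{"ls", "--all", "--output", "json"}
	if s.Namespace == "" {
		args = append(args, "--all-namespaces")
	} else {
		args = append(args, "--namespace", s.Namespace)
	}
	if kubeContext != "" {
		args = append(args, "--kube-context", kubeContext)
	}
	return args
}

func main() {
	s := resolveScope(os.Getenv, false)
	fmt.Println(listArgs(s, os.Getenv("HELM_KUBECONTEXT")))
}
```

Defaulting to the single namespace and making the cluster-wide listing an explicit opt-in keeps the tool usable with least-privilege tokens like the one in this report.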