Forbidden Messages on the Overview Page
Problemβ
Users can't see resources within the KubeRocketCI dedicated namespace via KubeRocketCI portal:
Causeβ
The problem might be caused by several factors. First of all, default and allowed namespaces may be either unset or set incorrectly. Secondly, service account used for browsing the KubeRocketCI portal may have insufficient permission set. Thirdly, if Keycloak is used for as an authentication mechanism, then the problem might be related to improper group membership.
Solutionβ
Solution can vary depending on the way users log into the platform, whether it is a service account token or an OpenID Connect mechanism.
Solution 1 (Configure Default namespace)β
This solution suits those who to log into the KubeRocketCI portal Keycloak.
To fix the problem, follow the steps below:
- Check both default and allowed namespace by navigating to the KubeRocketCI portal -> Account Settings -> Cluster.
Solution 2 (Service Account Token)β
This solution suits those who use a service account token to log into the KubeRocketCI portal.
To fix the problem, follow the steps below:
-
Make sure the service account is set up in accordance with the KubeRocketCI Access Model and possesses the appropriate access rights.
-
Check the roles associated with the ServiceAccount:
serviceaccount=<ServiceAccount_name>
kubectl get rolebindings -n edp -o json | jq -r --arg sa "$serviceaccount" '.items[] | select(.subjects[]? | select(.kind == "ServiceAccount" and .name == $sa)) | .metadata.name' -
Check permissions of the role used in the role binding:
kubectl describe role <role-name> -n edp -
Refresh the page and verify that the new RBAC settings are functioning properly.