Resource Observability Issue
Problemβ
Users can't see resources within the KubeRocketCI dedicated namespace via KubeRocketCI portal:
Causeβ
The problem might be caused by several factors. First of all, default and allowed namespaces may be either unset or set incorrectly. Secondly, service account used for browsing the KubeRocketCI portal may have insufficient permission set. Thirdly, if Keycloak is used for as an authentication mechanism, then the problem might be related to improper group membership.
Solutionβ
Solution can vary depending on the way users log into the platform, whether it is a service account token or an OpenID Connect mechanism.
Solution 1 (Service Account Token)β
This solution suits those who use a service account token to log into the KubeRocketCI portal.
To fix the problem, follow the steps below:
-
Check both default and allowed namespace by navigating to the KubeRocketCI portal -> Account Settings -> Cluster.
-
Check access rights of the service account at your disposal using the
kubectl describecommand:kubectl describe serviceaccount <service-account-name>> -n edp -
Check the role binding associated with the account:
kubectl describe serviceaccount <role-binding-name> -n edp -
Check permissions of the role used in the role binding:
kubectl describe role <role-name> -n edp -
Adjust resources to have sufficient permission set. Refer to the KubeRocketCI Access Model page for more details about permissions required for proper resource visibility.
Solution 2 (Keycloak)β
This solution suits those who to log into the KubeRocketCI portal Keycloak.
To fix the problem, follow the steps below:
-
Log into your Keycloak portal.
-
Check you user membership among the predefined Keycloak groups. Please refer to the KubeRocketCI Access Model page for details on the available Keycloak groups.
-
Add your user to the groups depending on which permissions you need to grant.