"Forward port" is stuck pending when permissions are restricted using a ClusterRole #2946

Open
artiommocrenco-amdaris opened this issue Feb 24, 2025 · 7 comments
Labels
bug Something isn't working k8s K8s compatibility-related issues/features

artiommocrenco-amdaris commented Feb 24, 2025

Describe the bug

"Forward port" is stuck pending when permissions are restricted using a similar ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developers-extended
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods/portforward
    verbs:
      - get
      - list
      - create

To Reproduce

Steps to reproduce the bug:

  1. Restrict a subject using the ClusterRole from above (I was using a service account and token)
  2. Find a service, try to "Forward port"
  3. The process is stuck, even after waiting several minutes

Expected results: port is forwarded or an error message is shown

Environment (please provide info about your environment):

  • Installation type: winget
  • Headlamp Version: 0.28.1
  • Other: Windows 11

Are you able to fix this issue?

No

Additional Context

Works using kubectl port-forward svc/myservice 8080:80 and in aptakube using the same kubeconfig in both cases, but doesn't work with Headlamp.

Works as expected with Headlamp using cluster admin kubeconfig (using TLS client auth).

@artiommocrenco-amdaris artiommocrenco-amdaris added the bug Something isn't working label Feb 24, 2025
@dosubot dosubot bot added the k8s K8s compatibility-related issues/features label Feb 24, 2025
@artiommocrenco-amdaris
Author

#2936 could be related, as I was using a service account with a token

@anengineerdude

Having issues as well; the fixes in 0.28.1 related to port forward did not fix it for me.

@Davidr1963

Having issues as well; the fixes in 0.28.1 related to port forward did not work. It just gets the spinning wheel that it is trying.

@artiommocrenco-amdaris
Author

Still not working for me in 0.29.0.

@knrt10
Contributor

knrt10 commented Mar 4, 2025

Thank you for opening the issue; looking into this.

@knrt10 knrt10 self-assigned this Mar 4, 2025
@knrt10
Contributor

knrt10 commented Mar 10, 2025

Hi @artiommocrenco-amdaris, I was unable to reproduce this issue with the current main. Can you please try it as well?

Here are the exact steps I used to test this scenario:

  1. Created clusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developers-extended
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods/portforward
      - services
      - services/portforward
    verbs:
      - get
      - list
      - create

  2. Create SA: kubectl create serviceaccount developer-test
  3. Created clusterrolebinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-test-binding
subjects:
- kind: ServiceAccount
  name: developer-test
  namespace: default
roleRef:
  kind: ClusterRole
  name: developers-extended
  apiGroup: rbac.authorization.k8s.io

  4. Created token for auth: kubectl create token developer-test
  5. Started backend: cd backend && go run ./cmd -dev -enable-dynamic-clusters
  6. Started frontend: cd frontend && npm i && npm start
  7. Started app: cd app && npm run dev-only-app
  8. Went to a service and tried port-forward.

I had clusters in kubeconfig and it worked for me. I also had an AKS cluster and added it, base64-encoding it, via the New Cluster button; or you could add it again using the Add cluster button with a kubeconfig as well.

Both scenarios worked for me. Can you please add some logs from the console? That would be helpful as well. Thanks
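
An added example, not part of the issue thread or Headlamp's code: a small offline evaluator for Kubernetes RBAC rule matching, run over the two ClusterRoles posted above, listing which requests the reproduction role allows that the reporter's role does not. The rules are transcribed from the YAML in the thread; the request list and function names are constructed for illustration.

```python
# Offline sketch of Kubernetes RBAC rule matching (verb, apiGroup, resource),
# applied to the two ClusterRoles posted in this issue. Rules are transcribed
# from the YAML in the thread; the request list is constructed for illustration.

READ_ALL = {"apiGroups": ["*"], "resources": ["*"], "verbs": ["list", "get", "watch"]}
REPORTER_ROLE = [READ_ALL, {"apiGroups": [""], "resources": ["pods/portforward"],
                            "verbs": ["get", "list", "create"]}]
REPRO_ROLE = [READ_ALL, {"apiGroups": [""],
                         "resources": ["pods/portforward", "services", "services/portforward"],
                         "verbs": ["get", "list", "create"]}]

def resource_matches(rule_resources, resource, subresource=""):
    """A rule resource matches if it is "*", the exact resource[/subresource],
    or "*/<subresource>" for a subresource request."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule_resources:
        if r == "*" or r == combined:
            return True
        if subresource and r == f"*/{subresource}":
            return True
    return False

def allowed(rules, verb, group, resource, subresource=""):
    """RBAC is additive: a request is allowed if any single rule matches it."""
    return any(
        ("*" in rule["verbs"] or verb in rule["verbs"])
        and ("*" in rule["apiGroups"] or group in rule["apiGroups"])
        and resource_matches(rule["resources"], resource, subresource)
        for rule in rules
    )

# Constructed requests: (verb, apiGroup, resource, subresource)
REQUESTS = [
    ("get", "", "services", ""),
    ("get", "", "pods", ""),
    ("create", "", "pods", "portforward"),
    ("create", "", "services", ""),
    ("create", "", "services", "portforward"),
    ("delete", "", "pods", ""),
]

def grant_diff(role_a, role_b, requests=REQUESTS):
    """Requests allowed by role_b but denied by role_a."""
    return [r for r in requests if allowed(role_b, *r) and not allowed(role_a, *r)]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, allowed(REPORTER_ROLE, *req), allowed(REPRO_ROLE, *req))
    print("extra in repro role:", grant_diff(REPORTER_ROLE, REPRO_ROLE))
```

On a live cluster, `kubectl auth can-i create pods/portforward --as=system:serviceaccount:default:developer-test` answers the same question for a single request against the bound service account.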

@alex-hempel

I have this issue, even when using a role that gives me cluster-admin permissions.

Headlamp 0.29 on macOS 15.1
