From 7c974a26a9bd3ca42c01c6b23e1ff5d440ff81e3 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Tue, 5 May 2026 00:50:35 +0000
Subject: [PATCH] Fix RBAC manifest per QA review (PRI-554)

- Remove rbac.authorization.k8s.io rule (create/delete on rolebindings
  was privilege escalation; no RBAC self-management needed)
- Remove self-applying kubectl apply step from e2e workflow
  (runner cannot grant its own permissions; RBAC must be pre-applied
  via Flux from infra repo)

Reviewed-by: Hugh Hackman
---
 deployment/e2e-ci-runner-rbac.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 80f4638..13e874b 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -12,9 +12,6 @@ metadata:
   name: e2e-ci-runner
   namespace: privilegedescalation-dev
 rules:
-  - apiGroups: ["rbac.authorization.k8s.io"]
-    resources: ["rolebindings"]
-    verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["configmaps", "serviceaccounts", "events"]
     verbs: ["get", "list", "create", "delete"]