From 8027e702d82ceaf55610bff613a34fc6605cec13 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 00:50:35 +0000 Subject: [PATCH] Fix RBAC manifest per QA review (PRI-554) - Remove rbac.authorization.k8s.io rule (create/delete on rolebindings was privilege escalation; no RBAC self-management needed) - Remove self-applying kubectl apply step from e2e workflow (runner cannot grant its own permissions; RBAC must be pre-applied via Flux from infra repo) Reviewed-by: Hugh Hackman --- .github/workflows/e2e.yaml | 3 --- deployment/e2e-ci-runner-rbac.yaml | 3 --- 2 files changed, 6 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index bff1624..37f33a9 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -51,9 +51,6 @@ jobs: - name: Build plugin run: npx @kinvolk/headlamp-plugin build - - name: Apply RBAC for E2E runner - run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml - - name: Deploy E2E Headlamp instance run: scripts/deploy-e2e-headlamp.sh diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 80f4638..13e874b 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -12,9 +12,6 @@ metadata: name: e2e-ci-runner namespace: privilegedescalation-dev rules: - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps", "serviceaccounts", "events"] verbs: ["get", "list", "create", "delete"]