From c1ad0063ccafe0a85f65cc5adcee77f2ca2fc6e2 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Mon, 4 May 2026 19:40:05 +0000
Subject: [PATCH] fix: add roles/rolebindings permissions to RBAC manifest
 (PRI-550)

kubectl apply requires get/list/watch on roles/rolebindings to check
existing state before patching. Without these, apply fails with
Forbidden on the GET call itself.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 deployment/e2e-ci-runner-rbac.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 89fd595..3b252eb 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -12,6 +12,9 @@ metadata:
   name: e2e-ci-runner
   namespace: privilegedescalation-dev
 rules:
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "watch", "create", "delete"]
   - apiGroups: [""]
     resources: ["configmaps", "serviceaccounts", "events"]
     verbs: ["get", "list", "create", "delete"]