From c815b2fd4471f83ed64bb46830366f5648638910 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Tue, 5 May 2026 00:35:38 +0000
Subject: [PATCH] fix: remove create/delete on roles/rolebindings per QA review

Removes privilege-escalation permissions from RBAC manifest per PRI-554 QA review. The rbac.authorization.k8s.io rule now grants only get/list/watch on rolebindings (needed for deploy script to verify existing bindings exist).

Co-Authored-By: Paperclip
---
 deployment/e2e-ci-runner-rbac.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 3b252eb..80f4638 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -13,8 +13,8 @@ metadata:
 namespace: privilegedescalation-dev
 rules:
 - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles", "rolebindings"]
- verbs: ["get", "list", "watch", "create", "delete"]
+ resources: ["rolebindings"]
+ verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["configmaps", "serviceaccounts", "events"]
 verbs: ["get", "list", "create", "delete"]
@@ -40,4 +40,4 @@ subjects:
 roleRef:
 kind: Role
 name: e2e-ci-runner
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
+ apiGroup: rbac.authorization.k8s.io
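Review bot: The tightened `rbac.authorization.k8s.io` rule in the first hunk still grants `watch`, which the stated purpose (the deploy script verifying that bindings exist) does not appear to need; if the script only reads, `verbs: ["get", "list"]` is the smaller grant. The reason read access is kept is recorded only in the commit message, so a comment above the rule such as `# read-only: deploy script checks that expected RoleBindings exist; no create/delete (PRI-554)` would help keep a later edit from widening it again. The unchanged rule directly below still allows `create`/`delete` on `serviceaccounts` and deserves the same least-privilege review. The Role's remaining rules lie outside this hunk, so their combined effect cannot be judged from here.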