From c8242599f9b29db51bad1839b3281d75b68b2e14 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 4 May 2026 19:28:36 +0000
Subject: [PATCH] Add RBAC manifest for E2E CI runner

Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners service account the minimum permissions needed to deploy/teardown an E2E Headlamp instance in privilegedescalation-dev. Fixes PRI-550.

Co-Authored-By: Paperclip
---
 deployment/e2e-ci-runner-rbac.yaml | 40 ++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 deployment/e2e-ci-runner-rbac.yaml

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
new file mode 100644
index 0000000..89fd595
--- /dev/null
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -0,0 +1,40 @@
+---
+# e2e-ci-runner-rbac.yaml
+#
+# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
+# permissions needed to deploy/teardown an E2E Headlamp instance in the
+# privilegedescalation-dev namespace.
+#
+# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: privilegedescalation-dev
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps", "serviceaccounts", "events"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner
+  namespace: privilegedescalation-dev
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
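Review bot: The Role's `create` on `deployments` combined with unscoped `get`/`list`/`delete` on `serviceaccounts` and `configmaps` lets the runner schedule pods under any existing service account in privilegedescalation-dev and read or remove any configmap there, so the "minimum permissions" claim in the header only holds if nothing more privileged shares that namespace; a dedicated E2E namespace, or `resourceNames` on the `get`/`delete` rules for the fixed E2E object names, would bound the blast radius. `delete` on `events` is unusual for a deploy/teardown script and erases audit evidence — drop it unless deploy-e2e-headlamp.sh demonstrably needs it. Conversely the `deployments` rule has no `watch` or `patch`, so if the script uses `kubectl rollout status` or re-applies an existing Deployment those calls will be denied (the script is not in this patch, so this is inferred). The header comment "Applied automatically by the E2E workflow" should name the identity that applies the manifest, since the bound SA cannot create a Role granting verbs it does not already hold; suggest `# Must be applied by an identity that already holds these permissions (RBAC escalation prevention); the runner SA cannot self-grant them.` The file is also missing its trailing newline.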