privilegedescalation/headlamp-intel-gpu-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases 9 Wiki Activity
74 Commits 28 Branches 9 Tags
fix/pri-550-add-e2e-rbac
Commit Graph

5 Commits

Author SHA1 Message Date
Chris Farhood 6fa4745aa1 docs: mark RBAC manifest as Flux-managed reference copy 2026-05-05 01:09:30 +00:00
Chris Farhood 8027e702d8 Fix RBAC manifest per QA review (PRI-554) 
- Remove rbac.authorization.k8s.io rule (create/delete on rolebindings
  was privilege escalation; no RBAC self-management needed)
- Remove self-applying kubectl apply step from e2e workflow
  (runner cannot grant its own permissions; RBAC must be pre-applied
  via Flux from infra repo)

Reviewed-by: Hugh Hackman
 2026-05-05 00:50:35 +00:00
Chris Farhood c815b2fd44 fix: remove create/delete on roles/rolebindings per QA review 
Removes privilege-escalation permissions from RBAC manifest per PRI-554
QA review. The rbac.authorization.k8s.io rule now grants only
get/list/watch on rolebindings (needed for deploy script to verify
existing bindings exist).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 00:35:48 +00:00
Chris Farhood 4942692e64 fix: add roles/rolebindings permissions to RBAC manifest (PRI-550) 
kubectl apply requires get/list/watch on roles/rolebindings to check
existing state before patching. Without these, apply fails with
Forbidden on the GET call itself.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-04 19:40:05 +00:00
Chris Farhood 2645b62290 Add RBAC manifest for E2E CI runner 
Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners
service account the minimum permissions needed to deploy/teardown an
E2E Headlamp instance in privilegedescalation-dev.

Fixes PRI-550.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-04 19:28:36 +00:00