From 2645b62290d70085f756a4167d3412445aa5ed87 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 4 May 2026 19:28:36 +0000
Subject: [PATCH 1/7] Add RBAC manifest for E2E CI runner

Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners service account the minimum permissions needed to deploy/teardown an E2E Headlamp instance in privilegedescalation-dev. Fixes PRI-550.

Co-Authored-By: Paperclip
---
 deployment/e2e-ci-runner-rbac.yaml | 40 ++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 deployment/e2e-ci-runner-rbac.yaml

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
new file mode 100644
index 0000000..89fd595
--- /dev/null
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -0,0 +1,40 @@
+---
+# e2e-ci-runner-rbac.yaml
+#
+# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
+# permissions needed to deploy/teardown an E2E Headlamp instance in the
+# privilegedescalation-dev namespace.
+#
+# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: e2e-ci-runner
+ namespace: privilegedescalation-dev
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps", "serviceaccounts", "events"]
+ verbs: ["get", "list", "create", "delete"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: e2e-ci-runner
+ namespace: privilegedescalation-dev
+subjects:
+ - kind: ServiceAccount
+ name: runners-privilegedescalation-gha-rs-no-permission
+ namespace: arc-runners
+roleRef:
+ kind: Role
+ name: e2e-ci-runner
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
-- 2.52.0
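Review bot: The `create` verb on deployments in the `apps` rule gives this Role more reach than the verb list suggests: any Deployment the runner creates can set `serviceAccountName` to any existing ServiceAccount in privilegedescalation-dev, so the runner's effective permissions are the union of every binding in that namespace, not just the ones listed here. It is worth confirming that no broader-privileged SA lives in that namespace, and scoping `get`/`delete` on serviceaccounts with `resourceNames` to the SA the deploy script actually creates (its name is not visible in this patch). The first rule also grants `delete` on events, which the deploy/teardown flow does not visibly need and which would let a compromised job erase the namespace's diagnostic trail; trimming that rule to `verbs: ["get", "list", "create"]` for events loses nothing shown here.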
From 645cd742a1dc6bb609fea362c91bf9a8729a7bb2 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 4 May 2026 19:39:12 +0000
Subject: [PATCH 2/7] fix: add RBAC apply step to E2E workflow (PRI-550)

Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step to the E2E workflow before the deploy script runs.

Co-Authored-By: Paperclip
---
 .github/workflows/e2e.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 37f33a9..bff1624 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -51,6 +51,9 @@ jobs:
 - name: Build plugin
 run: npx @kinvolk/headlamp-plugin build
+ - name: Apply RBAC for E2E runner
+ run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+
 - name: Deploy E2E Headlamp instance
 run: scripts/deploy-e2e-headlamp.sh
-- 2.52.0

From 4942692e64c87bf62f87d97028798efc0733bb8b Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 4 May 2026 19:40:05 +0000
Subject: [PATCH 3/7] fix: add roles/rolebindings permissions to RBAC manifest (PRI-550)

kubectl apply requires get/list/watch on roles/rolebindings to check existing state before patching. Without these, apply fails with Forbidden on the GET call itself.

Co-Authored-By: Paperclip
---
 deployment/e2e-ci-runner-rbac.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 89fd595..3b252eb 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -12,6 +12,9 @@ metadata:
 name: e2e-ci-runner
 namespace: privilegedescalation-dev
 rules:
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "rolebindings"]
+ verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: [""]
 resources: ["configmaps", "serviceaccounts", "events"]
 verbs: ["get", "list", "create", "delete"]
-- 2.52.0

From 97ef7788e2d85ae5118be0ea314323c590eae007 Mon Sep 17 00:00:00 2001
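Review bot: The new `Apply RBAC for E2E runner` step applies `deployment/e2e-ci-runner-rbac.yaml` from the checked-out ref, so the permissions the runner grants itself are whatever the branch under test says they are, and an edit to that file in a pull request would be applied by this step before anyone reviews it. Kubernetes' RBAC escalation check caps the result at the verbs the runner SA already holds, but the pattern still turns a permission change into a CI side effect rather than a reviewed infrastructure change. If the step must stay, gate it on the default branch (for example an `if:` condition on `github.ref`) and keep the canonical RBAC outside the repository being tested. The job containing this step starts outside the hunk, so which events trigger it is not visible here.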
From: Chris Farhood
Date: Tue, 5 May 2026 00:26:32 +0000
Subject: [PATCH 4/7] chore: re-trigger E2E with updated infra RBAC (infra fix applied)

-- 2.52.0

From c815b2fd4471f83ed64bb46830366f5648638910 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Tue, 5 May 2026 00:35:38 +0000
Subject: [PATCH 5/7] fix: remove create/delete on roles/rolebindings per QA review

Removes privilege-escalation permissions from RBAC manifest per PRI-554 QA review. The rbac.authorization.k8s.io rule now grants only get/list/watch on rolebindings (needed for deploy script to verify existing bindings exist).

Co-Authored-By: Paperclip
---
 deployment/e2e-ci-runner-rbac.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 3b252eb..80f4638 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -13,8 +13,8 @@ metadata:
 namespace: privilegedescalation-dev
 rules:
 - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles", "rolebindings"]
- verbs: ["get", "list", "watch", "create", "delete"]
+ resources: ["rolebindings"]
+ verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["configmaps", "serviceaccounts", "events"]
 verbs: ["get", "list", "create", "delete"]
@@ -40,4 +40,4 @@ subjects:
 roleRef:
 kind: Role
 name: e2e-ci-runner
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
+ apiGroup: rbac.authorization.k8s.io
-- 2.52.0

From 8027e702d82ceaf55610bff613a34fc6605cec13 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Tue, 5 May 2026 00:50:35 +0000
Subject: [PATCH 6/7] Fix RBAC manifest per QA review (PRI-554)

- Remove rbac.authorization.k8s.io rule (create/delete on rolebindings was privilege escalation; no RBAC self-management needed)
- Remove self-applying kubectl apply step from e2e workflow (runner cannot grant its own permissions; RBAC must be pre-applied via Flux from infra repo)

Reviewed-by: Hugh Hackman
---
 .github/workflows/e2e.yaml | 3 ---
 deployment/e2e-ci-runner-rbac.yaml | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index bff1624..37f33a9 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -51,9 +51,6 @@ jobs:
 - name: Build plugin
 run: npx @kinvolk/headlamp-plugin build
- - name: Apply RBAC for E2E runner
- run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
-
 - name: Deploy E2E Headlamp instance
 run: scripts/deploy-e2e-headlamp.sh
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 80f4638..13e874b 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -12,9 +12,6 @@ metadata:
 name: e2e-ci-runner
 namespace: privilegedescalation-dev
 rules:
- - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
- verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["configmaps", "serviceaccounts", "events"]
 verbs: ["get", "list", "create", "delete"]
-- 2.52.0

From 6fa4745aa15138228c152c7ccedc7e609b020c7f Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Tue, 5 May 2026 01:09:30 +0000
Subject: [PATCH 7/7] docs: mark RBAC manifest as Flux-managed reference copy

---
 deployment/e2e-ci-runner-rbac.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 13e874b..fc47417 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -5,7 +5,9 @@
 # permissions needed to deploy/teardown an E2E Headlamp instance in the
 # privilegedescalation-dev namespace.
 #
-# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs.
+# RBAC is managed via Flux from privilegedescalation/infra — do not apply manually.
+# This manifest is a reference copy in the plugin repo.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-- 2.52.0
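Review bot: The new header declares this file a reference copy of a Flux-managed Role but gives no way to tell whether it still matches the canonical one, so the two will drift silently and the surviving "Grants ... the minimum permissions" sentence above the hunk will describe a Role the cluster may no longer have. Suggest naming the canonical location in the comment, e.g. `# Canonical source: privilegedescalation/infra/<path-to-this-role> — change it there first; this copy is informational only.`, with the real path filled in. If the infra repository is reachable from CI, a job that diffs the two files would make the reference copy trustworthy rather than advisory. The rest of the header and the Role it describes sit outside this hunk.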