headlamp-dev is Flux-managed (kustomization/headlamp-dev reconciles), causing
E2E deployment conflicts and test failures. Use a dedicated headlamp-plugins-e2e
namespace instead. Reverted .github/workflows/e2e.yaml — Hugh owns CI/CD; will
file a child issue to update the workflow namespace.

- Remove rbac.authorization.k8s.io rule (create/delete on rolebindings
  was privilege escalation; no RBAC self-management needed)
- Remove self-applying kubectl apply step from e2e workflow
  (runner cannot grant its own permissions; RBAC must be pre-applied
  via Flux from infra repo)

Reviewed-by: Hugh Hackman

Removes privilege-escalation permissions from RBAC manifest per PRI-554
QA review. The rbac.authorization.k8s.io rule now grants only
get/list/watch on rolebindings (needed for deploy script to verify
existing bindings exist).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

kubectl apply requires get/list/watch on roles/rolebindings to check
existing state before patching. Without these, apply fails with
Forbidden on the GET call itself.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step
to the E2E workflow before the deploy script runs.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners
service account the minimum permissions needed to deploy/teardown an
E2E Headlamp instance in privilegedescalation-dev.

Fixes PRI-550.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
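The least-privilege shape these commits converge on, as an added illustration rather than the repository's own deployment/e2e-ci-runner-rbac.yaml: the rbac.authorization.k8s.io rule flagged in the PRI-554 review sits commented out beside the corrected read-only rule that kubectl apply needs for its GET before patching. The service account name, the runner namespace and the workload resource list are assumptions; the headlamp-plugins-e2e namespace comes from the messages above.

```yaml
# Added example, not the project's manifest. Assumed placeholders: service
# account "arc-runner" in namespace "arc-runners"; target namespace
# headlamp-plugins-e2e is the one named in the commit messages.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: e2e-ci-runner
  namespace: headlamp-plugins-e2e
rules:
  # Workload objects the deploy/teardown script manages (assumed list).
  - apiGroups: ["", "apps"]
    resources: ["deployments", "services", "configmaps", "pods", "pods/log"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # BEFORE (removed per the review): write access to rolebindings is RBAC
  # self-management the runner never needed; the API server's escalation
  # check is not a substitute for simply not granting it.
  # - apiGroups: ["rbac.authorization.k8s.io"]
  #   resources: ["rolebindings"]
  #   verbs: ["create", "delete"]
  # AFTER: read-only, enough for kubectl apply to GET existing state.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: e2e-ci-runner
  namespace: headlamp-plugins-e2e
subjects:
  - kind: ServiceAccount
    name: arc-runner        # assumed
    namespace: arc-runners  # assumed
roleRef:
  kind: Role
  name: e2e-ci-runner
  apiGroup: rbac.authorization.k8s.io
```

Once Flux has applied it, `kubectl auth can-i create rolebindings -n headlamp-plugins-e2e --as=system:serviceaccount:arc-runners:arc-runner` should answer `no`, while the same check with `get` answers `yes`.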