privilegedescalation/headlamp-intel-gpu-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases 9 Wiki Activity

Reference shared infra RBAC (PRI-750) #66

Closed
privilegedescalation-engineer[bot] wants to merge 10 commits from gandalf/reference-shared-infra-rbac-pri-750 into main
pull from: gandalf/reference-shared-infra-rbac-pri-750
merge into: privilegedescalation:main
Conversation 5 Commits 10 Files Changed 4
+26 -9

10 Commits

Author SHA1 Message Date
Chris Farhood f1a87fc079 Reference shared infra RBAC in deployment scripts 
PRI-750: update plugin repos to reference shared infra RBAC (PRI-695 follow-up)

- deployment/e2e-ci-runner-rbac.yaml: replaced duplicate manifest with
  reference comment pointing to privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
- scripts/deploy-e2e-headlamp.sh: updated RBAC preflight comment and error
  message to reference infra path
- scripts/teardown-e2e-headlamp.sh: added RBAC reference comment

Infra RBAC is the source of truth managed by Flux GitOps. CI workflow
unchanged (Hugh owns .github/workflows/).
 2026-05-05 18:10:00 +00:00
Chris Farhood 83ae579729 fix: use headlamp-plugins-e2e namespace for E2E tests, revert workflow 
headlamp-dev is Flux-managed (kustomization/headlamp-dev reconciles), causing
E2E deployment conflicts and test failures. Use a dedicated headlamp-plugins-e2e
namespace instead. Reverted .github/workflows/e2e.yaml — Hugh owns CI/CD; will
file a child issue to update the workflow namespace.
 2026-05-05 18:10:00 +00:00
Chris Farhood 7bccf91ac7 Replace privilegedescalation-dev with headlamp-dev namespace 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 18:10:00 +00:00
Chris Farhood 9fbc1d569f docs: mark RBAC manifest as Flux-managed reference copy 2026-05-05 18:10:00 +00:00
Chris Farhood 105f6cfd6b Fix RBAC manifest per QA review (PRI-554) 
- Remove rbac.authorization.k8s.io rule (create/delete on rolebindings
  was privilege escalation; no RBAC self-management needed)
- Remove self-applying kubectl apply step from e2e workflow
  (runner cannot grant its own permissions; RBAC must be pre-applied
  via Flux from infra repo)

Reviewed-by: Hugh Hackman
 2026-05-05 18:10:00 +00:00
Chris Farhood c43e006c64 fix: remove create/delete on roles/rolebindings per QA review 
Removes privilege-escalation permissions from RBAC manifest per PRI-554
QA review. The rbac.authorization.k8s.io rule now grants only
get/list/watch on rolebindings (needed for deploy script to verify
existing bindings exist).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 18:10:00 +00:00
Chris Farhood ff5ef7f57b chore: re-trigger E2E with updated infra RBAC (infra fix applied) 2026-05-05 18:10:00 +00:00
Chris Farhood c1ad0063cc fix: add roles/rolebindings permissions to RBAC manifest (PRI-550) 
kubectl apply requires get/list/watch on roles/rolebindings to check
existing state before patching. Without these, apply fails with
Forbidden on the GET call itself.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 18:10:00 +00:00
Chris Farhood 7bc5b1324b fix: add RBAC apply step to E2E workflow (PRI-550) 
Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step
to the E2E workflow before the deploy script runs.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 18:10:00 +00:00
Chris Farhood c8242599f9 Add RBAC manifest for E2E CI runner 
Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners
service account the minimum permissions needed to deploy/teardown an
E2E Headlamp instance in privilegedescalation-dev.

Fixes PRI-550.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 18:10:00 +00:00