Chris Farhood
c1ad0063cc
kubectl apply requires get/list/watch on roles/rolebindings to check existing state before patching. Without these, apply fails with Forbidden on the GET call itself. Co-Authored-By: Paperclip <noreply@paperclip.ing>
43 lines
1.3 KiB
YAML
43 lines
1.3 KiB
YAML
---
|
|
# e2e-ci-runner-rbac.yaml
|
|
#
|
|
# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
|
|
# permissions needed to deploy/teardown an E2E Headlamp instance in the
|
|
# privilegedescalation-dev namespace.
|
|
#
|
|
# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: e2e-ci-runner
|
|
namespace: privilegedescalation-dev
|
|
rules:
|
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
|
resources: ["roles", "rolebindings"]
|
|
verbs: ["get", "list", "watch", "create", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["configmaps", "serviceaccounts", "events"]
|
|
verbs: ["get", "list", "create", "delete"]
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments"]
|
|
verbs: ["get", "create", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["services"]
|
|
verbs: ["get", "create", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "list"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: e2e-ci-runner
|
|
namespace: privilegedescalation-dev
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: runners-privilegedescalation-gha-rs-no-permission
|
|
namespace: arc-runners
|
|
roleRef:
|
|
kind: Role
|
|
name: e2e-ci-runner
|
|
apiGroup: rbac.authorization.k8s.io |