Add polaris namespace RBAC for CI runner

The E2E workflow now applies deployment/polaris-rbac.yaml before
the pre-flight check to make the workflow self-sufficient. This requires
the CI runner to have permissions in the polaris namespace.

Before: CI runner could only READ roles/rolebindings in polaris (for
the detection step). After: CI runner can APPLY the RBAC manifest
and manage the resulting Role + RoleBinding.

This is a pure infrastructure/RBAC change — no application code modified.

Fixes: PRI-324

Co-Authored-By: Paperclip <noreply@paperclip.ing>

deployment/e2e-ci-runner-rbac.yaml

@@ -31,6 +31,41 @@ rules:
     resources: ["serviceaccounts/token"]
     verbs: ["create"]
 ---
+# RBAC for CI runner to apply Polaris dashboard RBAC in the polaris namespace.
+# The E2E workflow runs `kubectl apply -f deployment/polaris-rbac.yaml` before
+# the pre-flight check to make the workflow self-sufficient.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner-polaris
+  namespace: polaris
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner-polaris
+  apiGroup: rbac.authorization.k8s.io
+rules:
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-polaris-binding
+  namespace: polaris
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner-polaris
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata: