From 1bf5c2431c4f2537e398e5503630a01e965948a6 Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Sat, 21 Mar 2026 03:15:06 +0000 Subject: [PATCH] ci: add RBAC preflight check to deploy-e2e-headlamp.sh Fails fast with a clear error and remediation hint if the runner SA lacks configmap delete permission, instead of dying mid-deploy. Co-Authored-By: Claude Sonnet 4.6 --- scripts/deploy-e2e-headlamp.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh index e25c14b..08512cc 100755 --- a/scripts/deploy-e2e-headlamp.sh +++ b/scripts/deploy-e2e-headlamp.sh @@ -32,6 +32,14 @@ if [ ! -d "$DIST_DIR" ]; then exit 1 fi +# --- Preflight: verify RBAC before touching the cluster --- +echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..." +if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then + echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2 + echo " Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2 + exit 1 +fi + echo "=== E2E Headlamp Deployment ===" echo " Image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}" echo " Namespace: $E2E_NAMESPACE"