privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix(e2e): apply RBAC in workflow before pre-flight check

Browse Source 
The E2E workflow now applies both RBAC manifests (e2e-ci-runner-rbac.yaml
and polaris-rbac.yaml) in the same step, then verifies permissions with a
two-namespace pre-flight check. This makes the workflow self-sufficient — no
manual RBAC application or cluster-prep step required before CI runs.

Changes:
- Workflow now applies e2e-ci-runner-rbac.yaml + polaris-rbac.yaml before
  the pre-flight check (previously only applied polaris-rbac.yaml and only
  checked, not applied, e2e-ci-runner-rbac.yaml)
- Pre-flight check verifies can-i delete configmaps in privilegedescalation-dev
  AND can-i get services/proxy in polaris before proceeding
- e2e-ci-runner-rbac.yaml now includes Role + RoleBinding for the polaris
  namespace so the CI runner can apply the dashboard proxy RBAC

Fixes PRI-264 / PRI-324.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-05-03 18:24:21 +00:00
committed by Hugh Hackman [agent]
parent 58c9597388
commit 3c6d77eb49
2 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/e2e.yaml
+19
View File
@@ -45,6 +45,25 @@ jobs:
- name: Setup kubectl
uses: azure/setup-kubectl@v4
- name: Apply RBAC for E2E workflow
run: |
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
kubectl apply -f deployment/polaris-rbac.yaml
- name: RBAC pre-flight check
run: |
echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
echo "::error::RBAC not applied or insufficient in ${E2E_NAMESPACE} — cannot proceed."
exit 1
fi
echo "Checking RBAC permissions in polaris namespace..."
if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
echo "::error::RBAC not applied or insufficient in polaris — cannot proceed."
exit 1
fi
echo "All RBAC pre-flight checks passed."
- name: Install dependencies
run: npm ci
deployment/e2e-ci-runner-rbac.yaml
+27
View File
@@ -44,3 +44,30 @@ roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
---
# RBAC for the CI runner to apply and verify Polaris dashboard RBAC.
# The E2E workflow applies deployment/polaris-rbac.yaml (Role + RoleBinding in polaris ns)
# and the pre-flight check verifies the proxy-reader role is present.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris-binding
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io