fix(e2e): apply RBAC in workflow before pre-flight check

The E2E workflow now applies both RBAC manifests (e2e-ci-runner-rbac.yaml
and polaris-rbac.yaml) in the same step, then verifies permissions with a
two-namespace pre-flight check. This makes the workflow self-sufficient — no
manual RBAC application or cluster-prep step required before CI runs.

Changes:
- Workflow now applies e2e-ci-runner-rbac.yaml + polaris-rbac.yaml before
  the pre-flight check (previously only applied polaris-rbac.yaml and only
  checked, not applied, e2e-ci-runner-rbac.yaml)
- Pre-flight check verifies can-i delete configmaps in privilegedescalation-dev
  AND can-i get services/proxy in polaris before proceeding
- e2e-ci-runner-rbac.yaml now includes Role + RoleBinding for the polaris
  namespace so the CI runner can apply the dashboard proxy RBAC

Fixes PRI-264 / PRI-324.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/e2e.yaml

@@ -45,6 +45,25 @@ jobs:
       - name: Setup kubectl
         uses: azure/setup-kubectl@v4
 
+      - name: Apply RBAC for E2E workflow
+        run: |
+          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+          kubectl apply -f deployment/polaris-rbac.yaml
+
+      - name: RBAC pre-flight check
+        run: |
+          echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
+          if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
+            echo "::error::RBAC not applied or insufficient in ${E2E_NAMESPACE} — cannot proceed."
+            exit 1
+          fi
+          echo "Checking RBAC permissions in polaris namespace..."
+          if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
+            echo "::error::RBAC not applied or insufficient in polaris — cannot proceed."
+            exit 1
+          fi
+          echo "All RBAC pre-flight checks passed."
+
       - name: Install dependencies
         run: npm ci