fix(e2e): apply RBAC in workflow before pre-flight check
The E2E workflow now applies both RBAC manifests (e2e-ci-runner-rbac.yaml and polaris-rbac.yaml) in the same step, then verifies permissions with a two-namespace pre-flight check. This makes the workflow self-sufficient — no manual RBAC application or cluster-prep step required before CI runs. Changes: - Workflow now applies e2e-ci-runner-rbac.yaml + polaris-rbac.yaml before the pre-flight check (previously only applied polaris-rbac.yaml and only checked, not applied, e2e-ci-runner-rbac.yaml) - Pre-flight check verifies can-i delete configmaps in privilegedescalation-dev AND can-i get services/proxy in polaris before proceeding - e2e-ci-runner-rbac.yaml now includes Role + RoleBinding for the polaris namespace so the CI runner can apply the dashboard proxy RBAC Fixes PRI-264 / PRI-324. Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -45,6 +45,25 @@ jobs:
|
|||||||
- name: Setup kubectl
|
- name: Setup kubectl
|
||||||
uses: azure/setup-kubectl@v4
|
uses: azure/setup-kubectl@v4
|
||||||
|
|
||||||
|
- name: Apply RBAC for E2E workflow
|
||||||
|
run: |
|
||||||
|
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
|
||||||
|
kubectl apply -f deployment/polaris-rbac.yaml
|
||||||
|
|
||||||
|
- name: RBAC pre-flight check
|
||||||
|
run: |
|
||||||
|
echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
|
||||||
|
if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
|
||||||
|
echo "::error::RBAC not applied or insufficient in ${E2E_NAMESPACE} — cannot proceed."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "Checking RBAC permissions in polaris namespace..."
|
||||||
|
if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
|
||||||
|
echo "::error::RBAC not applied or insufficient in polaris — cannot proceed."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "All RBAC pre-flight checks passed."
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: npm ci
|
run: npm ci
|
||||||
|
|
||||||
|
|||||||
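Review bot: The new `Apply RBAC for E2E workflow` step runs both `kubectl apply` commands under the runner's own identity, so it cannot bootstrap itself: Kubernetes rejects creating a Role or RoleBinding that carries permissions the caller does not already hold unless the caller has `escalate`/`bind`. On a cluster where `deployment/e2e-ci-runner-rbac.yaml` has never been applied by an admin this step will presumably fail, which contradicts the "no manual RBAC application" claim in the description; I would add a comment above the step such as `# Requires a one-time admin apply of deployment/e2e-ci-runner-rbac.yaml; the runner cannot grant itself these rights.` Both manifests are also read from the checked-out tree, so if this workflow runs for pull requests (the triggers are outside the hunk) the PR author decides what RBAC gets applied, and the step should be limited to trusted refs. Separately, `2>/dev/null` on the two `can-i` calls hides API and authentication errors, so a connectivity failure is reported as missing RBAC; dropping the redirect keeps the real cause in the log.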
@@ -44,3 +44,30 @@ roleRef:
|
|||||||
kind: Role
|
kind: Role
|
||||||
name: e2e-ci-runner
|
name: e2e-ci-runner
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
|
# RBAC for the CI runner to apply and verify Polaris dashboard RBAC.
|
||||||
|
# The E2E workflow applies deployment/polaris-rbac.yaml (Role + RoleBinding in polaris ns)
|
||||||
|
# and the pre-flight check verifies the proxy-reader role is present.
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: e2e-ci-runner-polaris
|
||||||
|
namespace: polaris
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
||||||
|
resources: ["roles", "rolebindings"]
|
||||||
|
verbs: ["get", "list", "create", "update", "patch", "delete"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: e2e-ci-runner-polaris-binding
|
||||||
|
namespace: polaris
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: runners-privilegedescalation-gha-rs-no-permission
|
||||||
|
namespace: arc-runners
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: e2e-ci-runner-polaris
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|||||||
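Review bot: The single rule in `e2e-ci-runner-polaris` gives the runner service account `update`, `patch` and `delete` on every Role and RoleBinding in the polaris namespace, not only the objects `deployment/polaris-rbac.yaml` defines, so a compromised or misbehaving CI job could alter or remove other workloads' bindings there. I would split the rule: keep `create` and `list` unscoped, since `resourceNames` cannot constrain them, and move `get`, `update`, `patch`, `delete` into a second rule with `resourceNames: ["<role-and-binding-names-from-polaris-rbac.yaml>"]`. The header comment also says the pre-flight check "verifies the proxy-reader role is present", while the workflow's check is `kubectl auth can-i get services/proxy`, which tests the caller's effective permission rather than the Role's existence; the comment should be reworded to match, e.g. `# and the pre-flight check verifies the runner can get services/proxy in polaris.`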