From 47475e33577f5b73cfa57da87db833c221e3fc34 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 4 May 2026 15:20:03 +0000
Subject: [PATCH] fix(e2e): make Polaris e2e CI self-sufficient with RBAC in workflow
Canonical fix for PRI-513: resolve Polaris e2e CI failures by applying RBAC directly in the workflow rather than depending on pre-existing Flux-managed RBAC that may not have converged.
Changes:
- .github/workflows/e2e.yaml: add workflow steps to apply both e2e-ci-runner-rbac.yaml (headlamp-dev namespace) and polaris-rbac.yaml (polaris namespace) before the pre-flight check, plus a pre-flight RBAC verification step
- deployment/e2e-ci-runner-rbac.yaml: add a Role + RoleBinding for the polaris namespace so the CI runner can apply polaris-rbac.yaml
This is the canonical form combining the best elements of stacking PRs:
- Self-sufficient workflow (no external RBAC dependency)
- RBAC pre-flight check for fast failure
- read-write permissions for polaris namespace (same as main stacks)
Supersedes: PRs #122, #124, #125
Co-Authored-By: Paperclip
---
.github/workflows/e2e.yaml | 20 ++++++++++++++++++++
deployment/e2e-ci-runner-rbac.yaml | 28 ++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 7ee92ce..704ecc0 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -45,6 +45,26 @@ jobs:
 - name: Setup kubectl
 uses: azure/setup-kubectl@v4
+ - name: Apply RBAC for E2E pipeline
+ run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+
+ - name: Apply Polaris dashboard RBAC
+ run: kubectl apply -f deployment/polaris-rbac.yaml
+
+ - name: RBAC pre-flight check
+ run: |
+ echo "Checking RBAC resources..."
+ MISSING=0
+ kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
+ kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
+ kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null || MISSING=1
+ if [ "$MISSING" -eq 0 ]; then
+ echo "RBAC pre-flight check passed."
+ else
+ echo "::error::RBAC pre-flight check failed. Missing required permissions."
+ exit 1
+ fi
+
 - name: Install dependencies
 run: npm ci
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index e6bf4ff..069c5ee 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
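Review bot: The two `kubectl apply` steps grant and rewrite namespace RBAC from whatever ref the workflow checked out, so if this job runs on `pull_request` (the trigger is outside the hunk) a PR author can edit `deployment/polaris-rbac.yaml` or `deployment/e2e-ci-runner-rbac.yaml` and have CI apply it with the runner's credentials, including the `delete` on roles/rolebindings this commit adds. Gate those steps on a trusted ref, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or apply the manifests from the base branch rather than from the checkout under test. The pre-flight step also reads `$E2E_NAMESPACE` without defining it in this hunk; the default `bash -e` step shell does not enable `-u`, and an empty `-n ""` appears to fall back to the kubeconfig context namespace, so the `auth can-i` line would silently test the wrong namespace — add `: "${E2E_NAMESPACE:?E2E_NAMESPACE must be set}"` as the first line of the script. The two `kubectl get role`/`rolebinding` lines only re-confirm objects the preceding apply step just created; a `kubectl auth can-i` for the verbs the tests actually need in `polaris` would be a more meaningful pre-flight.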
@@ -30,6 +30,34 @@ rules:
 - apiGroups: [""]
 resources: ["serviceaccounts/token"]
 verbs: ["create"]
+ # Apply Polaris dashboard RBAC in the polaris namespace
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "rolebindings"]
+ verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: e2e-ci-runner-polaris
+ namespace: polaris
+rules:
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "rolebindings"]
+ verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: e2e-ci-runner-polaris
+ namespace: polaris
+subjects:
+ - kind: ServiceAccount
+ name: runners-privilegedescalation-gha-rs-no-permission
+ namespace: arc-runners
+roleRef:
+ kind: Role
+ name: e2e-ci-runner-polaris
+ apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
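Review bot: The new `e2e-ci-runner-polaris` Role gives the runner service account unrestricted `update`/`patch`/`delete` over every Role and RoleBinding in `polaris`, while the workflow only ever manages `polaris-dashboard-proxy-reader`; pin the non-create verbs with `resourceNames` so CI cannot remove or rewrite the dashboard's other RBAC (`create` cannot be name-scoped, and `list` is not needed by `kubectl apply`). The comment `# Apply Polaris dashboard RBAC in the polaris namespace` is attached to a rule inside the preceding Role, whose header is outside the hunk and which per the commit message lives in `headlamp-dev`; a namespaced Role cannot grant anything in another namespace, so that comment should describe what the rule does in its own namespace, e.g. `# Let the runner re-apply its own Role/RoleBinding in this namespace`. Note also that Kubernetes' RBAC escalation prevention only lets a subject create or update a Role/RoleBinding whose permissions it already holds (absent the `escalate`/`bind` verbs), so these objects must be created once by a more privileged identity (presumably Flux) before the workflow can re-apply them — the "no external RBAC dependency" claim in the description does not hold for this file, and a run on a cluster without that bootstrap would still fail at the apply step.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: e2e-ci-runner-polaris
  namespace: polaris
rules:
  # create cannot be restricted by resourceNames (the name is not known
  # at admission time), so it stays unscoped; every other verb is pinned
  # to the single object the e2e workflow manages.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["create"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    resourceNames: ["polaris-dashboard-proxy-reader"]
    verbs: ["get", "update", "patch", "delete"]
# … unchanged: RoleBinding e2e-ci-runner-polaris …
```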