fix(e2e): grant cross-namespace RBAC for Polaris dashboard proxy access
The E2E Headlamp instance runs in privilegedescalation-dev but needs to proxy to the Polaris dashboard service in the polaris namespace to fetch audit results.

Root cause:
- E2E tests consistently fail with 'Polaris dashboard not reachable' because the in-cluster Headlamp (running as ServiceAccount headlamp-e2e-test in privilegedescalation-dev) lacks permission to proxy to polaris-dashboard in the polaris namespace
- The default RBAC only covered the privilegedescalation-dev namespace
- The error manifests as a 503 from the Kubernetes API proxy, causing the loading spinner to persist indefinitely in E2E runs

Fix:
- Add a new Role + RoleBinding for the polaris namespace that grants get+proxy on the polaris-dashboard service
- The ARC runner's ServiceAccount (runners-privilegedescalation-gha-rs-no-permission in arc-runners) is the subject for both bindings, matching the existing pattern
- Add a pre-flight check in deploy-e2e-headlamp.sh that warns if Polaris proxy RBAC is missing, so CI output makes the issue self-diagnosing

Note: This RBAC change must be applied to the cluster before E2E runs will pass. The deploy script detects and warns about the missing permission.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -44,3 +44,30 @@ roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner
namespace: polaris
rules:
# E2E Headlamp needs to proxy to the Polaris dashboard service to fetch audit results.
# The service account in privilegedescalation-dev is granted get+proxy on polaris-dashboard.
- apiGroups: [""]
resources: ["services/proxy"]
verbs: ["get"]
resourceNames: ["polaris-dashboard"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-binding
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
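Review bot: the subject of the new RoleBinding in the polaris namespace does not match what the rule's own comment and the commit message describe. The comment on the rule says the service account in privilegedescalation-dev is granted access to polaris-dashboard, but the binding's only subject is ServiceAccount runners-privilegedescalation-gha-rs-no-permission in arc-runners; if the in-cluster Headlamp issues the proxy request with its own token (headlamp-e2e-test in privilegedescalation-dev, per the commit message), this Role does not cover it and the 503 persists. Either add that ServiceAccount as a second subject or correct the comment to name the runner SA. Separately, the rule grants only `verbs: ["get"]` on `services/proxy`, which is the right least-privilege shape for read-only proxying (the proxy subresource maps HTTP GET to the get verb), so the "get+proxy" wording in the comment and commit message should read "get on services/proxy" rather than suggest a distinct proxy verb is granted. The `resourceNames: ["polaris-dashboard"]` restriction is good; keep it, since an unscoped `services/proxy` grant would allow reaching any Service in the namespace.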
@@ -39,6 +39,13 @@ if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/nul
exit 1
fi
echo "Checking RBAC for Polaris dashboard proxy access..."
if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
echo "WARNING: Missing RBAC — cannot proxy to polaris-dashboard in namespace 'polaris'." >&2
echo " E2E tests that depend on Polaris data may fail." >&2
echo " Apply the polaris namespace RBAC: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
fi
echo "=== E2E Headlamp Deployment ==="
echo " Image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
echo " Namespace: $E2E_NAMESPACE"
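Review bot: the pre-flight check `kubectl auth can-i get services/proxy -n polaris` does not test the permission the new Role grants. In that argument position kubectl parses `TYPE/NAME`, so this asks whether the caller can `get` a Service named `proxy` in `polaris`, not the `proxy` subresource of `polaris-dashboard`. With the Role from this change applied (a `services/proxy` rule scoped by `resourceNames`) the answer is still "no", so the WARNING fires on every run, while a broad `get services` grant would silence it without actually allowing proxying. Use the subresource flag together with the resource name, e.g. `kubectl auth can-i get services/polaris-dashboard --subresource=proxy -n polaris --quiet`. Note also that `can-i` evaluates the runner's own credentials, which matches the RoleBinding subject but not the headlamp-e2e-test ServiceAccount the commit message says Headlamp runs as; if Headlamp proxies with its own token, check that identity too (for example with `--as=system:serviceaccount:privilegedescalation-dev:headlamp-e2e-test`, where the runner is allowed to impersonate), otherwise the check can pass while the UI still gets the 503.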