fix(e2e): add RBAC propagation delay and verification step

Add sleep 5 after applying e2e-ci-runner RBAC to handle Kubernetes
subject access review caching. Without this delay, the CI runner's
token does not immediately inherit the new permissions, causing
the subsequent 'Apply Polaris dashboard RBAC' step to fail with:
  forbidden from roles in rbac.authorization.k8s.io API group

Also add an explicit permission verification step that fails fast
if the CI runner still lacks roles permission after the wait,
rather than letting the error cascade into later steps.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 17:13:58 +00:00
committed by Hugh Hackman [agent]
parent 47475e3357
commit 599d5e4be7
+6 -1
@@ -46,7 +46,12 @@ jobs:
uses: azure/setup-kubectl@v4
- name: Apply RBAC for E2E pipeline
run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
run: |
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
echo "Waiting for RBAC propagation (Kubernetes subject access review caching)..."
sleep 5
echo "Verifying CI runner permissions..."
kubectl auth can-i create roles -n headlamp-dev --as="system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission" || { echo "::error::CI runner still lacks roles permission after propagation wait"; exit 1; }
- name: Apply Polaris dashboard RBAC
run: kubectl apply -f deployment/polaris-rbac.yaml
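Review bot: The fixed `sleep 5` in the "Apply RBAC for E2E pipeline" run block is a guessed delay, so the step can still fail on a slow cluster and wastes five seconds on a fast one. Polling the same `kubectl auth can-i create roles -n headlamp-dev --as=...` check in a bounded retry loop, with a short sleep between attempts and the `::error::` line emitted only after the last attempt, would make the wait both shorter and more reliable. Two further points on the verification line: `--as` requires the calling identity to hold impersonate rights on that service account, so if the job already runs as the runner service account the flag can be dropped. The check also covers only `create` on roles, whereas `kubectl apply` needs `get` and `patch` as well once the objects exist, and since `deployment/polaris-rbac.yaml` is not visible here, any rolebindings it contains would need their own `can-i` check.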