From 599d5e4be7897000271d32ca01263e268167a983 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 4 May 2026 17:13:58 +0000
Subject: [PATCH] fix(e2e): add RBAC propagation delay and verification step
Add sleep 5 after applying e2e-ci-runner RBAC to handle Kubernetes subject access review caching. Without this delay, the CI runner's token does not immediately inherit the new permissions, causing the subsequent 'Apply Polaris dashboard RBAC' step to fail with: forbidden from roles in rbac.authorization.k8s.io API group Also add an explicit permission verification step that fails fast if the CI runner still lacks roles permission after the wait, rather than letting the error cascade into later steps.
Co-Authored-By: Paperclip
---
 .github/workflows/e2e.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 704ecc0..2f6df17 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -46,7 +46,12 @@ jobs:
 uses: azure/setup-kubectl@v4
 - name: Apply RBAC for E2E pipeline
- run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+ run: |
+ kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+ echo "Waiting for RBAC propagation (Kubernetes subject access review caching)..."
+ sleep 5
+ echo "Verifying CI runner permissions..."
+ kubectl auth can-i create roles -n headlamp-dev --as="system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission" || { echo "::error::CI runner still lacks roles permission after propagation wait"; exit 1; }
 - name: Apply Polaris dashboard RBAC
 run: kubectl apply -f deployment/polaris-rbac.yaml
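Review bot: The fixed `sleep 5` in the new `run: |` block is a guess at propagation time, and the single `kubectl auth can-i` after it fails the job on the first "no"; polling the same check a bounded number of times would drop the unconditional wait and tolerate a slower cluster. The check relies on `--as`, so the identity running the step (configured outside this hunk) needs impersonate rights on that service account. A denial or API error on the impersonation itself would presumably surface through the `||` branch as "still lacks roles permission", which misattributes the cause. It also verifies only `create` on roles, while `kubectl apply -f deployment/polaris-rbac.yaml` may need `get`/`patch` and rolebindings as well; that manifest is not visible here, so the verb list should be confirmed against it. The retry count in the sketch below is an illustrative value, not taken from the commit.

```yaml
        run: |
          # … unchanged: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml …
          echo "Verifying CI runner permissions..."
          sa="system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission"
          granted=false
          for attempt in 1 2 3 4 5 6; do
            if kubectl auth can-i create roles -n headlamp-dev --as="$sa"; then
              granted=true
              break
            fi
            echo "Attempt ${attempt}: permission not visible yet, retrying in 5s..."
            sleep 5
          done
          if [ "$granted" != "true" ]; then
            echo "::error::CI runner still lacks roles permission after propagation wait"
            exit 1
          fi
```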