privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix: move E2E test namespace from default to privilegedescalation-dev

Browse Source 
Per org RBAC policy, development/testing Headlamp instances must run in
`privilegedescalation-dev`, not `default`. Agents only have read-write
access in `privilegedescalation` and `privilegedescalation-dev` — the
`default` namespace is outside our permitted scope.

Updated:
- deployment/e2e-ci-runner-rbac.yaml: Role/RoleBinding now targets privilegedescalation-dev
- deployment/headlamp-e2e-values.yaml: comment updated
- scripts/deploy-e2e-headlamp.sh: default namespace changed
- scripts/teardown-e2e-headlamp.sh: default namespace changed

Note: .github/workflows/e2e.yaml still sets E2E_NAMESPACE: default and
needs a separate update — delegated to Hugh Hackman (workflow owner).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Gandalf the Greybeard
2026-03-21 19:51:18 +00:00
parent a5398e8409
commit 6e9c97593c
4 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deployment/e2e-ci-runner-rbac.yaml
+5 -5
View File
@@ -2,9 +2,9 @@
# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
# CI-only test fixture — NOT for production use.
#
# Grants the ARC runner service account permissions in the default namespace
# to deploy and tear down a dedicated Headlamp instance via Helm.
# E2E resources run in `default` — nothing persists beyond a test run.
# Grants the ARC runner service account permissions in the privilegedescalation-dev
# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
#
# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
#
@@ -14,7 +14,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner
namespace: default
namespace: privilegedescalation-dev
rules:
# Helm needs to manage these resources for the Headlamp chart
- apiGroups: ["apps"]
@@ -35,7 +35,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-binding
namespace: default
namespace: privilegedescalation-dev
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
deployment/headlamp-e2e-values.yaml
+1 -1
View File
@@ -7,7 +7,7 @@
#
# Usage:
# helm install headlamp-e2e headlamp/headlamp \
# -n default \
# -n privilegedescalation-dev \
# -f deployment/headlamp-e2e-values.yaml \
# --set image.registry=ghcr.io \
# --set image.repository=headlamp-k8s/headlamp \