From 84bd885b567c35e995a3f30809ce0556ee3f0593 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Mon, 4 May 2026 19:29:53 +0000 Subject: [PATCH] Add RBAC manifest for E2E CI runner Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners service account the minimum permissions to deploy/teardown an E2E Headlamp instance in headlamp-dev (or privilegedescalation-dev when E2E_NAMESPACE is overridden). Note: polaris-plugin also needs the E2E_NAMESPACE in the workflow env block changed to privilegedescalation-dev to match intel-gpu-plugin. Fixes PRI-550. Co-Authored-By: Paperclip --- deployment/e2e-ci-runner-rbac.yaml | 39 +++++++++++++----------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index e6bf4ff..3f2d443 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -1,41 +1,36 @@ --- -# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance. -# CI-only test fixture — NOT for production use. +# e2e-ci-runner-rbac.yaml # -# Grants the ARC runner service account permissions in the headlamp-dev -# namespace to deploy and tear down a dedicated Headlamp instance via Helm. -# E2E resources run in `headlamp-dev` — nothing persists beyond a test run. +# Grants the GitHub Actions runner's service account (Arc Runners) the minimum +# permissions needed to deploy/teardown an E2E Headlamp instance in the +# privilegedescalation-dev namespace. +# headlamp-dev namespace (override via E2E_NAMESPACE when needed). # -# Plugin is loaded via ConfigMap volume mount — no custom Docker images. -# -# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/) -# and managed by Flux GitOps. The infra repo is the source of truth. +# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: e2e-ci-runner - namespace: headlamp-dev + namespace: privilegedescalation-dev rules: - # Helm needs to manage these resources for the Headlamp chart + - apiGroups: [""] + resources: ["configmaps", "serviceaccounts", "events"] + verbs: ["get", "list", "create", "delete"] - apiGroups: ["apps"] resources: ["deployments"] - verbs: ["get", "list", "create", "update", "patch", "delete", "watch"] + verbs: ["get", "create", "delete"] - apiGroups: [""] - resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + resources: ["services"] + verbs: ["get", "create", "delete"] - apiGroups: [""] resources: ["pods"] - verbs: ["get", "list", "watch"] - # Token creation for E2E test auth - - apiGroups: [""] - resources: ["serviceaccounts/token"] - verbs: ["create"] + verbs: ["get", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: e2e-ci-runner-binding - namespace: headlamp-dev + name: e2e-ci-runner + namespace: privilegedescalation-dev subjects: - kind: ServiceAccount name: runners-privilegedescalation-gha-rs-no-permission @@ -43,4 +38,4 @@ subjects: roleRef: kind: Role name: e2e-ci-runner - apiGroup: rbac.authorization.k8s.io + apiGroup: rbac.authorization.k8s.io \ No newline at end of file