diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 9cac04e..511d6dd 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -45,3 +45,29 @@ roleRef:
   kind: Role
   name: e2e-ci-runner
   apiGroup: rbac.authorization.k8s.io
+---
+# ClusterRole to allow the runner SA to verify the headlamp-e2e namespace
+# exists before attempting namespaced operations. kubectl get namespace is a
+# cluster-scoped operation not coverable by a namespaced Role.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: e2e-ci-namespace-reader
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get"]
+    resourceNames: ["headlamp-e2e"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: e2e-ci-namespace-reader-binding
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: ClusterRole
+  name: e2e-ci-namespace-reader
+  apiGroup: rbac.authorization.k8s.io
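Review bot: The new ClusterRole is correctly narrowed with `resourceNames`, but `get` on a named resource never authorizes `list`, so a bare `kubectl get namespaces` will still be Forbidden; the header comment should read `kubectl get namespace headlamp-e2e` rather than `kubectl get namespace` so nobody later widens `verbs` to `list` to "fix" that error and loses the single-name scoping. The subject `runners-privilegedescalation-gha-rs-no-permission` looks like the ARC-generated runner service account whose name advertises that it carries no permissions, so a one-line comment above the ClusterRoleBinding such as `# Grants this SA a cluster-scoped (single-name) read on namespace headlamp-e2e; keep verbs at get only.` would help an auditor grepping ClusterRoleBindings. Worth verifying before merging: the API server sets the request namespace to the namespace's own name for `GET /api/v1/namespaces/<name>`, so a RoleBinding in `headlamp-e2e` referencing this ClusterRole may be sufficient and would avoid a cluster-wide binding altogether; if that holds, the comment's claim that this is "not coverable by a namespaced Role" should be softened.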