From 9249f151a87c40e6625862a3192124b6e84dde9d Mon Sep 17 00:00:00 2001 From: Gandalf the Greybeard Date: Fri, 20 Mar 2026 22:29:00 +0000 Subject: [PATCH] fix: add ClusterRole for runner SA to verify headlamp-e2e namespace kubectl get namespace is cluster-scoped and requires a ClusterRole. The runner SA only had a namespaced Role, causing E2E to fail with Forbidden even when the namespace existed. Adds a minimal ClusterRole restricted to get on headlamp-e2e only. Co-Authored-By: Paperclip --- deployment/e2e-ci-runner-rbac.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 9cac04e..511d6dd 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -45,3 +45,29 @@ roleRef: kind: Role name: e2e-ci-runner apiGroup: rbac.authorization.k8s.io +--- +# ClusterRole to allow the runner SA to verify the headlamp-e2e namespace +# exists before attempting namespaced operations. kubectl get namespace is a +# cluster-scoped operation not coverable by a namespaced Role. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: e2e-ci-namespace-reader +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get"] + resourceNames: ["headlamp-e2e"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: e2e-ci-namespace-reader-binding +subjects: + - kind: ServiceAccount + name: runners-privilegedescalation-gha-rs-no-permission + namespace: arc-runners +roleRef: + kind: ClusterRole + name: e2e-ci-namespace-reader + apiGroup: rbac.authorization.k8s.io
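Review bot: The `resourceNames: ["headlamp-e2e"]` restriction on the new ClusterRole only bounds `get`; Kubernetes RBAC does not apply resourceNames to `list` or `watch`, so a check written as `kubectl get namespaces` (a list) will still be Forbidden even though the commit message says the check is `kubectl get namespace`. That is worth stating in the rule comment so the next person does not widen the verbs to fix it, e.g. `# Only "get" is granted: resourceNames does not bound list/watch, so the E2E check` / `# must request the namespace by name (kubectl get namespace headlamp-e2e).` The bound subject `runners-privilegedescalation-gha-rs-no-permission` looks by its name like a deliberately unprivileged runner identity; if so, the ClusterRoleBinding is the first cluster-scoped grant to it and a one-line comment on the binding recording why is useful for later audits. A less privileged alternative, if the existing namespaced Role already allows `get` on some resource in headlamp-e2e, is to probe that resource instead and drop the ClusterRole entirely — I cannot see the Role's rules from this hunk to confirm.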