ci: add RBAC manifest for Polaris dashboard service proxy access

E2E tests fail with 403 because users lack RBAC to proxy to the Polaris dashboard service. The plugin reads audit data via the K8s service proxy at /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/.

Add deployment/polaris-rbac.yaml with:
- Role granting `get` on `services/proxy` for polaris-dashboard
- RoleBinding granting this to all authenticated users (read-only)

The E2E workflow also needs a `kubectl apply -f deployment/polaris-rbac.yaml` step added before running tests. This requires the `workflows` permission on the GitHub App, which is tracked separately.

Refs: PRI-28

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@@ -0,0 +1,28 @@
# RBAC to allow authenticated users to proxy to the Polaris dashboard service.
# The polaris plugin reads audit data via the Kubernetes service proxy:
# /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json
# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: polaris-dashboard-proxy-reader
namespace: polaris
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: polaris-dashboard-proxy-reader
namespace: polaris
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: polaris-dashboard-proxy-reader
apiGroup: rbac.authorization.k8s.io
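
Review bot: The RoleBinding subject `name: system:authenticated` gives every authenticated identity in the cluster, service accounts in all namespaces included, `get` on the dashboard's `services/proxy`, which is wider than the E2E users that hit the 403. Consider binding to the specific group, user or service account the E2E run authenticates as; if cluster-wide read access to the Polaris audit results is intended, state that in the header comment so the scope is a recorded decision. The Role also restricts by `resourceNames` only, so the grant covers any GET path behind the proxy and not just the `results.json` path named in the comment; worth noting in the comment as well.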