From d00fabbd58e49f2581a475183cebe506a8079774 Mon Sep 17 00:00:00 2001
From: "gandalf-the-greybeard[bot]"
Date: Sun, 8 Mar 2026 14:14:52 +0000
Subject: [PATCH] ci: add RBAC manifest for Polaris dashboard service proxy access E2E tests fail with 403 because users lack RBAC to proxy to the Polaris dashboard service. The plugin reads audit data via the K8s service proxy at /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/. Add deployment/polaris-rbac.yaml with: - Role granting `get` on `services/proxy` for polaris-dashboard - RoleBinding granting this to all authenticated users (read-only) The E2E workflow also needs a `kubectl apply -f deployment/polaris-rbac.yaml` step added before running tests. This requires the `workflows` permission on the GitHub App, which is tracked separately. Refs: PRI-28 Co-Authored-By: Claude Opus 4.6
---
deployment/polaris-rbac.yaml | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 deployment/polaris-rbac.yaml
diff --git a/deployment/polaris-rbac.yaml b/deployment/polaris-rbac.yaml
new file mode 100644
index 0000000..a3b3629
--- /dev/null
+++ b/deployment/polaris-rbac.yaml
@@ -0,0 +1,28 @@
+# RBAC to allow authenticated users to proxy to the Polaris dashboard service.
+# The polaris plugin reads audit data via the Kubernetes service proxy:
+# /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json
+# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: polaris-dashboard-proxy-reader
+ namespace: polaris
+rules:
+ - apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: polaris-dashboard-proxy-reader
+ namespace: polaris
+subjects:
+ - kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: polaris-dashboard-proxy-reader
+ apiGroup: rbac.authorization.k8s.io
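Review bot: The RoleBinding subject `system:authenticated` covers every authenticated principal, including every service account in the cluster, so any workload token can read the Polaris audit results through the service proxy. RBAC cannot narrow a `services/proxy` rule by URL path, so `get` reaches every GET endpoint the dashboard serves, not only the `results.json` path named in the header comment. The manifest sits under `deployment/` rather than a test-only directory, so if it is meant for the E2E cluster only the header should say so, for example `# Test clusters only: system:authenticated includes every service account.` For shared clusters, binding a dedicated group instead (`name: <headlamp-users-group>`, placeholder) would keep the cluster-wide misconfiguration report away from unrelated workloads.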