privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix(e2e): make workflow self-sufficient with RBAC apply steps (PRI-324)

Browse Source 
- Apply e2e-ci-runner RBAC + polaris RBAC in workflow before pre-flight check
- Add e2e-ci-runner-polaris Role+RoleBinding so CI runner can manage polaris namespace RBAC
- Add roles/rolebindings CRUD to e2e-ci-runner Role (headlamp-dev namespace)
- Collapsed MISSING_ROLE/MISSING_ROLEBINDING into single MISSING flag (QA nit)
- Drop non-standard --quiet flag on kubectl auth can-i (QA nit)

Address PRI-324 QA feedback: workflow now applies its own RBAC so the pre-flight
check is meaningful and the green path is achievable.
This commit is contained in:
Chris Farhood
2026-05-05 19:29:47 +00:00
committed by Gandalf the Greybeard [agent]
parent aa1db9215a
commit d126010eaf
3 changed files with 155 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deployment/e2e-ci-runner-rbac.yaml
+28
View File
@@ -30,6 +30,34 @@ rules:
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
# Apply Polaris dashboard RBAC in the polaris namespace
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding