infra: add RBAC manifest for E2E runner Headlamp deploy access
The self-hosted GitHub Actions runner SA needs pod list/get and pods/exec permissions in kube-system to deploy plugin files to Headlamp during E2E tests. Without this, the deploy step fails with a 403 Forbidden error. A cluster admin must apply this manifest to unblock E2E. Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
@@ -0,0 +1,35 @@
|
||||
# RBAC for GitHub Actions E2E runner to deploy plugins to Headlamp.
|
||||
#
|
||||
# The self-hosted runner SA needs to:
|
||||
# - list/get pods in kube-system (to find the Headlamp pod)
|
||||
# - exec into the Headlamp pod (to copy plugin files and restart)
|
||||
#
|
||||
# Apply with: kubectl apply -f deployment/e2e-runner-rbac.yaml
|
||||
#
|
||||
# Adjust the ServiceAccount name/namespace if your runner setup differs.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: e2e-runner-headlamp-deploy
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["list", "get"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods/exec"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: e2e-runner-headlamp-deploy
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: local-ubuntu-latest-gha-rs-no-permission
|
||||
namespace: arc-runners
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: e2e-runner-headlamp-deploy
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
Reference in New Issue
Block a user