infra: add RBAC manifest for E2E runner Headlamp deploy access
The self-hosted GitHub Actions runner SA needs pod list/get and pods/exec permissions in kube-system to deploy plugin files to Headlamp during E2E tests. Without this, the deploy step fails with a 403 Forbidden error. A cluster admin must apply this manifest to unblock E2E.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -0,0 +1,35 @@
# RBAC for GitHub Actions E2E runner to deploy plugins to Headlamp.
#
# The self-hosted runner SA needs to:
# - list/get pods in kube-system (to find the Headlamp pod)
# - exec into the Headlamp pod (to copy plugin files and restart)
#
# Apply with: kubectl apply -f deployment/e2e-runner-rbac.yaml
#
# Adjust the ServiceAccount name/namespace if your runner setup differs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-runner-headlamp-deploy
namespace: kube-system
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-runner-headlamp-deploy
namespace: kube-system
subjects:
- kind: ServiceAccount
name: local-ubuntu-latest-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-runner-headlamp-deploy
apiGroup: rbac.authorization.k8s.io
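Review bot: The `pods/exec` rule (verbs: ["create"], no `resourceNames`) lets the runner ServiceAccount exec into every pod in kube-system, not only the Headlamp pod that the header comment describes, so any workflow that runs on this self-hosted runner gains command execution in all of that namespace's workloads. Consider running the E2E Headlamp instance in a dedicated namespace and creating the Role and RoleBinding there, or, if the pod name can be made stable, adding `resourceNames` to the `pods/exec` rule. The `pods` list/get rule likewise covers all kube-system pods. The subject `local-ubuntu-latest-gha-rs-no-permission` in `arc-runners` is hard-coded while the comment says to adjust it per setup; a short comment on how to find the runner's actual ServiceAccount would help the cluster admin who applies this.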