From d5d16b2fe374a1ae9338321e1ad7f8dbc5076f16 Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Tue, 17 Mar 2026 12:41:24 +0000
Subject: [PATCH] fix(e2e): add cluster-scoped RBAC for CI runner

The Headlamp Helm chart manages ClusterRole and ClusterRoleBinding resources. The CI runner SA needs cluster-level permissions to get/update these during helm upgrade. Added ClusterRole and ClusterRoleBinding alongside the existing namespace-scoped Role.

Co-Authored-By: Paperclip
---
 deployment/e2e-ci-runner-rbac.yaml | 36 +++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index 90ee671..ee1fe3f 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -2,11 +2,37 @@
 # RBAC for the GitHub Actions CI runner to perform E2E test setup.
 # CI-only test fixture — NOT for production use.
 #
-# Grants the ARC runner service account permissions in kube-system to:
-# - Create/manage PVCs (shared plugin volume)
-# - Run temporary pods (plugin deploy helper)
-# - Manage Helm release resources (secrets, configmaps, services)
-# - Restart deployments (Headlamp rollout after plugin deploy)
+# The Headlamp Helm chart manages cluster-scoped resources (ClusterRole,
+# ClusterRoleBinding). The CI runner SA needs cluster-level read/write on
+# these resources for `helm upgrade` to succeed, plus namespace-scoped
+# permissions in kube-system for PVCs, pods, Helm secrets, etc.
+#
+# Apply with: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+
+# --- Cluster-scoped permissions (for Headlamp Helm chart resources) ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: e2e-ci-runner
+rules:
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["clusterroles", "clusterrolebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: e2e-ci-runner-binding
+subjects:
+  - kind: ServiceAccount
+    name: local-ubuntu-latest-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: ClusterRole
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io
+---
+# --- Namespace-scoped permissions (kube-system) ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
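Review bot: The new ClusterRole's single rule grants `get`/`update`/`patch`/`delete` on every ClusterRole and ClusterRoleBinding in the cluster, including the `system:` ones, with no `resourceNames`, so a CI runner SA that only needs to touch the Headlamp chart's objects can also modify or delete bindings that cluster components depend on. Kubernetes cannot scope `create` or `list` by resource name, so the rule should be split: keep `list`/`create` unscoped and restrict `get`/`update`/`patch`/`delete` to the chart-managed names, as in the fence (the names are placeholders to be taken from the Headlamp chart templates). Note that RBAC's escalation check will still reject creating or updating a ClusterRole whose rules the runner SA does not itself hold unless it is also granted `escalate`, so if `helm upgrade` keeps failing after this change that is the cause rather than this file. The subjects block binds an SA literally named `local-ubuntu-latest-gha-rs-no-permission`, which now receives cluster-scoped RBAC write; a comment such as `# ARC runner SA — despite its name, this binding grants it cluster RBAC write` would keep that visible to the next reader.
```yaml
rules:
  # create/list cannot be restricted by resourceNames, so they stay unscoped
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings"]
    verbs: ["list", "create"]
  # mutation limited to the objects the Headlamp chart manages
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings"]
    resourceNames: ["<HEADLAMP_CHART_CLUSTERROLE_NAME>", "<HEADLAMP_CHART_CLUSTERROLEBINDING_NAME>"]
    verbs: ["get", "update", "patch", "delete"]
# … unchanged: ClusterRoleBinding, namespace-scoped Role …
```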