chore: add RBAC manifest for E2E CI runner

Documents the Role and RoleBinding applied to the cluster for the ARC runner service account. Grants permissions in kube-system needed for shared volume plugin deployment (PVCs, pods, Helm resources). Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-17 12:18:36 +00:00
parent d4af8c035f
commit e9f3fdc971
1 changed files with 53 additions and 0 deletions
@@ -0,0 +1,53 @@
+---
+# RBAC for the GitHub Actions CI runner to perform E2E test setup.
+# CI-only test fixture — NOT for production use.
+#
+# Grants the ARC runner service account permissions in kube-system to:
+# - Create/manage PVCs (shared plugin volume)
+# - Run temporary pods (plugin deploy helper)
+# - Manage Helm release resources (secrets, configmaps, services)
+# - Restart deployments (Headlamp rollout after plugin deploy)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "create", "delete", "watch"]
+  - apiGroups: [""]
+    resources: ["pods/attach"]
+    verbs: ["create", "get"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "patch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-binding
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: local-ubuntu-latest-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io