privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

Compare commits

merge into: privilegedescalation/headlamp-polaris-plugin:dev
Branches Tags
privilegedescalation/headlamp-polaris-plugin:main privilegedescalation/headlamp-polaris-plugin:gandalf/fix-echo-printf-pri-1757 privilegedescalation/headlamp-polaris-plugin:pri-1737-inline-release privilegedescalation/headlamp-polaris-plugin:gandalf/cleanup-agent-artifacts privilegedescalation/headlamp-polaris-plugin:dev privilegedescalation/headlamp-polaris-plugin:gandalf/cleanup-root-artifacts privilegedescalation/headlamp-polaris-plugin:uat privilegedescalation/headlamp-polaris-plugin:promote/uat-artifacthub-v1.0.1 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-promotion-gate-ci privilegedescalation/headlamp-polaris-plugin:pri-1681-update-artifacthub-1.0.1 privilegedescalation/headlamp-polaris-plugin:fix/release-tarball-pattern privilegedescalation/headlamp-polaris-plugin:gandalf/pri-1671-pnpm-install privilegedescalation/headlamp-polaris-plugin:nancy/fix-dual-approval-uat-regress privilegedescalation/headlamp-polaris-plugin:gandalf/pri-1659-inline-release-workflow privilegedescalation/headlamp-polaris-plugin:gandalf/pri-1636-inline-dual-approval privilegedescalation/headlamp-polaris-plugin:inline-ci-2adb87e5 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-polaris-ah-url privilegedescalation/headlamp-polaris-plugin:docs/update-headlamp-namespace privilegedescalation/headlamp-polaris-plugin:hugh/fix-stale-rbac-path-pri-1002 privilegedescalation/headlamp-polaris-plugin:gandalf/remove-orphaned-polaris-rbac-pri-917 privilegedescalation/headlamp-polaris-plugin:gandalf/reference-shared-infra-rbac-pri-750 privilegedescalation/headlamp-polaris-plugin:hugh/update-rbac-to-shared-infra privilegedescalation/headlamp-polaris-plugin:gandalf/add-renovate-github-action privilegedescalation/headlamp-polaris-plugin:pr-142 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-rbac-workflow-pri-324 privilegedescalation/headlamp-polaris-plugin:gandalf/rename-ns-headlamp-dev privilegedescalation/headlamp-polaris-plugin:gandalf/remove-privilegedescalation-dev-namespace privilegedescalation/headlamp-polaris-plugin:pr-132-fix privilegedescalation/headlamp-polaris-plugin:gandalf/fix-rbac-manifest-PRI-555 privilegedescalation/headlamp-polaris-plugin:chore/scrub-dependabot-references privilegedescalation/headlamp-polaris-plugin:gandalf/fix-markdown-lint-pri-391 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-e2e-rbac-pri-313 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-e2e-polaris-rbac privilegedescalation/headlamp-polaris-plugin:gandalf/fix-lodash-lockfile privilegedescalation/headlamp-polaris-plugin:fix/e2e-concurrency-serialization
privilegedescalation/headlamp-polaris-plugin:v1.0.1 privilegedescalation/headlamp-polaris-plugin:v1.0.0 privilegedescalation/headlamp-polaris-plugin:v0.7.2 privilegedescalation/headlamp-polaris-plugin:v0.7.1 privilegedescalation/headlamp-polaris-plugin:v0.7.0 privilegedescalation/headlamp-polaris-plugin:v0.6.0 privilegedescalation/headlamp-polaris-plugin:v0.5.2 privilegedescalation/headlamp-polaris-plugin:v0.5.1 privilegedescalation/headlamp-polaris-plugin:v0.5.0 privilegedescalation/headlamp-polaris-plugin:v0.4.1 privilegedescalation/headlamp-polaris-plugin:v0.4.0 privilegedescalation/headlamp-polaris-plugin:v0.3.12 privilegedescalation/headlamp-polaris-plugin:v0.3.11 privilegedescalation/headlamp-polaris-plugin:v0.3.10 privilegedescalation/headlamp-polaris-plugin:v0.3.9 privilegedescalation/headlamp-polaris-plugin:v0.3.8 privilegedescalation/headlamp-polaris-plugin:v0.3.5 privilegedescalation/headlamp-polaris-plugin:v0.3.4 privilegedescalation/headlamp-polaris-plugin:v0.3.3 privilegedescalation/headlamp-polaris-plugin:v0.3.2 privilegedescalation/headlamp-polaris-plugin:v0.3.1 privilegedescalation/headlamp-polaris-plugin:v0.3.0 privilegedescalation/headlamp-polaris-plugin:v0.2.5 privilegedescalation/headlamp-polaris-plugin:v0.2.4 privilegedescalation/headlamp-polaris-plugin:v0.2.3 privilegedescalation/headlamp-polaris-plugin:v0.2.2 privilegedescalation/headlamp-polaris-plugin:v0.2.1 privilegedescalation/headlamp-polaris-plugin:v0.2.0 privilegedescalation/headlamp-polaris-plugin:v0.1.7 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.5 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.4 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.3 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.2 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.1 privilegedescalation/headlamp-polaris-plugin:v0.1.6 privilegedescalation/headlamp-polaris-plugin:v0.1.5 privilegedescalation/headlamp-polaris-plugin:v0.1.4 privilegedescalation/headlamp-polaris-plugin:v0.1.3 privilegedescalation/headlamp-polaris-plugin:v0.1.2 privilegedescalation/headlamp-polaris-plugin:v0.1.1 privilegedescalation/headlamp-polaris-plugin:v0.1.0 privilegedescalation/headlamp-polaris-plugin:v0.0.10 privilegedescalation/headlamp-polaris-plugin:v0.0.9 privilegedescalation/headlamp-polaris-plugin:v0.0.8 privilegedescalation/headlamp-polaris-plugin:v0.0.7 privilegedescalation/headlamp-polaris-plugin:v0.0.6 privilegedescalation/headlamp-polaris-plugin:v0.0.5 privilegedescalation/headlamp-polaris-plugin:v0.0.4 privilegedescalation/headlamp-polaris-plugin:v0.0.3 privilegedescalation/headlamp-polaris-plugin:v0.0.2 privilegedescalation/headlamp-polaris-plugin:v0.0.1
...
pull from: privilegedescalation/headlamp-polaris-plugin:gandalf/fix-e2e-rbac-pri-313
Branches Tags
privilegedescalation/headlamp-polaris-plugin:gandalf/fix-echo-printf-pri-1757 privilegedescalation/headlamp-polaris-plugin:main privilegedescalation/headlamp-polaris-plugin:pri-1737-inline-release privilegedescalation/headlamp-polaris-plugin:gandalf/cleanup-agent-artifacts privilegedescalation/headlamp-polaris-plugin:dev privilegedescalation/headlamp-polaris-plugin:gandalf/cleanup-root-artifacts privilegedescalation/headlamp-polaris-plugin:uat privilegedescalation/headlamp-polaris-plugin:promote/uat-artifacthub-v1.0.1 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-promotion-gate-ci privilegedescalation/headlamp-polaris-plugin:pri-1681-update-artifacthub-1.0.1 privilegedescalation/headlamp-polaris-plugin:fix/release-tarball-pattern privilegedescalation/headlamp-polaris-plugin:gandalf/pri-1671-pnpm-install privilegedescalation/headlamp-polaris-plugin:nancy/fix-dual-approval-uat-regress privilegedescalation/headlamp-polaris-plugin:gandalf/pri-1659-inline-release-workflow privilegedescalation/headlamp-polaris-plugin:gandalf/pri-1636-inline-dual-approval privilegedescalation/headlamp-polaris-plugin:inline-ci-2adb87e5 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-polaris-ah-url privilegedescalation/headlamp-polaris-plugin:docs/update-headlamp-namespace privilegedescalation/headlamp-polaris-plugin:hugh/fix-stale-rbac-path-pri-1002 privilegedescalation/headlamp-polaris-plugin:gandalf/remove-orphaned-polaris-rbac-pri-917 privilegedescalation/headlamp-polaris-plugin:gandalf/reference-shared-infra-rbac-pri-750 privilegedescalation/headlamp-polaris-plugin:hugh/update-rbac-to-shared-infra privilegedescalation/headlamp-polaris-plugin:gandalf/add-renovate-github-action privilegedescalation/headlamp-polaris-plugin:pr-142 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-rbac-workflow-pri-324 privilegedescalation/headlamp-polaris-plugin:gandalf/rename-ns-headlamp-dev privilegedescalation/headlamp-polaris-plugin:gandalf/remove-privilegedescalation-dev-namespace privilegedescalation/headlamp-polaris-plugin:pr-132-fix privilegedescalation/headlamp-polaris-plugin:gandalf/fix-rbac-manifest-PRI-555 privilegedescalation/headlamp-polaris-plugin:chore/scrub-dependabot-references privilegedescalation/headlamp-polaris-plugin:gandalf/fix-markdown-lint-pri-391 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-e2e-rbac-pri-313 privilegedescalation/headlamp-polaris-plugin:gandalf/fix-e2e-polaris-rbac privilegedescalation/headlamp-polaris-plugin:gandalf/fix-lodash-lockfile privilegedescalation/headlamp-polaris-plugin:fix/e2e-concurrency-serialization
privilegedescalation/headlamp-polaris-plugin:v1.0.1 privilegedescalation/headlamp-polaris-plugin:v1.0.0 privilegedescalation/headlamp-polaris-plugin:v0.7.2 privilegedescalation/headlamp-polaris-plugin:v0.7.1 privilegedescalation/headlamp-polaris-plugin:v0.7.0 privilegedescalation/headlamp-polaris-plugin:v0.6.0 privilegedescalation/headlamp-polaris-plugin:v0.5.2 privilegedescalation/headlamp-polaris-plugin:v0.5.1 privilegedescalation/headlamp-polaris-plugin:v0.5.0 privilegedescalation/headlamp-polaris-plugin:v0.4.1 privilegedescalation/headlamp-polaris-plugin:v0.4.0 privilegedescalation/headlamp-polaris-plugin:v0.3.12 privilegedescalation/headlamp-polaris-plugin:v0.3.11 privilegedescalation/headlamp-polaris-plugin:v0.3.10 privilegedescalation/headlamp-polaris-plugin:v0.3.9 privilegedescalation/headlamp-polaris-plugin:v0.3.8 privilegedescalation/headlamp-polaris-plugin:v0.3.5 privilegedescalation/headlamp-polaris-plugin:v0.3.4 privilegedescalation/headlamp-polaris-plugin:v0.3.3 privilegedescalation/headlamp-polaris-plugin:v0.3.2 privilegedescalation/headlamp-polaris-plugin:v0.3.1 privilegedescalation/headlamp-polaris-plugin:v0.3.0 privilegedescalation/headlamp-polaris-plugin:v0.2.5 privilegedescalation/headlamp-polaris-plugin:v0.2.4 privilegedescalation/headlamp-polaris-plugin:v0.2.3 privilegedescalation/headlamp-polaris-plugin:v0.2.2 privilegedescalation/headlamp-polaris-plugin:v0.2.1 privilegedescalation/headlamp-polaris-plugin:v0.2.0 privilegedescalation/headlamp-polaris-plugin:v0.1.7 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.5 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.4 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.3 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.2 privilegedescalation/headlamp-polaris-plugin:v0.2.0-dev.1 privilegedescalation/headlamp-polaris-plugin:v0.1.6 privilegedescalation/headlamp-polaris-plugin:v0.1.5 privilegedescalation/headlamp-polaris-plugin:v0.1.4 privilegedescalation/headlamp-polaris-plugin:v0.1.3 privilegedescalation/headlamp-polaris-plugin:v0.1.2 privilegedescalation/headlamp-polaris-plugin:v0.1.1 privilegedescalation/headlamp-polaris-plugin:v0.1.0 privilegedescalation/headlamp-polaris-plugin:v0.0.10 privilegedescalation/headlamp-polaris-plugin:v0.0.9 privilegedescalation/headlamp-polaris-plugin:v0.0.8 privilegedescalation/headlamp-polaris-plugin:v0.0.7 privilegedescalation/headlamp-polaris-plugin:v0.0.6 privilegedescalation/headlamp-polaris-plugin:v0.0.5 privilegedescalation/headlamp-polaris-plugin:v0.0.4 privilegedescalation/headlamp-polaris-plugin:v0.0.3 privilegedescalation/headlamp-polaris-plugin:v0.0.2 privilegedescalation/headlamp-polaris-plugin:v0.0.1

1 Commits
dev ... gandalf/fix-e2e-rbac-pri-313

Author SHA1 Message Date
Chris Farhood a65743dea3 fix(e2e): grant CI runner read access to polaris namespace for RBAC pre-flight check 
The RBAC pre-flight check workflow step (commit 46350c5) verifies that
polaris-dashboard-proxy-reader Role and RoleBinding exist in the polaris
namespace before running E2E tests. However, the CI runner's RBAC
(e2e-ci-runner-role in privilegedescalation-dev) did not include
permission to read roles/rolebindings in the polaris namespace, causing
the pre-flight check to fail with a generic kubectl error on all branches.

Fix: add rules to e2e-ci-runner-role allowing get on roles/rolebindings in
privilegedescalation-dev (for the pre-flight check itself), plus a new
Role + RoleBinding in the polaris namespace granting the runner read
access to rbac resources there.

Without this fix, the pre-flight check exits 1 on every branch until someone
SSHs into the runner pod and manually applies the polaris RBAC manifest —
which they shouldn't need to do.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-03 15:13:03 +00:00
1 changed files with 29 additions and 0 deletions
Expand all files Collapse all files
deployment/e2e-ci-runner-rbac.yaml
+29
View File
@@ -30,6 +30,35 @@ rules:
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
# RBAC pre-flight check: verify polaris namespace has proxy-reader Role + RoleBinding
# before running E2E tests. Required by the "RBAC pre-flight check" workflow step.
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris-reader
namespace: polaris
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris-reader-binding
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding