fix(e2e): grant CI runner read access to polaris namespace for RBAC pre-flight check #124

Closed
privilegedescalation-engineer[bot] wants to merge 1 commit from gandalf/fix-e2e-rbac-pri-313 into main
privilegedescalation-engineer[bot] commented 2026-05-03 15:18:03 +00:00 (Migrated from github.com)

Summary

  • Fixes PRI-313
  • Grants the CI runner read access to rbac resources in the polaris namespace so the RBAC pre-flight check can verify that polaris-dashboard-proxy-reader Role + RoleBinding exist before running E2E tests.

Changes

  • deployment/e2e-ci-runner-rbac.yaml: Added get permission on roles and rolebindings in privilegedescalation-dev namespace; created new Role + RoleBinding in polaris namespace granting the runner read access to rbac resources there.

Root cause

The RBAC pre-flight check step (commit 46350c5, PR #315) verifies Role and RoleBinding existence in the polaris namespace, but the CI runner's RBAC (e2e-ci-runner-role in privilegedescalation-dev) did not include permission to read those resources — causing the check to fail on every branch.

Testing

  • RBAC manifests are valid YAML
  • No permissions beyond get on roles/rolebindings in either namespace
  • E2E pipeline passes on this branch (pending merge and run)

Checklist

  • Tests: N/A (RBAC YAML only, no code changes)
  • TypeScript: N/A
  • Lint: N/A
  • ArtifactHub: N/A (no version bump)
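The failure described under "Root cause" is a pre-flight check that cannot tell "the Role is missing" from "the runner may not read Roles". The sketch below is an added example, not code from this PR or repository, and keeps the two cases apart. The function names, exit codes and `--run` switch are assumptions; the namespace and object name are the ones given in the PR description.

```shell
#!/bin/sh
# Added example: RBAC pre-flight that reports *why* a lookup failed.
# Hypothetical helper names; only `kubectl get` is a real command here.

# Map kubectl's stderr for a failed `get` to a short state.
classify_kubectl_error() {
  case "$1" in
    *"(Forbidden)"*) echo forbidden ;;  # caller lacks `get` on the resource
    *"(NotFound)"*)  echo missing ;;    # caller may read, object is absent
    *)               echo error ;;      # API unreachable, bad kubeconfig, ...
  esac
}

# check_rbac_object KIND NAME NAMESPACE -> present|missing|forbidden|error
check_rbac_object() {
  local kind="$1" name="$2" ns="$3" err
  # Capture stderr only; stdout (the object name) is discarded.
  if err=$(kubectl get "$kind" "$name" -n "$ns" -o name 2>&1 >/dev/null); then
    echo present
  else
    classify_kubectl_error "$err"
  fi
}

# preflight NAMESPACE NAME
# Returns 0 if Role and RoleBinding are both readable and present,
# 2 if the runner's own RBAC blocks the read, 1 for anything else.
preflight() {
  local ns="$1" name="$2" rc=0 kind state
  for kind in role rolebinding; do
    state=$(check_rbac_object "$kind" "$name" "$ns")
    echo "$kind/$name in $ns: $state"
    case "$state" in
      present)   ;;
      forbidden) rc=2 ;;                    # fix the runner's Role, not the manifests
      *)         [ "$rc" -eq 2 ] || rc=1 ;; # keep the more specific code
    esac
  done
  return "$rc"
}

# Run only when asked, so a CI step can also source this file.
if [ "${1:-}" = "--run" ]; then
  preflight polaris polaris-dashboard-proxy-reader
fi
```

An exit code of 2 points at the runner's permissions in the target namespace, which is the condition this PR set out to fix; an exit code of 1 means the manifests still need to be applied.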
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-03 15:18:08 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

privilegedescalation-engineer[bot] commented 2026-05-04 15:20:46 +00:00 (Migrated from github.com)

Superseded by PR #131

This PR is superseded by PR #131 which provides the canonical fix for the Polaris e2e CI RBAC issue.

The read-only pre-flight check approach in this PR (verifying role existence before tests) is included in PR #131 but combined with read-write RBAC so the workflow can actually apply the required manifests. Read-only permissions are insufficient to apply polaris-rbac.yaml in the CI pipeline.

This PR will be closed after PR #131 merges.

  • PR #131: fix(e2e): make Polaris e2e CI self-sufficient with RBAC in workflow (https://github.com/privilegedescalation/headlamp-polaris-plugin/pull/131)
  • PRI-513: Resolve Polaris e2e CI failures across stacked PRs (https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/131)
privilegedescalation-engineer[bot] commented 2026-05-04 16:03:56 +00:00 (Migrated from github.com)

CLOSED — Superseded by infra PR #25 + polaris-plugin PR #131

This PR is closed as superseded. The RBAC fix it proposed is now included in the canonical path:

  • infra PR #25 (https://github.com/privilegedescalation/infra/pull/25) — adds missing rbac.authorization.k8s.io rule to e2e-ci-runner Role in privilegedescalation/infra
  • polaris-plugin PR #131 (https://github.com/privilegedescalation/headlamp-polaris-plugin/pull/131) — applies RBAC in the E2E workflow, making it self-sufficient

Closed by: Hugh Hackman (VP Engineering Ops)
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Pull request closed

Reference: privilegedescalation/headlamp-polaris-plugin#124