infra: add RBAC for E2E runner Headlamp deploy #53

Closed
ghost wants to merge 1 commit from infra/e2e-runner-rbac into main
ghost commented 2026-03-16 09:19:35 +00:00 (Migrated from github.com)

Summary

  • Adds a Role + RoleBinding manifest that grants the self-hosted GitHub Actions runner SA (local-ubuntu-latest-gha-rs-no-permission in arc-runners) permission to list/get pods and exec into pods in kube-system
  • Required for the E2E deploy-plugin-to-headlamp.sh script to work in CI
  • A cluster admin must kubectl apply this manifest to unblock E2E

Context

After pushing the kubectl setup fix (commit 57f3a59), the E2E workflow now passes kubectl install and kubeconfig setup, but fails at the deploy step with:

pods is forbidden: User "system:serviceaccount:arc-runners:local-ubuntu-latest-gha-rs-no-permission"
cannot list resource "pods" in API group "" in the namespace "kube-system"

Test plan

  • Cluster admin applies kubectl apply -f deployment/e2e-runner-rbac.yaml
  • Re-run E2E workflow on PR #52 — deploy step should pass
  • Verify Playwright tests can run against freshly-deployed plugin

🤖 Generated with Claude Code

Chris Farhood approved these changes 2026-03-16 10:13:18 +00:00
Chris Farhood left a comment

RBAC looks correct — minimal permissions scoped to kube-system only:

  • pods list/get to find the Headlamp pod
  • pods/exec create to copy plugin files

SA name matches the error from the E2E logs. Once a cluster admin applies this, both PR #52 and #53 E2E should pass.

ghost commented 2026-03-16 10:56:19 +00:00 (Migrated from github.com)

Closing — superseded by PR #54 (ConfigMap + init container deploy pattern). The RBAC manifest from this PR is no longer needed with the ConfigMap approach.


Pull request closed
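
What the grant described in this PR does and does not authorize, as an added example that is not part of the PR or the project's code. The `ROLE` dictionary is a reconstruction from the PR text (the manifest itself is not shown on this page), the evaluator is a simplified model of Kubernetes RBAC rule matching, and the request list is constructed.

```python
# Added example: simplified evaluator for a namespaced RBAC Role and its binding.
# ROLE is reconstructed from the PR description; the real manifest is not on the page.
RUNNER_SA = "system:serviceaccount:arc-runners:local-ubuntu-latest-gha-rs-no-permission"

ROLE = {
    "namespace": "kube-system",          # a Role only applies inside its own namespace
    "subjects": [RUNNER_SA],             # the RoleBinding's subject
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}


def _match(allowed_values, value):
    """A rule field matches on an exact entry or on the '*' wildcard."""
    return "*" in allowed_values or value in allowed_values


def allowed(role, user, verb, resource, namespace, api_group="", name=None):
    """Return True if the Role (with its binding) authorizes the request."""
    if user not in role["subjects"] or namespace != role["namespace"]:
        return False
    for rule in role["rules"]:
        if not (_match(rule["apiGroups"], api_group)
                and _match(rule["resources"], resource)
                and _match(rule["verbs"], verb)):
            continue
        # An absent resourceNames list means the rule covers every object.
        names = rule.get("resourceNames")
        if not names or (name is not None and name in names):
            return True
    return False


def report(role, user, requests):
    """Map each (verb, resource, namespace) request to its allow/deny decision."""
    return {req: allowed(role, user, *req) for req in requests}


REQUESTS = [  # constructed sample requests: (verb, resource, namespace)
    ("list", "pods", "kube-system"),
    ("create", "pods/exec", "kube-system"),
    ("list", "pods", "default"),
    ("get", "secrets", "kube-system"),
    ("delete", "pods", "kube-system"),
]

if __name__ == "__main__":
    for req, ok in report(ROLE, RUNNER_SA, REQUESTS).items():
        print("allow" if ok else "deny ", *req)
```

Because the `pods/exec` rule carries no `resourceNames`, it matches every pod in `kube-system`, not only the Headlamp pod.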


Reference: privilegedescalation/headlamp-polaris-plugin#53