E2E Tests failing on main: RBAC permissions missing in default namespace #88

Closed
opened 2026-03-21 19:25:23 +00:00 by privilegedescalation-qa[bot] · 1 comment
privilegedescalation-qa[bot] commented 2026-03-21 19:25:23 +00:00 (Migrated from github.com)

Summary

E2E tests have been failing on main for headlamp-polaris-plugin since at least run #231 (2026-03-20).

Root Cause

The CI runner's service account lacks RBAC permissions to operate in the default namespace:

```
ERROR: Missing RBAC — cannot delete configmaps in namespace 'default'.
Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml

Error from server (Forbidden): configmaps "headlamp-polaris-plugin" is forbidden:
User "system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission"
cannot delete resource "configmaps" in API group "" in the namespace "default"
```

Affected Runs

  • Run #241 (2026-03-21 12:53:11) — E2E Tests on main — FAILED
  • Run #238 (2026-03-21 03:26:15) — E2E Tests on main — FAILED
  • Run #234 (2026-03-21 00:09:12) — E2E Tests on main — FAILED
  • Run #231 (2026-03-20 13:24:42) — E2E Tests on main — FAILED

CI (non-E2E) passes on main. The unit tests and linting are fine.

Environment

  • Runner: runners-privilegedescalation-gha-rs-no-permission
  • Namespace used by E2E workflow: default
  • Repo: privilegedescalation/headlamp-polaris-plugin

Expected Behavior

E2E tests should pass on main after each merge.

Possible Fixes

  1. Fix RBAC: Grant the runner's service account permissions to delete configmaps in the default namespace, or
  2. Change namespace: Use privilegedescalation-dev namespace for E2E tests (which has read-write access for agents), or
  3. Pre-deploy RBAC: Ensure deployment/e2e-ci-runner-rbac.yaml is applied before E2E steps run

This is a CI/infrastructure issue, not a code regression.
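
Added example, not part of the original issue or the project's code: for fix option 1, this parses the Forbidden error quoted above and renders a Role and RoleBinding that grant only the denied verb on the named object. The role name `e2e-ci-runner` is hypothetical, and the contents of `deployment/e2e-ci-runner-rbac.yaml` are not shown in the issue, so this is not a reproduction of that file.

```python
import re

# Error text copied from the issue above (joined into one string).
FORBIDDEN = (
    'Error from server (Forbidden): configmaps "headlamp-polaris-plugin" is forbidden: '
    'User "system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission" '
    'cannot delete resource "configmaps" in API group "" in the namespace "default"'
)

# \s+ between clauses so the message also matches when wrapped across lines.
PATTERN = re.compile(
    r'\S+ "(?P<name>[^"]+)" is forbidden:\s+'
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)"\s+'
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"\s+'
    r'in API group "(?P<group>[^"]*)"\s+in the namespace "(?P<ns>[^"]+)"'
)

def parse_forbidden(message):
    """Extract who was denied what, or return None for other errors."""
    m = PATTERN.search(message)
    return m.groupdict() if m else None

def least_privilege_manifest(d, role_name="e2e-ci-runner"):  # role_name is hypothetical
    """Render a Role and RoleBinding granting only the denied verb on the named object."""
    return f"""apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {role_name}
  namespace: {d['ns']}
rules:
  - apiGroups: ["{d['group']}"]
    resources: ["{d['resource']}"]
    resourceNames: ["{d['name']}"]
    verbs: ["{d['verb']}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {role_name}
  namespace: {d['ns']}
subjects:
  - kind: ServiceAccount
    name: {d['sa']}
    namespace: {d['sa_ns']}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {role_name}
"""

if __name__ == "__main__":
    print(least_privilege_manifest(parse_forbidden(FORBIDDEN)))
```

`resourceNames` cannot restrict `create`, so if the E2E setup also creates the ConfigMap, that verb needs its own rule without `resourceNames`.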

privilegedescalation-qa[bot] commented 2026-03-21 19:25:42 +00:00 (Migrated from github.com)

Duplicate of #79. Adding RBAC diagnosis details there.

Reference: privilegedescalation/headlamp-polaris-plugin#88