fix(e2e): grant cross-namespace RBAC for Polaris dashboard proxy access #122

Closed
privilegedescalation-engineer[bot] wants to merge 1 commit from gandalf/fix-e2e-polaris-rbac into main
privilegedescalation-engineer[bot] commented 2026-04-27 01:16:26 +00:00 (Migrated from github.com)

Summary

  • Add cross-namespace RBAC (polaris namespace) so E2E Headlamp can proxy to Polaris dashboard service
  • Add pre-flight warning in deploy-e2e-headlamp.sh when Polaris proxy RBAC is missing

Root Cause

E2E tests consistently fail with Polaris dashboard not reachable because the in-cluster Headlamp (ServiceAccount headlamp-e2e-test in privilegedescalation-dev) lacks permission to proxy to polaris-dashboard in the polaris namespace. The error manifests as a 503 from the Kubernetes API proxy.

Changes

  • deployment/e2e-ci-runner-rbac.yaml: New Role + RoleBinding for polaris namespace granting get+proxy on polaris-dashboard
  • scripts/deploy-e2e-headlamp.sh: Pre-flight check warns if Polaris proxy RBAC is missing

Testing

  • CI E2E run on this branch will validate the fix; must apply RBAC to cluster first

cc @cpfarhood

greptile-apps[bot] commented 2026-04-27 01:18:19 +00:00 (Migrated from github.com)

Greptile Summary

This PR adds a cross-namespace Role + RoleBinding in the polaris namespace and a pre-flight warning in deploy-e2e-headlamp.sh to fix E2E failures caused by missing proxy permissions to polaris-dashboard. Both changes target the wrong identity, so the root-cause fix will not land.

  • RBAC bound to wrong SA: The new RoleBinding grants services/proxy access to runners-privilegedescalation-gha-rs-no-permission (the GHA CI runner), but it is the in-cluster Headlamp pod — running as headlamp-e2e in privilegedescalation-dev — that makes the proxy request. The SA causing the 503 is still unpermissioned after this change.
  • Pre-flight check tests wrong principal: kubectl auth can-i without --as verifies the CI runner's own permissions (which now pass), not the Headlamp SA's, so the warning will never fire even when the underlying issue persists.

Confidence Score: 4/5

Safe to merge from a security standpoint, but will not fix the reported E2E failure — both changes target the GHA runner SA instead of the Headlamp pod SA.

Two P1 findings: the RoleBinding subjects and the pre-flight impersonation check both reference the CI runner identity rather than the Headlamp in-cluster SA. The net result is that the 503 / Polaris dashboard not reachable failure will persist after this PR lands.

deployment/e2e-ci-runner-rbac.yaml (wrong subjects) and scripts/deploy-e2e-headlamp.sh (missing --as flag).

Important Files Changed

| Filename | Overview |
|----------|----------|
| deployment/e2e-ci-runner-rbac.yaml | Adds a Role + RoleBinding in the polaris namespace, but the RoleBinding subjects target the CI runner SA (arc-runners/runners-privilegedescalation-gha-rs-no-permission) instead of the in-cluster Headlamp SA (privilegedescalation-dev/headlamp-e2e), so the proxy permission will not reach the component that actually needs it. |
| scripts/deploy-e2e-headlamp.sh | Adds a pre-flight RBAC warning for Polaris proxy access, but the kubectl auth can-i check verifies the CI runner's own identity rather than the Headlamp SA's identity, making the warning ineffective at detecting the actual misconfiguration. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant GHA as GHA CI Runner<br/>(arc-runners SA)
    participant Script as deploy-e2e-headlamp.sh
    participant K8s as Kubernetes API
    participant Headlamp as Headlamp Pod<br/>(headlamp-e2e SA)
    participant Polaris as polaris-dashboard<br/>(polaris ns)

    GHA->>Script: execute
    Script->>K8s: kubectl auth can-i get services/proxy -n polaris
    Note over K8s: Checks GHA CI runner identity<br/>(now has permission via new RoleBinding)
    K8s-->>Script: yes ✓ (but wrong identity checked)
    Script->>K8s: deploy Headlamp pod (SA: headlamp-e2e)

    Note over Headlamp,Polaris: E2E test runs
    Headlamp->>K8s: proxy GET /api/v1/namespaces/polaris/services/polaris-dashboard/proxy/...
    Note over K8s: Checks headlamp-e2e SA<br/>(no RoleBinding for this SA → 403/503)
    K8s-->>Headlamp: 403 Forbidden
    Headlamp-->>GHA: ❌ Polaris dashboard not reachable
```

greptile-apps[bot] (Migrated from github.com) reviewed 2026-04-27 01:18:25 +00:00
@@ -47,0 +70,4 @@
roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
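Review bot: the `roleRef` here names a `Role` called `e2e-ci-runner`, and a `RoleBinding` whose `roleRef.kind` is `Role` resolves that name only inside its own namespace, so this binding in `polaris` is only effective if a `Role` of that name exists in `polaris`; a same-named Role in the CI runner's namespace will not be found. Worth confirming that the new Role in this file carries `namespace: polaris`. Note also that `roleRef` is immutable once the binding exists, so any later correction to it means deleting and recreating the RoleBinding, whereas the `subjects` list can be edited in place.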
greptile-apps[bot] (Migrated from github.com) commented 2026-04-27 01:18:23 +00:00

P1 Wrong ServiceAccount bound — fix won't resolve the root cause

The new RoleBinding in the polaris namespace binds runners-privilegedescalation-gha-rs-no-permission in arc-runners — the GHA CI runner — but the PR description identifies the actual failing identity as the in-cluster Headlamp pod, which runs as the headlamp-e2e ServiceAccount in privilegedescalation-dev. The CI runner never makes proxy calls to polaris-dashboard; the Headlamp pod does. Granting the CI runner SA this permission will not fix the 503 / Polaris dashboard not reachable E2E failure.

The subjects block should reference the Headlamp SA instead:

```yaml
subjects:
  - kind: ServiceAccount
    name: headlamp-e2e          # the SA used by the Headlamp deployment (E2E_RELEASE)
    namespace: privilegedescalation-dev
```

(If multiple SAs are needed — e.g. headlamp-e2e-test for token auth — they can each be listed as a separate subject.)

@@ -42,0 +44,4 @@
echo "WARNING: Missing RBAC — cannot proxy to polaris-dashboard in namespace 'polaris'." >&2
echo " E2E tests that depend on Polaris data may fail." >&2
echo " Apply the polaris namespace RBAC: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
fi
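Review bot: this branch only writes the WARNING lines to stderr and falls through, so a failed pre-flight check never changes the script's exit status and CI proceeds into the E2E run, where the same missing permission surfaces later as the less specific `Polaris dashboard not reachable`. Consider exiting non-zero here, or gating a hard failure behind an explicit opt-in (a hypothetical strict-mode flag), so the message that names the fix (`kubectl apply -f deployment/e2e-ci-runner-rbac.yaml`) is the one that fails the job rather than a hint buried above the real failure.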
greptile-apps[bot] (Migrated from github.com) commented 2026-04-27 01:18:24 +00:00

P1 Pre-flight check tests the CI runner's identity, not the Headlamp pod's

kubectl auth can-i without --as checks whether the current kubectl context (the GHA CI runner) can get services/proxy. Since the new RoleBinding now grants that permission to the CI runner SA, this check will always pass — even though the Headlamp pod's SA (headlamp-e2e in privilegedescalation-dev) may still be missing the permission. The warning will never fire when it actually matters.

The check should impersonate the Headlamp service account:

```bash
echo "Checking RBAC for Polaris dashboard proxy access..."
if ! kubectl auth can-i get services/proxy -n polaris \
    --as="system:serviceaccount:${E2E_NAMESPACE}:${E2E_RELEASE}" --quiet 2>/dev/null; then
  echo "WARNING: Missing RBAC — cannot proxy to polaris-dashboard in namespace 'polaris'." >&2
  echo "  E2E tests that depend on Polaris data may fail." >&2
  echo "  Apply the polaris namespace RBAC: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
fi
```

This also makes the check consistent with the E2E_RELEASE variable already used for the Headlamp deployment's ServiceAccount name.
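Both review findings above (the RoleBinding bound to the wrong subject, and the `kubectl auth can-i` check run without `--as`) come down to one question: which principal does the authorizer see, and in which namespace does it look for bindings? The following added example is not code from this PR or the project. It is a small offline model of the namespaced RBAC decision the API server makes for a `get services/proxy` request: RoleBindings in the request namespace whose subjects include the caller, a `roleRef` of kind `Role` resolved in the binding's own namespace, and rule matching on apiGroup, resource, resourceName and verb. The manifests are constructed dicts modelled on the PR description; the binding name `e2e-ci-runner-polaris` and the exact `rules` contents are assumptions, since the PR's YAML is not shown on the page. It also builds the impersonating `can-i` command line the review asks for, so the principal string can be checked without a cluster.

```python
"""Offline model of a namespaced Kubernetes RBAC decision (added example,
not project code). Manifests are constructed dicts, so this runs with no
cluster and no PyYAML."""

from dataclasses import dataclass

# Constructed Role in the polaris namespace, modelled on the PR description
# ("get+proxy on polaris-dashboard"). Rule contents are an assumption.
POLARIS_ROLE = {
    "kind": "Role",
    "metadata": {"name": "e2e-ci-runner", "namespace": "polaris"},
    "rules": [{
        "apiGroups": [""],
        "resources": ["services", "services/proxy"],
        "resourceNames": ["polaris-dashboard"],
        "verbs": ["get"],
    }],
}


def role_binding(subject_name, subject_ns, binding_ns="polaris"):
    """RoleBinding to POLARIS_ROLE for one ServiceAccount subject.
    Binding name is an assumption (not taken from the PR)."""
    return {
        "kind": "RoleBinding",
        "metadata": {"name": "e2e-ci-runner-polaris", "namespace": binding_ns},
        "roleRef": {"kind": "Role", "name": "e2e-ci-runner",
                    "apiGroup": "rbac.authorization.k8s.io"},
        "subjects": [{"kind": "ServiceAccount", "name": subject_name,
                      "namespace": subject_ns}],
    }


# As submitted: the GHA runner SA is the subject.
BINDING_AS_SUBMITTED = role_binding(
    "runners-privilegedescalation-gha-rs-no-permission", "arc-runners")
# As the review suggests: the Headlamp pod's SA is the subject.
BINDING_SUGGESTED = role_binding("headlamp-e2e", "privilegedescalation-dev")


@dataclass(frozen=True)
class Request:
    sa_namespace: str
    sa_name: str
    verb: str
    api_group: str
    resource: str      # subresource form, e.g. "services/proxy"
    name: str
    namespace: str     # namespace of the object being accessed


def _rule_matches(rule, req):
    def allows(key, value):
        vals = rule.get(key, [])
        return "*" in vals or value in vals
    if not (allows("apiGroups", req.api_group) and allows("verbs", req.verb)):
        return False
    if not allows("resources", req.resource):
        return False
    names = rule.get("resourceNames")      # absent means any name
    return not names or req.name in names


def _subject_matches(subject, req):
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("name") == req.sa_name
            and subject.get("namespace") == req.sa_namespace)


def allowed(req, roles, bindings):
    """True if some RoleBinding in the request namespace names the caller
    and its Role (looked up in that same namespace) has a matching rule."""
    for b in bindings:
        if b["metadata"]["namespace"] != req.namespace:
            continue                       # bindings elsewhere are irrelevant
        if not any(_subject_matches(s, req) for s in b.get("subjects", [])):
            continue                       # caller is not a subject
        ref = b["roleRef"]
        if ref["kind"] != "Role":
            continue                       # ClusterRole refs not modelled here
        for role in roles:
            if (role["metadata"]["name"] == ref["name"]
                    and role["metadata"]["namespace"] == b["metadata"]["namespace"]
                    and any(_rule_matches(r, req) for r in role["rules"])):
                return True
    return False


# The request the Headlamp pod actually makes through the API proxy.
HEADLAMP_PROXY_REQUEST = Request(
    sa_namespace="privilegedescalation-dev", sa_name="headlamp-e2e",
    verb="get", api_group="", resource="services/proxy",
    name="polaris-dashboard", namespace="polaris")


def headlamp_allowed_with(binding):
    return allowed(HEADLAMP_PROXY_REQUEST, [POLARIS_ROLE], [binding])


def can_i_command(sa_namespace, sa_name):
    """Pre-flight check that asks about the impersonated SA, not the caller."""
    principal = f"system:serviceaccount:{sa_namespace}:{sa_name}"
    return ["kubectl", "auth", "can-i", "get", "services/proxy",
            "-n", "polaris", f"--as={principal}"]


if __name__ == "__main__":
    print("submitted binding allows headlamp-e2e:", headlamp_allowed_with(BINDING_AS_SUBMITTED))
    print("suggested binding allows headlamp-e2e:", headlamp_allowed_with(BINDING_SUGGESTED))
    print(" ".join(can_i_command("privilegedescalation-dev", "headlamp-e2e")))
```

Running it shows the submitted binding denying the Headlamp SA and the suggested one allowing it; a third case, the same subject but a binding created in `privilegedescalation-dev` rather than `polaris`, is also denied, which is why the grant has to live in the target namespace. The `can_i_command` output is the same check the pre-flight script should run, with the principal spelled in the `system:serviceaccount:<namespace>:<name>` form that `--as` expects.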

privilegedescalation-engineer[bot] commented 2026-05-04 15:20:41 +00:00 (Migrated from github.com)

Superseded by PR #131

This PR is superseded by PR #131 which provides the canonical fix for the Polaris e2e CI RBAC issue.

The cross-namespace RBAC grant approach in this PR is correct in principle but insufficient on its own because the workflow still relies on Flux-managed RBAC that may not have converged at test time. PR #131 takes the self-sufficient workflow approach: applies all RBAC directly in the CI pipeline before running tests.

This PR will be closed after PR #131 merges.

  • PR #131: fix(e2e): make Polaris e2e CI self-sufficient with RBAC in workflow (https://github.com/privilegedescalation/headlamp-polaris-plugin/pull/131)
  • PRI-513: Resolve Polaris e2e CI failures across stacked PRs (https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/131)
privilegedescalation-engineer[bot] commented 2026-05-04 16:03:53 +00:00 (Migrated from github.com)

CLOSED — Superseded by infra PR #25 + polaris-plugin PR #131

This PR is closed as superseded. The RBAC fix it proposed is now included in the canonical path:

  • infra PR #25 (https://github.com/privilegedescalation/infra/pull/25) — adds missing rbac.authorization.k8s.io rule to e2e-ci-runner Role in privilegedescalation/infra
  • polaris-plugin PR #131 (https://github.com/privilegedescalation/headlamp-polaris-plugin/pull/131) — applies RBAC in the E2E workflow, making it self-sufficient

The root cause was the infra RBAC missing a rule needed by the CI runner to apply polaris-rbac.yaml. Once infra PR #25 merges and Flux reconciles, the canonical workflow (PR #131) will pass E2E.

Closed by: Hugh Hackman (VP Engineering Ops)
Co-Authored-By: Paperclip <noreply@paperclip.ing>


Pull request closed


Reference: privilegedescalation/headlamp-polaris-plugin#122