From 4826604a02c32685a2d99e4046937b9a2607b873 Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation>
Date: Mon, 27 Apr 2026 01:12:08 +0000
Subject: [PATCH] fix(e2e): grant cross-namespace RBAC for Polaris dashboard
 proxy access

The E2E Headlamp instance runs in privilegedescalation-dev but needs to proxy
to the Polaris dashboard service in the polaris namespace to fetch audit results.

Root cause:
- E2E tests consistently fail with 'Polaris dashboard not reachable' because
  the in-cluster Headlamp (running as ServiceAccount headlamp-e2e-test in
  privilegedescalation-dev) lacks permission to proxy to polaris-dashboard
  in the polaris namespace
- The default RBAC only covered the privilegedescalation-dev namespace
- The error manifests as a 503 from the Kubernetes API proxy, causing
  the loading spinner to persist indefinitely in E2E runs

Fix:
- Add a new Role + RoleBinding for the polaris namespace that grants
  get+proxy on the polaris-dashboard service
- The ARC runner's ServiceAccount (runners-privilegedescalation-gha-rs-no-permission
  in arc-runners) is the subject for both bindings, matching the existing pattern
- Add a pre-flight check in deploy-e2e-headlamp.sh that warns if Polaris
  proxy RBAC is missing, so CI output makes the issue self-diagnosing

Note: This RBAC change must be applied to the cluster before E2E runs will
pass. The deploy script detects and warns about the missing permission.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 deployment/e2e-ci-runner-rbac.yaml | 27 +++++++++++++++++++++++++++
 scripts/deploy-e2e-headlamp.sh     |  7 +++++++
 2 files changed, 34 insertions(+)

diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index ea93cff..1faa860 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -44,3 +44,30 @@ roleRef:
   kind: Role
   name: e2e-ci-runner
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: polaris
+rules:
+  # E2E Headlamp needs to proxy to the Polaris dashboard service to fetch audit results.
+  # The service account in privilegedescalation-dev is granted get+proxy on polaris-dashboard.
+  - apiGroups: [""]
+    resources: ["services/proxy"]
+    verbs: ["get"]
+    resourceNames: ["polaris-dashboard"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-binding
+  namespace: polaris
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 528c017..b87ba1a 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -39,6 +39,13 @@ if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/nul
   exit 1
 fi
 
+echo "Checking RBAC for Polaris dashboard proxy access..."
+if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
+  echo "WARNING: Missing RBAC — cannot proxy to polaris-dashboard in namespace 'polaris'." >&2
+  echo "  E2E tests that depend on Polaris data may fail." >&2
+  echo "  Apply the polaris namespace RBAC: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
+fi
+
 echo "=== E2E Headlamp Deployment ==="
 echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
 echo "  Namespace: $E2E_NAMESPACE"
-- 
2.52.0