fix(e2e): grant cross-namespace RBAC for Polaris dashboard proxy access #122
Closed
privilegedescalation-engineer[bot] wants to merge 1 commits from
gandalf/fix-e2e-polaris-rbac into main
pull from: gandalf/fix-e2e-polaris-rbac
merge into: privilegedescalation:main
1 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 4826604a02 | fix(e2e): grant cross-namespace RBAC for Polaris dashboard proxy access | |

The E2E Headlamp instance runs in privilegedescalation-dev but needs to proxy to the Polaris dashboard service in the polaris namespace to fetch audit results.

Root cause:
- E2E tests consistently fail with 'Polaris dashboard not reachable' because the in-cluster Headlamp (running as ServiceAccount headlamp-e2e-test in privilegedescalation-dev) lacks permission to proxy to polaris-dashboard in the polaris namespace
- The default RBAC only covered the privilegedescalation-dev namespace
- The error manifests as a 503 from the Kubernetes API proxy, causing the loading spinner to persist indefinitely in E2E runs

Fix:
- Add a new Role + RoleBinding for the polaris namespace that grants get+proxy on the polaris-dashboard service
- The ARC runner's ServiceAccount (runners-privilegedescalation-gha-rs-no-permission in arc-runners) is the subject for both bindings, matching the existing pattern
- Add a pre-flight check in deploy-e2e-headlamp.sh that warns if Polaris proxy RBAC is missing, so CI output makes the issue self-diagnosing

Note: This RBAC change must be applied to the cluster before E2E runs will pass. The deploy script detects and warns about the missing permission.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
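
One way to write the pre-flight check the commit message describes, as an added example (this is not the project's deploy-e2e-headlamp.sh). The function names, the `KUBECTL` and `PREFLIGHT_SUBJECT` variables, and the reading of "get+proxy" as `get` on the Service plus `get` on its `proxy` subresource are assumptions.

```shell
#!/bin/sh
# Added example, not the project's deploy-e2e-headlamp.sh.
# Assumption: "get+proxy" means `get` on the Service and `get` on its
# `proxy` subresource, checked with `kubectl auth can-i`.
KUBECTL="${KUBECTL:-kubectl}"   # hypothetical override so the check can be stubbed
POLARIS_NS="polaris"
POLARIS_SVC="polaris-dashboard"

# can_i SUBJECT VERB [extra kubectl flags...]
# SUBJECT may be empty (check the caller's own identity); otherwise it is
# impersonated with --as, which itself requires the `impersonate` permission.
# Returns 0 only when the API server answers "yes".
can_i() {
    subject="$1"; verb="$2"; shift 2
    answer=$("$KUBECTL" auth can-i "$verb" "services/$POLARIS_SVC" \
        --namespace "$POLARIS_NS" ${subject:+--as "$subject"} "$@" 2>/dev/null) || true
    [ "$answer" = "yes" ]
}

# preflight_polaris_rbac [SUBJECT]
# Warns on stderr for each missing permission; the return status is the
# number of missing permissions, so callers can warn without aborting.
preflight_polaris_rbac() {
    who="${1:-}"
    missing=0
    if ! can_i "$who" get; then
        echo "WARN: ${who:-current identity} cannot get services/$POLARIS_SVC in namespace $POLARIS_NS" >&2
        missing=$((missing + 1))
    fi
    if ! can_i "$who" get --subresource=proxy; then
        echo "WARN: ${who:-current identity} cannot proxy to $POLARIS_SVC in namespace $POLARIS_NS;" \
             "E2E runs will report 'Polaris dashboard not reachable'" >&2
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Warn-only usage: never fail the deploy on a missing binding.
# PREFLIGHT_SUBJECT is a hypothetical variable, e.g.
# system:serviceaccount:privilegedescalation-dev:headlamp-e2e-test
preflight_polaris_rbac "${PREFLIGHT_SUBJECT:-}" || \
    echo "WARN: apply the polaris Role + RoleBinding before running E2E" >&2
```

If the Role is narrowed with `resourceNames`, the proxy request may name the service with a scheme or port (for example `polaris-dashboard:80`), and the Role must list the exact form the client uses.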