fix(e2e): grant cross-namespace RBAC for Polaris dashboard proxy access #122
@@ -44,3 +44,30 @@ roleRef:
|
|||||||
kind: Role
|
kind: Role
|
||||||
name: e2e-ci-runner
|
name: e2e-ci-runner
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: e2e-ci-runner
|
||||||
|
namespace: polaris
|
||||||
|
rules:
|
||||||
|
# E2E Headlamp needs to proxy to the Polaris dashboard service to fetch audit results.
|
||||||
|
# The service account in privilegedescalation-dev is granted get+proxy on polaris-dashboard.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["services/proxy"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resourceNames: ["polaris-dashboard"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: e2e-ci-runner-binding
|
||||||
|
namespace: polaris
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: runners-privilegedescalation-gha-rs-no-permission
|
||||||
|
namespace: arc-runners
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: e2e-ci-runner
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
|||||||
|
|||||||
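Review bot: the RoleBinding subject does not match the comment that justifies the rule: the comment says "The service account in privilegedescalation-dev is granted get+proxy on polaris-dashboard", but the bound subject is `runners-privilegedescalation-gha-rs-no-permission` in `namespace: arc-runners`, and the Role grants only `verbs: ["get"]`. Decide which identity actually issues the proxy request, make the subject's `name`/`namespace` and the comment agree, and drop the "+proxy" wording if `get` is all that is granted. Two checks before merge: `get` on `services/proxy` reaches every path the proxied service serves, so scoping with `resourceNames: ["polaris-dashboard"]` is the right call, but RBAC matches the name exactly as it appears in the request path, and a request to `.../services/http:polaris-dashboard:80/proxy/` is authorized against the resource name `http:polaris-dashboard:80`, not `polaris-dashboard`; if the client uses a scheme or port in the URL, list that form as well. Then verify from the intended identity with `kubectl auth can-i get services/polaris-dashboard --subresource=proxy -n polaris --as=system:serviceaccount:<namespace>:<serviceaccount>` before relying on the E2E run to tell you.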
The new `RoleBinding` in the `polaris` namespace binds `runners-privilegedescalation-gha-rs-no-permission` in `arc-runners` (the GHA CI runner), but the PR description identifies the actual failing identity as the in-cluster Headlamp pod, which runs as the `headlamp-e2e` ServiceAccount in `privilegedescalation-dev`. The CI runner never makes proxy calls to `polaris-dashboard`; the Headlamp pod does. Granting the CI runner SA this permission will not fix the `503 / Polaris dashboard not reachable` E2E failure.

The `subjects` block should reference the Headlamp SA instead:

(If multiple SAs are needed, e.g. `headlamp-e2e-test` for token auth, they can each be listed as a separate subject.)