Add RBAC pre-flight check to E2E pipeline #123

Closed
privilegedescalation-engineer[bot] wants to merge 6 commits from fix/pri-264-rbac-preflight-check into main

6 Commits

Author SHA1 Message Date
Chris Farhood 7204672799 ci: re-trigger E2E after infra RBAC merge (PRI-380)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 06:12:04 +00:00
Chris Farhood 8c13ecb7a4 ci: re-trigger E2E after infra RBAC merge (PRI-388) 2026-05-04 05:20:06 +00:00
Chris Farhood 25f860652c Rename E2E namespace to headlamp-dev; fix RBAC manifest
Per CEO directive on PRI-324: the actual cluster namespace for
shared E2E runs is `headlamp-dev`. References to `privilegedescalation-dev`
in the workflow, scripts, and runner RBAC were stale and prevented the
runner SA from acquiring permissions where they were granted on-cluster.

Also fixes the malformed `e2e-ci-runner-polaris` Role added in 0cd9eb0
which incorrectly carried `subjects:` and `roleRef:` (RoleBinding-only
fields) — kept rules-only on the Role and the binding in the matching
RoleBinding below.

Applies QA nits from PR #123: collapsed MISSING_ROLE/MISSING_ROLEBINDING
into a single MISSING flag in the pre-flight step. Dropped the
non-standard `--quiet` flag on get calls (already redirected to /dev/null).
2026-05-04 00:15:28 +00:00
Chris Farhood 0cd9eb041d Add polaris namespace RBAC for CI runner
The E2E workflow now applies deployment/polaris-rbac.yaml before
the pre-flight check to make the workflow self-sufficient. This requires
the CI runner to have permissions in the polaris namespace.

Before: CI runner could only READ roles/rolebindings in polaris (for
the detection step). After: CI runner can APPLY the RBAC manifest
and manage the resulting Role + RoleBinding.

This is a pure infrastructure/RBAC change — no application code modified.

Fixes: PRI-324

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-03 18:06:07 +00:00
Chris Farhood 53475296db Apply RBAC manifest in CI before pre-flight check
Make the E2E workflow self-sufficient by applying the polaris-rbac.yaml
manifest before the pre-flight check, instead of requiring manual
cluster pre-configuration.

Before: workflow checked for RBAC and failed fast, but had no mechanism
to apply it — it was purely a detection step.
After: workflow applies the RBAC manifest (idempotent kubectl apply),
then verifies the resources exist as a correctness check.

Also collapses MISSING_ROLE and MISSING_ROLEBINDING into a single
boolean flag and drops the non-standard --quiet flag on kubectl get.

Fixes: PRI-324

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-03 17:51:46 +00:00
Hugh Hackman 46350c5d57 Add RBAC pre-flight check to E2E pipeline
Check for polaris-dashboard-proxy-reader Role and RoleBinding before running
E2E tests. Fail fast with a clear error message pointing to the RBAC manifest
instead of letting tests fail with confusing proxy 403 errors.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-01 02:24:18 +00:00
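
The pre-flight check that the commit messages above describe, written out as an added example; it is not the workflow code from this PR. It assumes the RoleBinding shares the Role's name, and the `KUBECTL`, `RBAC_NAMESPACE`, `RBAC_NAME` and `RBAC_MANIFEST` variables are hypothetical overrides so the function can be exercised without a cluster.

```shell
# Added example: fail-fast RBAC pre-flight for an E2E job.
# Names below come from the commit messages; the RoleBinding name is an
# assumption (taken to match the Role), and the variables are hypothetical.
KUBECTL="${KUBECTL:-kubectl}"
RBAC_NAMESPACE="${RBAC_NAMESPACE:-polaris}"
RBAC_NAME="${RBAC_NAME:-polaris-dashboard-proxy-reader}"
RBAC_MANIFEST="${RBAC_MANIFEST:-deployment/polaris-rbac.yaml}"

# Returns 0 when both the Role and the RoleBinding exist, 1 otherwise.
# Every missing object is reported before failing, so one run shows the
# whole gap instead of stopping at the first miss.
rbac_preflight() {
  pf_missing=0   # single flag covering both resource kinds
  for pf_kind in role rolebinding; do
    # Output is discarded; only the exit status matters here.
    if ! "$KUBECTL" get "$pf_kind" "$RBAC_NAME" -n "$RBAC_NAMESPACE" \
        >/dev/null 2>&1; then
      echo "pre-flight: $pf_kind/$RBAC_NAME not found in namespace $RBAC_NAMESPACE" >&2
      pf_missing=1
    fi
  done

  if [ "$pf_missing" -ne 0 ]; then
    # Point at the manifest so the failure is actionable, rather than
    # letting the tests fail later with proxy 403 responses.
    echo "pre-flight: RBAC incomplete; expected objects are defined in $RBAC_MANIFEST" >&2
    return 1
  fi
  return 0
}

# In a workflow step, call rbac_preflight before starting the E2E tests and
# let a non-zero status fail the step.
```

A failed lookup is treated as "missing" whatever the cause, so a runner service account that lacks `get` on roles and rolebindings in the namespace fails this check the same way an absent object does.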