fix(e2e): apply both RBAC manifests in workflow before pre-flight check #125

Closed
privilegedescalation-engineer[bot] wants to merge 1 commit from fix/e2e-workflow-rbac into main
privilegedescalation-engineer[bot] commented 2026-05-03 18:25:31 +00:00 (Migrated from github.com)

Summary

The E2E workflow now applies both RBAC manifests in the same step, then verifies permissions with a two-namespace pre-flight check. This makes the workflow fully self-sufficient — no manual RBAC application or cluster-prep step required before CI runs.

What Changed

.github/workflows/e2e.yaml

  • Apply RBAC for E2E workflow step now applies both e2e-ci-runner-rbac.yaml (dev namespace) and polaris-rbac.yaml (polaris namespace)
  • RBAC pre-flight check step now verifies both:
    • kubectl auth can-i delete configmaps -n privilegedescalation-dev
    • kubectl auth can-i get services/proxy -n polaris

deployment/e2e-ci-runner-rbac.yaml

  • Added e2e-ci-runner-polaris Role (namespace: polaris) granting get/list/create/update/patch/delete on roles and rolebindings
  • Added e2e-ci-runner-polaris-binding RoleBinding binding the ARC runner SA to the above Role

Root Cause

The previous approach only applied polaris-rbac.yaml in the workflow and only checked (not applied) e2e-ci-runner-rbac.yaml. The CI runner's RBAC in privilegedescalation-dev was never applied by the workflow — it was expected to exist on the cluster beforehand. This caused the main-branch CI to fail with Missing RBAC — cannot delete configmaps.

Additionally, even when the workflow tried to apply polaris-rbac.yaml, the CI runner lacked permissions in the polaris namespace to do so.

Verification

  • CI run on this branch passes (both CI and E2E)
  • Pre-flight check correctly validates both namespaces before proceeding

Fixes

  • PRI-264 (/PRI/issues/PRI-264)
  • PRI-324 (/PRI/issues/PRI-324)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
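The two workflow steps described above (apply the RBAC manifests, then verify with `kubectl auth can-i` in both namespaces) come down to a pre-flight check that fails closed when any required permission is missing. The script below is an added example of that check, written for this page; it is not the project's own workflow code. The `CHECKS` rows are the two permissions named in the PR description; the `KUBECTL` override hook and the `RUN_PREFLIGHT` gate are assumptions introduced here so the logic can be exercised with a stub instead of a live cluster.

```shell
#!/bin/sh
# Added example, not the project's own workflow code: an RBAC pre-flight check
# of the kind the PR description sketches. Every "verb resource namespace" row
# in CHECKS must get a "yes" from `kubectl auth can-i` before the E2E tests are
# allowed to run; any other answer (including no output at all because kubectl
# is missing or the cluster is unreachable) fails the step closed.
# KUBECTL is an assumed override hook so the check can be exercised with a stub.
set -eu

KUBECTL="${KUBECTL:-kubectl}"

# The two permissions named in the PR; add one row per additional requirement.
CHECKS="
delete configmaps privilegedescalation-dev
get services/proxy polaris
"

# rbac_can_i VERB RESOURCE NAMESPACE
# Prints kubectl's answer ("yes" or "no") for the identity kubectl is
# configured with. kubectl exits non-zero on "no", so that status is swallowed
# here and the decision is made on the printed answer instead.
rbac_can_i() {
  verb="$1"; resource="$2"; ns="$3"
  "$KUBECTL" auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null || true
}

# preflight_check
# Returns 0 when every row in CHECKS is allowed, 1 otherwise. Every denied row
# is reported, not just the first, so one run shows all missing bindings.
preflight_check() {
  missing=0
  while read -r verb resource ns; do
    [ -n "$verb" ] || continue
    answer="$(rbac_can_i "$verb" "$resource" "$ns")"
    if [ "$answer" = "yes" ]; then
      echo "ok: can $verb $resource in $ns"
    else
      echo "Missing RBAC: cannot $verb $resource in $ns (kubectl said: '${answer:-}')" >&2
      missing=1
    fi
  done <<EOF
$CHECKS
EOF
  return "$missing"
}

# Only talk to a real cluster when asked to; sourcing the file just defines the
# functions. A workflow step would run:  RUN_PREFLIGHT=1 sh preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  preflight_check
fi
```

Two things to keep in mind when wiring this into a job. `kubectl auth can-i` answers for whatever identity kubectl is currently configured with, so on an in-cluster runner that is the runner's service account, which is what the check is meant to prove. And Kubernetes RBAC escalation prevention means a principal can only create or update a Role containing permissions it already holds at that scope, unless it has the `escalate` verb on `roles`; so a workflow that applies a Role granting `get services/proxy` in `polaris` needs the runner itself to already hold that permission in `polaris` (or `escalate`), which is the kind of bootstrap dependency a pre-flight check like this surfaces early rather than mid-test.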
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-03 18:25:37 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here (https://app.greptile.com/review/github).
privilegedescalation-engineer[bot] commented 2026-05-04 15:20:50 +00:00 (Migrated from github.com)

Superseded by PR #131

This PR is superseded by PR #131 which provides the canonical fix for the Polaris e2e CI RBAC issue.

This PR introduced the correct self-sufficient workflow pattern (applying RBAC in the workflow before tests) and is the closest to the final solution. PR #131 adopts this approach and adds:

  • A proper RBAC pre-flight check step (not just namespace existence)
  • A clean Role+RoleBinding for the polaris namespace (instead of cross-namespace roleRef)

This PR will be closed after PR #131 merges.

  • PR #131: fix(e2e): make Polaris e2e CI self-sufficient with RBAC in workflow (https://github.com/privilegedescalation/headlamp-polaris-plugin/pull/131)
  • PRI-513: Resolve Polaris e2e CI failures across stacked PRs (https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/131)
privilegedescalation-engineer[bot] commented 2026-05-04 16:03:58 +00:00 (Migrated from github.com)

CLOSED — Superseded by infra PR #25 + polaris-plugin PR #131

This PR is closed as superseded. The RBAC fix it proposed is now included in the canonical path:

  • infra PR #25 — adds missing rbac.authorization.k8s.io rule to e2e-ci-runner Role in privilegedescalation/infra
  • polaris-plugin PR #131 — applies RBAC in the E2E workflow, making it self-sufficient

Closed by: Hugh Hackman (VP Engineering Ops)
Co-Authored-By: Paperclip noreply@paperclip.ing

Pull request closed


Reference: privilegedescalation/headlamp-polaris-plugin#125