diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 37f33a9..ffaf397 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -45,6 +45,25 @@ jobs:
 - name: Setup kubectl
 uses: azure/setup-kubectl@v4
+ - name: Apply RBAC for E2E workflow
+ run: |
+ kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+ kubectl apply -f deployment/polaris-rbac.yaml
+
+ - name: RBAC pre-flight check
+ run: |
+ echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
+ if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
+ echo "::error::RBAC not applied or insufficient in ${E2E_NAMESPACE} — cannot proceed."
+ exit 1
+ fi
+ echo "Checking RBAC permissions in polaris namespace..."
+ if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
+ echo "::error::RBAC not applied or insufficient in polaris — cannot proceed."
+ exit 1
+ fi
+ echo "All RBAC pre-flight checks passed."
+
 - name: Install dependencies
 run: npm ci
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index ea93cff..e3b610f 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
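Review bot: The `Apply RBAC for E2E workflow` step applies `deployment/e2e-ci-runner-rbac.yaml` with the runner's own service-account credentials, yet creating the `e2e-ci-runner-polaris` Role in namespace `polaris` needs exactly the roles/rolebindings permissions that file grants, so on a fresh cluster the step can only succeed if an admin has already bootstrapped that Role out-of-band — and once it has, the CI identity is re-applying its own grants. Keeping the runner's own RBAC under admin control narrows the trust boundary: apply e2e-ci-runner-rbac.yaml from an admin context (a separate privileged job or a manual step) and leave this step as `kubectl apply -f deployment/polaris-rbac.yaml` alone, or at least add `# e2e-ci-runner-rbac.yaml must be bootstrapped by a cluster admin; this apply only reconciles drift` above the run block. In the pre-flight step, `--quiet 2>/dev/null` makes an unreachable API server or an expired token indistinguishable from a missing grant while the `::error::` text blames RBAC; dropping `2>/dev/null` (or re-running `kubectl auth can-i` without `--quiet` on failure) keeps the real cause in the job log. `E2E_NAMESPACE` and the job's credentials are set outside the hunk, so whether the step already runs with an admin kubeconfig cannot be seen here.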
@@ -44,3 +44,30 @@ roleRef:
 kind: Role
 name: e2e-ci-runner
 apiGroup: rbac.authorization.k8s.io
+---
+# RBAC for the CI runner to apply and verify Polaris dashboard RBAC.
+# The E2E workflow applies deployment/polaris-rbac.yaml (Role + RoleBinding in polaris ns)
+# and the pre-flight check verifies the proxy-reader role is present.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: e2e-ci-runner-polaris
+ namespace: polaris
+rules:
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "rolebindings"]
+ verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: e2e-ci-runner-polaris-binding
+ namespace: polaris
+subjects:
+ - kind: ServiceAccount
+ name: runners-privilegedescalation-gha-rs-no-permission
+ namespace: arc-runners
+roleRef:
+ kind: Role
+ name: e2e-ci-runner-polaris
+ apiGroup: rbac.authorization.k8s.io
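Review bot: The new Role `e2e-ci-runner-polaris` lets the CI service account create, update, patch and delete every Role and RoleBinding in the `polaris` namespace, not just the objects `deployment/polaris-rbac.yaml` manages, so a misbehaving or compromised E2E job can remove or rewrite bindings that belong to other workloads there; Kubernetes escalation prevention caps what it can grant to what it already holds, but it does not stop deletion of existing bindings. `kubectl apply` needs `get`, `create` and `patch`/`update` but not `delete`, and `update`/`patch` can be pinned to the managed objects with `resourceNames` in a second rule (`resourceNames` cannot constrain `create` or `list`); the names come from polaris-rbac.yaml, which is not on this page. Separately, the header comment says the pre-flight check "verifies the proxy-reader role is present", but the workflow step runs `kubectl auth can-i get services/proxy -n polaris`, which tests the runner's own effective permission rather than the Role object's existence; reword it to `# and the pre-flight check verifies the runner itself can 'get services/proxy' there.` The binding also grants these RBAC-management rights to a service account whose name ends in `no-permission`, which deserves a one-line comment explaining why that subject is the intended one.
```yaml
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["get", "list", "create"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    # placeholders: use the metadata.name values from deployment/polaris-rbac.yaml
    resourceNames: ["<POLARIS_ROLE_NAME>", "<POLARIS_ROLEBINDING_NAME>"]
    verbs: ["update", "patch"]
```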