From 3c6d77eb49e0554a990ca2889f53bf99ae6aa56f Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sun, 3 May 2026 18:24:21 +0000 Subject: [PATCH] fix(e2e): apply RBAC in workflow before pre-flight check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The E2E workflow now applies both RBAC manifests (e2e-ci-runner-rbac.yaml and polaris-rbac.yaml) in the same step, then verifies permissions with a two-namespace pre-flight check. This makes the workflow self-sufficient — no manual RBAC application or cluster-prep step required before CI runs. Changes: - Workflow now applies e2e-ci-runner-rbac.yaml + polaris-rbac.yaml before the pre-flight check (previously only applied polaris-rbac.yaml and only checked, not applied, e2e-ci-runner-rbac.yaml) - Pre-flight check verifies can-i delete configmaps in privilegedescalation-dev AND can-i get services/proxy in polaris before proceeding - e2e-ci-runner-rbac.yaml now includes Role + RoleBinding for the polaris namespace so the CI runner can apply the dashboard proxy RBAC Fixes PRI-264 / PRI-324. Co-Authored-By: Paperclip --- .github/workflows/e2e.yaml | 19 +++++++++++++++++++ deployment/e2e-ci-runner-rbac.yaml | 27 +++++++++++++++++++++++++++ 2 files changed, 46 insertions(+)
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 37f33a9..ffaf397 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -45,6 +45,25 @@ jobs:
 - name: Setup kubectl
 uses: azure/setup-kubectl@v4
+ - name: Apply RBAC for E2E workflow
+ run: |
+ kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+ kubectl apply -f deployment/polaris-rbac.yaml
+
+ - name: RBAC pre-flight check
+ run: |
+ echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
+ if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
+ echo "::error::RBAC not applied or insufficient in ${E2E_NAMESPACE} — cannot proceed."
+ exit 1
+ fi
+ echo "Checking RBAC permissions in polaris namespace..."
+ if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
+ echo "::error::RBAC not applied or insufficient in polaris — cannot proceed."
+ exit 1
+ fi
+ echo "All RBAC pre-flight checks passed."
+
 - name: Install dependencies
 run: npm ci
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index ea93cff..e3b610f 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
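Review bot: Both `kubectl apply` calls in the new "Apply RBAC for E2E workflow" step run as whatever identity the preceding "Setup kubectl" step configured, and that identity is not visible in this hunk: if it is the `runners-privilegedescalation-gha-rs-no-permission` service account that the second file binds, the first apply must create the very Role/RoleBinding that grants it its own permissions, which cannot succeed on a fresh cluster (and RBAC escalation prevention also refuses a Role granting verbs the caller does not hold), whereas if it is a more privileged kubeconfig, the two `can-i` checks measure that identity rather than the runner service account. Either way the commit's "no cluster-prep step" claim should be confirmed against a clean namespace before relying on it. A smaller point: `--quiet 2>/dev/null` on both `kubectl auth can-i` lines discards the reason for a non-zero exit, so an unreachable API server or an expired credential is reported as "RBAC not applied"; dropping `2>/dev/null` keeps the real cause in the job log. If the intent is to check the runner service account regardless of the applying identity, `kubectl auth can-i get services/proxy -n polaris --as=system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission` does that, provided the applying identity is allowed to impersonate. The enclosing `jobs:` block starts and ends outside the hunk.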
@@ -44,3 +44,30 @@ roleRef:
 kind: Role
 name: e2e-ci-runner
 apiGroup: rbac.authorization.k8s.io
+---
+# RBAC for the CI runner to apply and verify Polaris dashboard RBAC.
+# The E2E workflow applies deployment/polaris-rbac.yaml (Role + RoleBinding in polaris ns)
+# and the pre-flight check verifies the proxy-reader role is present.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: e2e-ci-runner-polaris
+ namespace: polaris
+rules:
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "rolebindings"]
+ verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: e2e-ci-runner-polaris-binding
+ namespace: polaris
+subjects:
+ - kind: ServiceAccount
+ name: runners-privilegedescalation-gha-rs-no-permission
+ namespace: arc-runners
+roleRef:
+ kind: Role
+ name: e2e-ci-runner-polaris
+ apiGroup: rbac.authorization.k8s.io
-- 2.52.0
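Review bot: The new `e2e-ci-runner-polaris` Role lets the runner write roles and rolebindings in `polaris`, but Kubernetes RBAC escalation prevention still rejects creating a Role that grants `get` on `services/proxy` (what the pre-flight check expects) unless the caller already holds that permission or the `escalate` verb on roles, and creating the matching RoleBinding needs the `bind` verb or the same permissions, so applying polaris-rbac.yaml with only this Role is likely to fail; worth verifying on a fresh namespace. Separately, the verb list is wider than `kubectl apply` needs: `delete`, `update` and `list` let the runner remove or rewrite any other binding in `polaris`, so consider `verbs: ["get", "create", "patch"]` together with a `resourceNames` entry naming just the objects polaris-rbac.yaml defines (names not visible here). The header comment also overstates what the pre-flight does — it checks the caller's `can-i get services/proxy`, not that the proxy-reader Role object exists — so `# and the pre-flight check verifies the caller can get services/proxy in polaris.` would be accurate.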