privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix(e2e): apply both RBAC manifests in workflow before pre-flight check #125

Closed
privilegedescalation-engineer[bot] wants to merge 1 commits from fix/e2e-workflow-rbac into main
pull from: fix/e2e-workflow-rbac
merge into: privilegedescalation:main
Conversation 3 Commits 1 Files Changed 2
+46
2 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/e2e.yaml
+19
View File
@@ -45,6 +45,25 @@ jobs:
- name: Setup kubectl
uses: azure/setup-kubectl@v4
- name: Apply RBAC for E2E workflow
run: |
kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
kubectl apply -f deployment/polaris-rbac.yaml
- name: RBAC pre-flight check
run: |
echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
echo "::error::RBAC not applied or insufficient in ${E2E_NAMESPACE} — cannot proceed."
exit 1
fi
echo "Checking RBAC permissions in polaris namespace..."
if ! kubectl auth can-i get services/proxy -n polaris --quiet 2>/dev/null; then
echo "::error::RBAC not applied or insufficient in polaris — cannot proceed."
exit 1
fi
echo "All RBAC pre-flight checks passed."
- name: Install dependencies
run: npm ci
deployment/e2e-ci-runner-rbac.yaml
+27
View File
@@ -44,3 +44,30 @@ roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
---
# RBAC for the CI runner to apply and verify Polaris dashboard RBAC.
# The E2E workflow applies deployment/polaris-rbac.yaml (Role + RoleBinding in polaris ns)
# and the pre-flight check verifies the proxy-reader role is present.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris-binding
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io