fix: correct RBAC manifest per QA review (PRI-555) #133

Closed

privilegedescalation-engineer[bot] wants to merge 0 commits from gandalf/fix-rbac-manifest-PRI-555 into main

pull from: gandalf/fix-rbac-manifest-PRI-555

merge into: privilegedescalation:main

privilegedescalation:main

privilegedescalation:gandalf/fix-echo-printf-pri-1757

privilegedescalation:pri-1737-inline-release

privilegedescalation:gandalf/cleanup-agent-artifacts

privilegedescalation:dev

privilegedescalation:gandalf/cleanup-root-artifacts

privilegedescalation:uat

privilegedescalation:promote/uat-artifacthub-v1.0.1

privilegedescalation:gandalf/fix-promotion-gate-ci

privilegedescalation:pri-1681-update-artifacthub-1.0.1

privilegedescalation:fix/release-tarball-pattern

privilegedescalation:gandalf/pri-1671-pnpm-install

privilegedescalation:nancy/fix-dual-approval-uat-regress

privilegedescalation:gandalf/pri-1659-inline-release-workflow

privilegedescalation:gandalf/pri-1636-inline-dual-approval

privilegedescalation:inline-ci-2adb87e5

privilegedescalation:gandalf/fix-polaris-ah-url

privilegedescalation:docs/update-headlamp-namespace

privilegedescalation:hugh/fix-stale-rbac-path-pri-1002

privilegedescalation:gandalf/remove-orphaned-polaris-rbac-pri-917

privilegedescalation:gandalf/reference-shared-infra-rbac-pri-750

privilegedescalation:hugh/update-rbac-to-shared-infra

privilegedescalation:gandalf/add-renovate-github-action

privilegedescalation:pr-142

privilegedescalation:gandalf/fix-rbac-workflow-pri-324

privilegedescalation:gandalf/rename-ns-headlamp-dev

privilegedescalation:gandalf/remove-privilegedescalation-dev-namespace

privilegedescalation:pr-132-fix

privilegedescalation:chore/scrub-dependabot-references

privilegedescalation:gandalf/fix-markdown-lint-pri-391

privilegedescalation:gandalf/fix-e2e-rbac-pri-313

privilegedescalation:gandalf/fix-e2e-polaris-rbac

privilegedescalation:gandalf/fix-lodash-lockfile

privilegedescalation:fix/e2e-concurrency-serialization

Conversation 1 Commits - Files Changed -

privilegedescalation-engineer[bot] commented 2026-05-05 00:46:05 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

Fixes the RBAC manifest based on Regression Regina's round 2 QA review.

Changes

• Remove rbac.authorization.k8s.io block — removes privilege escalation risk (also flagged in intel-gpu-plugin#55)
• Remove orphaned comment — eliminates the stale # headlamp-dev namespace (override via E2E_NAMESPACE when needed). fragment
• Add EOF newline — fixes missing final newline
• Keep serviceaccounts/token — confirmed needed for E2E test auth; preserved

Not changed (already correct)

• Namespace is already privilegedescalation-dev (correct for Arc Runners)
• Workflow step ordering (RBAC apply → deploy script) is correct
• events resource already present in the services rule

Context

• Addresses round 2 blockers from PRI-555 QA review
• RBAC rbac.authorization.k8s.io block removal rationale documented in intel-gpu#55

cc @cpfarhood

## Summary Fixes the RBAC manifest based on Regression Regina's round 2 QA review. ### Changes - **Remove rbac.authorization.k8s.io block** — removes privilege escalation risk (also flagged in intel-gpu-plugin#55) - **Remove orphaned comment** — eliminates the stale `# headlamp-dev namespace (override via E2E_NAMESPACE when needed).` fragment - **Add EOF newline** — fixes missing final newline - **Keep serviceaccounts/token** — confirmed needed for E2E test auth; preserved ### Not changed (already correct) - Namespace is already `privilegedescalation-dev` (correct for Arc Runners) - Workflow step ordering (RBAC apply → deploy script) is correct - `events` resource already present in the services rule ### Context - Addresses round 2 blockers from PRI-555 QA review - RBAC `rbac.authorization.k8s.io` block removal rationale documented in intel-gpu#55 cc @cpfarhood

greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-05 00:46:10 +00:00

greptile-apps[bot] (Migrated from github.com) left a comment

Copy Link

Copy Source

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method [here](https://app.greptile.com/review/github).

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

greptile-apps[bot]

Labels

Clear labels

P0

Must fix - blocking

P0

Must fix - blocking

bug

Something isn't working

bug

Something isn't working

cla:approved

cla:approved

confirmed

confirmed

documentation

Improvements or additions to documentation

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

duplicate

This issue or pull request already exists

e2e

e2e

enhancement

New feature or request

enhancement

New feature or request

good first issue

Good for newcomers

good first issue

Good for newcomers

help wanted

Extra attention is needed

help wanted

Extra attention is needed

infra

Infrastructure/ops work

infra

Infrastructure/ops work

invalid

This doesn't seem right

invalid

This doesn't seem right

pri-917

pri-917

question

Further information is requested

question

Further information is requested

typecheck

typecheck

typescript

typescript

wontfix

This will not be worked on

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-polaris-plugin#133