fix: add RBAC manifest for E2E CI runner + namespace correction (PRI-550) #135

Closed
privilegedescalation-engineer[bot] wants to merge 5 commits from pr-132-fix into main
privilegedescalation-engineer[bot] commented 2026-05-05 00:56:42 +00:00 (Migrated from github.com)

Summary

Adds deployment/e2e-ci-runner-rbac.yaml — a Role + RoleBinding granting the Arc Runners service account the minimum permissions to deploy/teardown an E2E Headlamp instance.

Also:

  • Adds kubectl apply -f deployment/e2e-ci-runner-rbac.yaml step to the E2E workflow before the deploy script
  • Corrects E2E_NAMESPACE to headlamp-dev (matching where Arc Runners operate and the deploy script's default)
  • Fixes cosmetic issues in RBAC manifest: orphaned comment and missing EOF newline

Changes

deployment/e2e-ci-runner-rbac.yaml

New RBAC manifest granting minimum permissions for the Arc Runners service account:

  • roles/rolebindings: get, list, watch, create, delete
  • configmaps, serviceaccounts, events: get, list, create, delete
  • deployments: get, create, delete
  • services: get, create, delete
  • pods: get, list

Namespace: headlamp-dev

.github/workflows/e2e.yaml

  • Added Apply RBAC for E2E runner step before Deploy E2E Headlamp instance
  • E2E_NAMESPACE set to headlamp-dev

Fixes

  • PRI-550

Testing

  • RBAC manifest reviewed locally for YAML validity and minimum permissions
  • Workflow step ordering verified (RBAC apply → deploy)
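One way to check that a deployed Role stays within the permission matrix listed in the PR description, as an added example (not code from this PR or the project). The Role name and the sample JSON are constructed, and matching is by resource name only, ignoring API groups.

```python
import json

# Verb matrix transcribed from the PR description, keyed by resource name.
ALLOWED = {
    "roles": {"get", "list", "watch", "create", "delete"},
    "rolebindings": {"get", "list", "watch", "create", "delete"},
    "configmaps": {"get", "list", "create", "delete"},
    "serviceaccounts": {"get", "list", "create", "delete"},
    "events": {"get", "list", "create", "delete"},
    "deployments": {"get", "create", "delete"},
    "services": {"get", "create", "delete"},
    "pods": {"get", "list"},
}
EXPECTED_NAMESPACE = "headlamp-dev"


def audit_role(role: dict) -> list:
    """Return one finding per grant that exceeds the documented matrix."""
    findings = []
    if role.get("kind") != "Role":
        findings.append(f"kind is {role.get('kind')!r}, expected a namespaced Role")
    ns = role.get("metadata", {}).get("namespace")
    if ns != EXPECTED_NAMESPACE:
        findings.append(f"namespace is {ns!r}, expected {EXPECTED_NAMESPACE!r}")
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        for resource in rule.get("resources", []):
            if resource not in ALLOWED:  # also catches "*" and subresources
                findings.append(f"rule {i}: resource {resource!r} is not in the matrix")
                continue
            extra = verbs - ALLOWED[resource]
            if extra:
                findings.append(f"rule {i}: {resource} has extra verbs {sorted(extra)}")
    return findings

# Constructed sample in the shape of `kubectl get role <name> -o json`;
# the Role name is a placeholder, not taken from the PR.
DRIFTED = json.loads("""
{"kind": "Role",
 "metadata": {"name": "e2e-runner-placeholder", "namespace": "default"},
 "rules": [
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]},
   {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get"]},
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]}
""")

if __name__ == "__main__":
    for finding in audit_role(DRIFTED):
        print("FINDING:", finding)
```
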
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-05 00:56:48 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.


Pull request closed


Reference: privilegedescalation/headlamp-polaris-plugin#135