diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 7ee92ce..952c1ca 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -51,6 +51,9 @@ jobs:
 - name: Build plugin
 run: npx @kinvolk/headlamp-plugin build
+ - name: Apply RBAC for E2E runner
+ run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+
 - name: Deploy E2E Headlamp instance
 run: scripts/deploy-e2e-headlamp.sh
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index e6bf4ff..57c9700 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
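Review bot: The added `kubectl apply` step grants the job its own permissions from the checked-out manifest, so anyone who can change `deployment/e2e-ci-runner-rbac.yaml` in a PR changes what the E2E job may do, bounded only by what the runner's service account is already allowed to grant (Kubernetes refuses Role/RoleBinding writes that exceed the caller's own permissions); the manifest's removed header said the infra repo under Flux was the source of truth, and nothing in this hunk replaces that control. If the step has to stay, restrict it to trusted triggers (the workflow's `on:` block is outside this hunk, so I cannot tell whether untrusted pull requests reach it) or turn it into a drift check, `run: kubectl diff -f deployment/e2e-ci-runner-rbac.yaml`, and leave the apply to GitOps. Two smaller gaps: the step passes no namespace while the manifest hardcodes `namespace: headlamp-dev` and its new header promises an `E2E_NAMESPACE` override, so that override would not reach this step unless deploy-e2e-headlamp.sh handles it (not visible here); and because `kubectl apply` does not prune, the RoleBinding rename in the second file leaves the old `e2e-ci-runner-binding` in place until something runs `kubectl delete rolebinding e2e-ci-runner-binding -n headlamp-dev --ignore-not-found`.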
@@ -1,40 +1,37 @@ --- -# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance. -# CI-only test fixture — NOT for production use. +# e2e-ci-runner-rbac.yaml # -# Grants the ARC runner service account permissions in the headlamp-dev -# namespace to deploy and tear down a dedicated Headlamp instance via Helm. -# E2E resources run in `headlamp-dev` — nothing persists beyond a test run. +# Grants the GitHub Actions runner's service account (Arc Runners) the minimum +# permissions needed to deploy/teardown an E2E Headlamp instance in the +# headlamp-dev namespace (override via E2E_NAMESPACE when needed). # -# Plugin is loaded via ConfigMap volume mount — no custom Docker images. -# -# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/) -# and managed by Flux GitOps. The infra repo is the source of truth. +# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: e2e-ci-runner namespace: headlamp-dev rules: - # Helm needs to manage these resources for the Headlamp chart + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["configmaps", "serviceaccounts", "events"] + verbs: ["get", "list", "create", "delete"] - apiGroups: ["apps"] resources: ["deployments"] - verbs: ["get", "list", "create", "update", "patch", "delete", "watch"] + verbs: ["get", "create", "delete"] - apiGroups: [""] - resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + resources: ["services"] + verbs: ["get", "create", "delete"] - apiGroups: [""] resources: ["pods"] - verbs: ["get", "list", "watch"] - # Token creation for E2E test auth - - apiGroups: [""] - resources: ["serviceaccounts/token"] - verbs: ["create"] + verbs: ["get", "list"] --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: e2e-ci-runner-binding + name: e2e-ci-runner namespace: headlamp-dev subjects: - kind: ServiceAccount