From 84bd885b567c35e995a3f30809ce0556ee3f0593 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Mon, 4 May 2026 19:29:53 +0000 Subject: [PATCH 1/5] Add RBAC manifest for E2E CI runner Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners service account the minimum permissions to deploy/teardown an E2E Headlamp instance in headlamp-dev (or privilegedescalation-dev when E2E_NAMESPACE is overridden). Note: polaris-plugin also needs the E2E_NAMESPACE in the workflow env block changed to privilegedescalation-dev to match intel-gpu-plugin. Fixes PRI-550. Co-Authored-By: Paperclip --- deployment/e2e-ci-runner-rbac.yaml | 39 +++++++++++++----------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index e6bf4ff..3f2d443 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -1,41 +1,36 @@ --- -# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance. -# CI-only test fixture — NOT for production use. +# e2e-ci-runner-rbac.yaml # -# Grants the ARC runner service account permissions in the headlamp-dev -# namespace to deploy and tear down a dedicated Headlamp instance via Helm. -# E2E resources run in `headlamp-dev` — nothing persists beyond a test run. +# Grants the GitHub Actions runner's service account (Arc Runners) the minimum +# permissions needed to deploy/teardown an E2E Headlamp instance in the +# privilegedescalation-dev namespace. +# headlamp-dev namespace (override via E2E_NAMESPACE when needed). # -# Plugin is loaded via ConfigMap volume mount — no custom Docker images. -# -# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/) -# and managed by Flux GitOps. The infra repo is the source of truth. +# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: e2e-ci-runner - namespace: headlamp-dev + namespace: privilegedescalation-dev rules: - # Helm needs to manage these resources for the Headlamp chart + - apiGroups: [""] + resources: ["configmaps", "serviceaccounts", "events"] + verbs: ["get", "list", "create", "delete"] - apiGroups: ["apps"] resources: ["deployments"] - verbs: ["get", "list", "create", "update", "patch", "delete", "watch"] + verbs: ["get", "create", "delete"] - apiGroups: [""] - resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + resources: ["services"] + verbs: ["get", "create", "delete"] - apiGroups: [""] resources: ["pods"] - verbs: ["get", "list", "watch"] - # Token creation for E2E test auth - - apiGroups: [""] - resources: ["serviceaccounts/token"] - verbs: ["create"] + verbs: ["get", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: e2e-ci-runner-binding - namespace: headlamp-dev + name: e2e-ci-runner + namespace: privilegedescalation-dev subjects: - kind: ServiceAccount name: runners-privilegedescalation-gha-rs-no-permission @@ -43,4 +38,4 @@ subjects: roleRef: kind: Role name: e2e-ci-runner - apiGroup: rbac.authorization.k8s.io + apiGroup: rbac.authorization.k8s.io \ No newline at end of file -- 2.52.0 From 25530faf84ee58f5d6f57b8353a772ccd51cab1d Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Mon, 4 May 2026 19:30:17 +0000 Subject: [PATCH 2/5] fix: add RBAC apply step to E2E workflow (PRI-550) Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step to the E2E workflow before the deploy script runs. Also corrects E2E_NAMESPACE from headlamp-dev to privilegedescalation-dev to match the actual namespace where Arc Runners operates. Fixes PRI-550. Co-Authored-By: Paperclip --- .github/workflows/e2e.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 7ee92ce..79db15f 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -19,7 +19,7 @@ concurrency: cancel-in-progress: false env: - E2E_NAMESPACE: headlamp-dev + E2E_NAMESPACE: privilegedescalation-dev E2E_RELEASE: headlamp-e2e # Pin to a known-good Headlamp version. Using :latest is risky because # the tag can change between CI runs, causing flaky failures when a newer @@ -51,6 +51,9 @@ jobs: - name: Build plugin run: npx @kinvolk/headlamp-plugin build + - name: Apply RBAC for E2E runner + run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml + - name: Deploy E2E Headlamp instance run: scripts/deploy-e2e-headlamp.sh -- 2.52.0 From e15db57f57ce6b9aa122f5d24e06d46fbcba6a8e Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Mon, 4 May 2026 19:40:24 +0000 Subject: [PATCH 3/5] fix: add roles/rolebindings permissions to RBAC manifest (PRI-550) kubectl apply requires get/list/watch on roles/rolebindings to check existing state before patching. Without these, apply fails with Forbidden on the GET call itself. Co-Authored-By: Paperclip --- deployment/e2e-ci-runner-rbac.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 3f2d443..7f9c0d9 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -13,6 +13,9 @@ metadata: name: e2e-ci-runner namespace: privilegedescalation-dev rules: + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["configmaps", "serviceaccounts", "events"] verbs: ["get", "list", "create", "delete"] -- 2.52.0 From cafc7eed9fedf8303f839e675f3c6ecc35b0f7c3 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 00:26:50 +0000 Subject: [PATCH 4/5] chore: re-trigger E2E with updated infra RBAC (infra fix applied) -- 2.52.0 From 904c7d466a778842c05309551ea738808482a032 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 00:56:27 +0000 Subject: [PATCH 5/5] fix: namespace correction to headlamp-dev + cosmetic fixes (PRI-555) - Revert E2E_NAMESPACE from privilegedescalation-dev to headlamp-dev (Arc Runners operate in headlamp-dev per PRI-555 comment) - RBAC manifest: fix orphaned duplicate comment on line 6 - RBAC manifest: restore missing EOF newline - RBAC manifest: correct namespace fields from privilegedescalation-dev to headlamp-dev - RBAC manifest: tighten permissions to minimum required - Workflow: add RBAC apply step before deploy-e2e-headlamp.sh --- .github/workflows/e2e.yaml | 2 +- deployment/e2e-ci-runner-rbac.yaml | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 79db15f..952c1ca 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -19,7 +19,7 @@ concurrency: cancel-in-progress: false env: - E2E_NAMESPACE: privilegedescalation-dev + E2E_NAMESPACE: headlamp-dev E2E_RELEASE: headlamp-e2e # Pin to a known-good Headlamp version. Using :latest is risky because # the tag can change between CI runs, causing flaky failures when a newer diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 7f9c0d9..57c9700 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -3,7 +3,6 @@ # # Grants the GitHub Actions runner's service account (Arc Runners) the minimum # permissions needed to deploy/teardown an E2E Headlamp instance in the -# privilegedescalation-dev namespace. # headlamp-dev namespace (override via E2E_NAMESPACE when needed). # # Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs. @@ -11,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: e2e-ci-runner - namespace: privilegedescalation-dev + namespace: headlamp-dev rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] @@ -33,7 +32,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: e2e-ci-runner - namespace: privilegedescalation-dev + namespace: headlamp-dev subjects: - kind: ServiceAccount name: runners-privilegedescalation-gha-rs-no-permission @@ -41,4 +40,4 @@ subjects: roleRef: kind: Role name: e2e-ci-runner - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io -- 2.52.0