From d26049a778e6cc2674a6753c7f502c8d473bec50 Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Mon, 16 Mar 2026 09:19:17 +0000
Subject: [PATCH] infra: add RBAC manifest for E2E runner Headlamp deploy access
The self-hosted GitHub Actions runner SA needs pod list/get and pods/exec permissions in kube-system to deploy plugin files to Headlamp during E2E tests. Without this, the deploy step fails with a 403 Forbidden error. A cluster admin must apply this manifest to unblock E2E.
Co-Authored-By: Paperclip
---
deployment/e2e-runner-rbac.yaml | 35 +++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 deployment/e2e-runner-rbac.yaml
diff --git a/deployment/e2e-runner-rbac.yaml b/deployment/e2e-runner-rbac.yaml
new file mode 100644
index 0000000..0f2ee19
--- /dev/null
+++ b/deployment/e2e-runner-rbac.yaml
@@ -0,0 +1,35 @@
+# RBAC for GitHub Actions E2E runner to deploy plugins to Headlamp.
+#
+# The self-hosted runner SA needs to:
+# - list/get pods in kube-system (to find the Headlamp pod)
+# - exec into the Headlamp pod (to copy plugin files and restart)
+#
+# Apply with: kubectl apply -f deployment/e2e-runner-rbac.yaml
+#
+# Adjust the ServiceAccount name/namespace if your runner setup differs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: e2e-runner-headlamp-deploy
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list", "get"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: e2e-runner-headlamp-deploy
+ namespace: kube-system
+subjects:
+ - kind: ServiceAccount
+ name: local-ubuntu-latest-gha-rs-no-permission
+ namespace: arc-runners
+roleRef:
+ kind: Role
+ name: e2e-runner-headlamp-deploy
+ apiGroup: rbac.authorization.k8s.io
--
2.52.0
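Review bot: The `pods/exec` rule carries no `resourceNames`, so the bound runner ServiceAccount can exec into every pod in kube-system, not only Headlamp. Any job scheduled onto that runner set inherits the permission, and kube-system usually hosts cluster-critical components. If the E2E Headlamp instance can run in its own namespace, bind the Role there instead (`namespace: <dedicated-e2e-namespace>` in both the Role and the RoleBinding). If it has to stay in kube-system and its pod name is stable, add `resourceNames: ["<headlamp-pod-name>"]` to the exec rule. Either way the header comment should state the scope, e.g. `# NOTE: grants exec into ALL pods in kube-system unless restricted with resourceNames`, and say which workflows are allowed to run on this runner set.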