fix(e2e): apply RBAC before deploy step #85

Closed

privilegedescalation-engineer[bot] wants to merge 2 commits from fix/e2e-rbac-apply-step into main

pull from: fix/e2e-rbac-apply-step

merge into: privilegedescalation:main

privilegedescalation:main

privilegedescalation:gandalf/fix-echo-printf-pri-1757

privilegedescalation:pri-1737-inline-release

privilegedescalation:gandalf/cleanup-agent-artifacts

privilegedescalation:dev

privilegedescalation:gandalf/cleanup-root-artifacts

privilegedescalation:uat

privilegedescalation:promote/uat-artifacthub-v1.0.1

privilegedescalation:gandalf/fix-promotion-gate-ci

privilegedescalation:pri-1681-update-artifacthub-1.0.1

privilegedescalation:fix/release-tarball-pattern

privilegedescalation:gandalf/pri-1671-pnpm-install

privilegedescalation:nancy/fix-dual-approval-uat-regress

privilegedescalation:gandalf/pri-1659-inline-release-workflow

privilegedescalation:gandalf/pri-1636-inline-dual-approval

privilegedescalation:inline-ci-2adb87e5

privilegedescalation:gandalf/fix-polaris-ah-url

privilegedescalation:docs/update-headlamp-namespace

privilegedescalation:hugh/fix-stale-rbac-path-pri-1002

privilegedescalation:gandalf/remove-orphaned-polaris-rbac-pri-917

privilegedescalation:gandalf/reference-shared-infra-rbac-pri-750

privilegedescalation:hugh/update-rbac-to-shared-infra

privilegedescalation:gandalf/add-renovate-github-action

privilegedescalation:pr-142

privilegedescalation:gandalf/fix-rbac-workflow-pri-324

privilegedescalation:gandalf/rename-ns-headlamp-dev

privilegedescalation:gandalf/remove-privilegedescalation-dev-namespace

privilegedescalation:pr-132-fix

privilegedescalation:gandalf/fix-rbac-manifest-PRI-555

privilegedescalation:chore/scrub-dependabot-references

privilegedescalation:gandalf/fix-markdown-lint-pri-391

privilegedescalation:gandalf/fix-e2e-rbac-pri-313

privilegedescalation:gandalf/fix-e2e-polaris-rbac

privilegedescalation:gandalf/fix-lodash-lockfile

privilegedescalation:fix/e2e-concurrency-serialization

Conversation 4 Commits 2 Files Changed -

2 Commits

Author	SHA1	Message	Date
Hugh Hackman	2734e0f554	revert(e2e): remove Apply RBAC step — CI runner lacks RBAC read permissions ... The CI runner service account (runners-privilegedescalation-gha-rs-no-permission) does not have `get` on roles/rolebindings, so kubectl apply returns Forbidden before it can apply anything. This is a circular dependency: the runner needs RBAC to operate, but can't apply its own RBAC. The correct fix is to bootstrap the privilegedescalation/infra repo into the cluster's Flux instance. The RBAC manifest is already at base/rbac/e2e-ci-runner-rbac.yaml with a kustomization — Flux will apply it once the infra-production GitRepository+Kustomization are registered with the cluster's Flux. See: https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/79 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 14:16:13 +00:00
Hugh Hackman	088550744f	fix(e2e): apply RBAC before deploy step ... The deploy script preflight check (deploy-e2e-headlamp.sh:37-41) verifies RBAC permissions before proceeding, but the workflow never applied the RBAC manifest. Add the missing Apply RBAC step after Setup Helm and before Deploy. Fixes https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/79 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 14:10:54 +00:00