From 6e9c97593c6fa0c1e4b7d603c6237ad22c86a1b5 Mon Sep 17 00:00:00 2001
From: Gandalf the Greybeard
Date: Sat, 21 Mar 2026 19:51:18 +0000
Subject: [PATCH 1/5] fix: move E2E test namespace from default to privilegedescalation-dev
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Per org RBAC policy, development/testing Headlamp instances must run in `privilegedescalation-dev`, not `default`. Agents only have read-write access in `privilegedescalation` and `privilegedescalation-dev` — the `default` namespace is outside our permitted scope.
Updated:
- deployment/e2e-ci-runner-rbac.yaml: Role/RoleBinding now targets privilegedescalation-dev
- deployment/headlamp-e2e-values.yaml: comment updated
- scripts/deploy-e2e-headlamp.sh: default namespace changed
- scripts/teardown-e2e-headlamp.sh: default namespace changed
Note: .github/workflows/e2e.yaml still sets E2E_NAMESPACE: default and needs a separate update — delegated to Hugh Hackman (workflow owner).
Co-Authored-By: Claude Sonnet 4.6
---
 deployment/e2e-ci-runner-rbac.yaml | 10 +++++-----
 deployment/headlamp-e2e-values.yaml | 2 +-
 scripts/deploy-e2e-headlamp.sh | 8 ++++----
 scripts/teardown-e2e-headlamp.sh | 4 ++--
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index d806f6b..e6f32e2 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -2,9 +2,9 @@
 # RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
 # CI-only test fixture — NOT for production use.
 #
-# Grants the ARC runner service account permissions in the default namespace
-# to deploy and tear down a dedicated Headlamp instance via Helm.
-# E2E resources run in `default` — nothing persists beyond a test run.
+# Grants the ARC runner service account permissions in the privilegedescalation-dev
+# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
+# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
 #
 # Plugin is loaded via ConfigMap volume mount — no custom Docker images.
 #
@@ -14,7 +14,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: e2e-ci-runner
- namespace: default
+ namespace: privilegedescalation-dev
 rules:
 # Helm needs to manage these resources for the Headlamp chart
 - apiGroups: ["apps"]
@@ -35,7 +35,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: e2e-ci-runner-binding
- namespace: default
+ namespace: privilegedescalation-dev
 subjects:
 - kind: ServiceAccount
 name: runners-privilegedescalation-gha-rs-no-permission
diff --git a/deployment/headlamp-e2e-values.yaml b/deployment/headlamp-e2e-values.yaml
index 37d6539..8bd540d 100644
--- a/deployment/headlamp-e2e-values.yaml
+++ b/deployment/headlamp-e2e-values.yaml
@@ -7,7 +7,7 @@
 #
 # Usage:
 # helm install headlamp-e2e headlamp/headlamp \
-# -n default \
+# -n privilegedescalation-dev \
 # -f deployment/headlamp-e2e-values.yaml \
 # --set image.registry=ghcr.io \
 # --set image.repository=headlamp-k8s/headlamp \
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 08512cc..2f1798c 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
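Review bot: The rewritten header still says `nothing persists beyond a test run`, but the Role and RoleBinding defined in this very file are applied as a prerequisite (`kubectl apply -f deployment/e2e-ci-runner-rbac.yaml`, per the deploy script comment in the same patch) and nothing in these hunks shows teardown removing them, so they are standing grants rather than per-run fixtures. Suggest the comment distinguish the two, e.g. `# The Helm release and its ConfigMap are per-run; this Role/RoleBinding is a standing grant applied once and should be reviewed like any other RBAC in the cluster.` If teardown does delete the RBAC objects, that is outside what is visible here and the comment should say so instead.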
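Review bot: Changing the RoleBinding's namespace also changes what an omitted `namespace:` on the ServiceAccount subject resolves to, because a ServiceAccount subject with no namespace is taken to live in the binding's own namespace. The subject's namespace field, if there is one, sits below the hunk; confirm it explicitly names the namespace where the ARC scale set actually creates `runners-privilegedescalation-gha-rs-no-permission`, otherwise the binding now points at an SA in `privilegedescalation-dev` that may not exist and every Helm call fails with forbidden. An explicit `namespace: <arc-runner-namespace>` on the subject makes the grant reviewable without opening the scale-set config. Since the commit message says this namespace is shared with other agent workloads, a sentence in the header noting that the Role's permissions now apply to everything in that shared namespace would help the next reviewer.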
@@ -5,8 +5,8 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `default` namespace. Nothing persists
-# beyond the test run — teardown cleans up all created resources.
+# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
+# persists beyond the test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 # - Plugin built (dist/ exists with plugin-main.js + package.json)
@@ -15,7 +15,7 @@
 # - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 #
 # Environment:
-# E2E_NAMESPACE — namespace for E2E Headlamp (default: default)
+# E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev)
 # E2E_RELEASE — Helm release name (default: headlamp-e2e)
 # HEADLAMP_VERSION — Headlamp image tag (default: latest)
 set -euo pipefail
@@ -23,7 +23,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
-E2E_NAMESPACE="${E2E_NAMESPACE:-default}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh
index b936851..cf310cf 100755
--- a/scripts/teardown-e2e-headlamp.sh
+++ b/scripts/teardown-e2e-headlamp.sh
@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-# E2E_NAMESPACE — namespace to clean up (default: default)
+# E2E_NAMESPACE — namespace to clean up (default: privilegedescalation-dev)
 # E2E_RELEASE — Helm release to uninstall (default: headlamp-e2e)
 set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-E2E_NAMESPACE="${E2E_NAMESPACE:-default}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 echo "=== E2E Headlamp Teardown ==="
-- 
2.52.0
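Review bot: The teardown script now carries its own copy of the namespace default, independent of the identical default in deploy-e2e-headlamp.sh and of `E2E_NAMESPACE` in the workflow, so a future edit to any one of the three leaves deploy and teardown pointed at different namespaces and the Helm release (and its ConfigMap) leaking in the shared dev namespace. Since the workflow always exports the variable, consider making the CI path fail fast rather than defaulting, e.g. `E2E_NAMESPACE="${E2E_NAMESPACE:?E2E_NAMESPACE must be set (the workflow exports it)}"` in both scripts, or have both scripts source one small `scripts/e2e-env.sh` that owns the value. If a default is kept for local runs, the header comment should at least state that it must match `E2E_NAMESPACE` in .github/workflows/e2e.yaml.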
From f0f3bd51a404635ddfcff057fbd1d47ac9a2f368 Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sat, 21 Mar 2026 20:01:04 +0000
Subject: [PATCH 2/5] ci: change E2E_NAMESPACE from default to privilegedescalation-dev
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Align workflow with org RBAC policy — agents have read-write access only in privilegedescalation-dev, not the default namespace.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/e2e.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index c70e4ae..aa50bfa 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -11,7 +11,7 @@ permissions:
 contents: read
 env:
- E2E_NAMESPACE: default
+ E2E_NAMESPACE: privilegedescalation-dev
 E2E_RELEASE: headlamp-e2e
 jobs:
-- 
2.52.0
From 3d91572b5925e8dd17780feb22083bd6e131cc38 Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sat, 21 Mar 2026 20:05:08 +0000
Subject: [PATCH 3/5] fix: update Headlamp Helm repo URL to kubernetes-sigs
The Headlamp project moved from headlamp-k8s to kubernetes-sigs GitHub org. The old chart URL https://headlamp-k8s.github.io/headlamp/ now returns 404. Updated to https://kubernetes-sigs.github.io/headlamp/.
Co-Authored-By: Claude Sonnet 4.6
---
 scripts/deploy-e2e-headlamp.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 2f1798c..77378ba 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -62,7 +62,7 @@ kubectl create configmap headlamp-polaris-plugin \
 # --- Deploy with Helm ---
 echo ""
 echo "Adding Headlamp Helm repo..."
-helm repo add headlamp https://headlamp-k8s.github.io/headlamp/ --force-update
+helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/ --force-update
 helm repo update
 echo "Installing/upgrading Headlamp E2E instance..."
-- 
2.52.0
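Review bot: The new repo URL is (re-)added with `--force-update` and refreshed with `helm repo update` on every run, and nothing in the hunk pins a chart version; the install command that follows is outside the hunk, so if it does not pass `--version` the CI fixture installs whatever the upstream index serves at run time, and with `HEADLAMP_VERSION` defaulting to `latest` (PATCH 1/5) the image floats as well. Pin both so an E2E failure is attributable to this repo rather than to an upstream release, e.g. `HEADLAMP_CHART_VERSION="${HEADLAMP_CHART_VERSION:-<known-good>}"` passed as `--version "$HEADLAMP_CHART_VERSION"`, and give `HEADLAMP_VERSION` a fixed tag (or a digest) that is bumped deliberately. Since the project moved GitHub orgs, the `image.repository=headlamp-k8s/headlamp` shown in the values-file usage comment may need the same rename; verify against the registry before changing it.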
From d6c8a8bbfc26d34228fb3e0613b77be3cc179ddb Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sat, 21 Mar 2026 20:08:25 +0000
Subject: [PATCH 4/5] fix: disable ClusterRoleBinding creation in E2E Helm values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Headlamp chart defaults to creating a ClusterRoleBinding, but the ARC runner service account lacks cluster-scoped RBAC permissions. E2E tests only need Headlamp to serve the UI — no cluster-admin required.
Co-Authored-By: Claude Sonnet 4.6
---
 deployment/headlamp-e2e-values.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/deployment/headlamp-e2e-values.yaml b/deployment/headlamp-e2e-values.yaml
index 8bd540d..dddd973 100644
--- a/deployment/headlamp-e2e-values.yaml
+++ b/deployment/headlamp-e2e-values.yaml
@@ -17,6 +17,9 @@ config:
 pluginsDir: /headlamp/plugins
 watchPlugins: false
+clusterRoleBinding:
+ create: false
+
 service:
 type: ClusterIP
-- 
2.52.0
From ca4832bcc3459c758fe7f223b6838fe57897f7bc Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sat, 21 Mar 2026 20:10:32 +0000
Subject: [PATCH 5/5] fix: add watch verb to services/serviceaccounts/configmaps/secrets in RBAC
Helm --wait requires watch on these resources to track rollout readiness.
Co-Authored-By: Claude Sonnet 4.6
---
 deployment/e2e-ci-runner-rbac.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
index e6f32e2..ea93cff 100644
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -22,7 +22,7 @@ rules:
 verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
 - apiGroups: [""]
 resources: ["services", "serviceaccounts", "configmaps", "secrets"]
- verbs: ["get", "list", "create", "update", "patch", "delete"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: [""]
 resources: ["pods"]
 verbs: ["get", "list", "watch"]
-- 
2.52.0
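Review bot: The new `clusterRoleBinding: create: false` stanza has no comment, and it is the one line in this values file that keeps Headlamp's service account from being bound cluster-wide (the commit message says the chart's default is a ClusterRoleBinding); someone "fixing" a 403 in a test by flipping it back would hand cluster-scoped access to any pod in the shared dev namespace that can obtain that SA's token. Suggest documenting both the intent and the consequence, e.g. `# Never bind Headlamp's SA cluster-wide here: E2E only exercises the UI, and a cluster-scoped SA in a shared dev namespace is an escalation path. Tests that need live cluster data must supply their own narrowly scoped token.` If the chart also creates a ServiceAccount for the pod (outside this hunk), check whether it supports `automountServiceAccountToken: false` so the now-unused token is not mounted at all.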
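Review bot: With `watch` added, the runner SA now holds every verb on `secrets` across all of `privilegedescalation-dev` with no `resourceNames` restriction, and PATCH 1/5 describes that namespace as shared with other agent workloads, so the CI runner can enumerate and read any Secret those workloads keep there, not just Helm's own release records. `list` and `watch` cannot be narrowed by `resourceNames`, so the effective mitigation is a dedicated namespace for the E2E fixture; failing that, the exposure should be stated next to the rule, e.g. `# secrets: needed for Helm release storage (presumably the default Secret driver) — note this is namespace-wide read of every Secret; keep nothing sensitive in this namespace.` Minor: the `apps` rule above lists `watch` last while this rule inserts it third; matching the order makes future verb diffs easier to read.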