privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
This repository has been archived on 2026-06-16. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
0cd9eb041de9a657ff864f366887518e3cfd48eb
headlamp-polaris-plugin/deployment/e2e-ci-runner-rbac.yaml
T
Chris Farhood 0cd9eb041d Add polaris namespace RBAC for CI runner 
The E2E workflow now applies deployment/polaris-rbac.yaml before
the pre-flight check to make the workflow self-sufficient. This requires
the CI runner to have permissions in the polaris namespace.

Before: CI runner could only READ roles/rolebindings in polaris (for
the detection step). After: CI runner can APPLY the RBAC manifest
and manage the resulting Role + RoleBinding.

This is a pure infrastructure/RBAC change — no application code modified.

Fixes: PRI-324

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-03 18:06:07 +00:00

82 lines
2.6 KiB
YAML
Raw Blame History

---
# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
# CI-only test fixture — NOT for production use.
#
# Grants the ARC runner service account permissions in the privilegedescalation-dev
# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
#
# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
#
# Prerequisites:
# kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner
namespace: privilegedescalation-dev
rules:
# Helm needs to manage these resources for the Headlamp chart
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
- apiGroups: [""]
resources: ["services", "serviceaccounts", "configmaps", "secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
# Token creation for E2E test auth
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
---
# RBAC for CI runner to apply Polaris dashboard RBAC in the polaris namespace.
# The E2E workflow runs `kubectl apply -f deployment/polaris-rbac.yaml` before
# the pre-flight check to make the workflow self-sufficient.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris-binding
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-binding
namespace: privilegedescalation-dev
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink