Hugh Hackman
2734e0f554
The CI runner service account (runners-privilegedescalation-gha-rs-no-permission) does not have `get` on roles/rolebindings, so kubectl apply returns Forbidden before it can apply anything. This is a circular dependency: the runner needs RBAC to operate, but can't apply its own RBAC. The correct fix is to bootstrap the privilegedescalation/infra repo into the cluster's Flux instance. The RBAC manifest is already at base/rbac/e2e-ci-runner-rbac.yaml with a kustomization — Flux will apply it once the infra-production GitRepository+Kustomization are registered with the cluster's Flux. See: https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/79 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>