privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
This repository has been archived on 2026-06-16. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
3c6d77eb49e0554a990ca2889f53bf99ae6aa56f
headlamp-polaris-plugin/deployment/e2e-ci-runner-rbac.yaml
T
Chris Farhood 3c6d77eb49 fix(e2e): apply RBAC in workflow before pre-flight check 
The E2E workflow now applies both RBAC manifests (e2e-ci-runner-rbac.yaml
and polaris-rbac.yaml) in the same step, then verifies permissions with a
two-namespace pre-flight check. This makes the workflow self-sufficient — no
manual RBAC application or cluster-prep step required before CI runs.

Changes:
- Workflow now applies e2e-ci-runner-rbac.yaml + polaris-rbac.yaml before
  the pre-flight check (previously only applied polaris-rbac.yaml and only
  checked, not applied, e2e-ci-runner-rbac.yaml)
- Pre-flight check verifies can-i delete configmaps in privilegedescalation-dev
  AND can-i get services/proxy in polaris before proceeding
- e2e-ci-runner-rbac.yaml now includes Role + RoleBinding for the polaris
  namespace so the CI runner can apply the dashboard proxy RBAC

Fixes PRI-264 / PRI-324.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-03 18:24:21 +00:00

74 lines
2.4 KiB
YAML
Raw Blame History

---
# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
# CI-only test fixture — NOT for production use.
#
# Grants the ARC runner service account permissions in the privilegedescalation-dev
# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
#
# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
#
# Prerequisites:
# kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner
namespace: privilegedescalation-dev
rules:
# Helm needs to manage these resources for the Headlamp chart
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
- apiGroups: [""]
resources: ["services", "serviceaccounts", "configmaps", "secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
# Token creation for E2E test auth
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-binding
namespace: privilegedescalation-dev
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner
apiGroup: rbac.authorization.k8s.io
---
# RBAC for the CI runner to apply and verify Polaris dashboard RBAC.
# The E2E workflow applies deployment/polaris-rbac.yaml (Role + RoleBinding in polaris ns)
# and the pre-flight check verifies the proxy-reader role is present.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-ci-runner-polaris
namespace: polaris
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-ci-runner-polaris-binding
namespace: polaris
subjects:
- kind: ServiceAccount
name: runners-privilegedescalation-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-ci-runner-polaris
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink