d00fabbd58
E2E tests fail with 403 because users lack RBAC to proxy to the Polaris dashboard service. The plugin reads audit data via the K8s service proxy at /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/.

Add deployment/polaris-rbac.yaml with:
- Role granting `get` on `services/proxy` for polaris-dashboard
- RoleBinding granting this to all authenticated users (read-only)

The E2E workflow also needs a `kubectl apply -f deployment/polaris-rbac.yaml` step added before running tests. This requires the `workflows` permission on the GitHub App, which is tracked separately.

Refs: PRI-28
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
29 lines
923 B
YAML
# RBAC to allow authenticated users to proxy to the Polaris dashboard service.
# The polaris plugin reads audit data via the Kubernetes service proxy:
# /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json
# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: polaris-dashboard-proxy-reader
namespace: polaris
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: polaris-dashboard-proxy-reader
namespace: polaris
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: polaris-dashboard-proxy-reader
apiGroup: rbac.authorization.k8s.io
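Review bot: The RoleBinding subject `name: system:authenticated` is broader than the "users" the header comment and commit message describe. That group contains every authenticated identity on the cluster, including service accounts from all namespaces, so any workload with a token can read the Polaris audit results through the proxy. Consider binding the Role to a dedicated group for Headlamp users (or the specific E2E test identity) instead, or state in the header comment that cluster-wide read access to the audit data is intended. Also note that `get` on `services/proxy` is not limited to `results.json`: RBAC cannot restrict the path below `/proxy/`, so the grant covers a GET to any path the dashboard serves. The comment should say so rather than naming only the one URL.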