4826604a02
The E2E Headlamp instance runs in privilegedescalation-dev but needs to proxy to the Polaris dashboard service in the polaris namespace to fetch audit results.

Root cause:
- E2E tests consistently fail with 'Polaris dashboard not reachable' because the in-cluster Headlamp (running as ServiceAccount headlamp-e2e-test in privilegedescalation-dev) lacks permission to proxy to polaris-dashboard in the polaris namespace
- The default RBAC only covered the privilegedescalation-dev namespace
- The error manifests as a 503 from the Kubernetes API proxy, causing the loading spinner to persist indefinitely in E2E runs

Fix:
- Add a new Role + RoleBinding for the polaris namespace that grants get+proxy on the polaris-dashboard service
- The ARC runner's ServiceAccount (runners-privilegedescalation-gha-rs-no-permission in arc-runners) is the subject for both bindings, matching the existing pattern
- Add a pre-flight check in deploy-e2e-headlamp.sh that warns if Polaris proxy RBAC is missing, so CI output makes the issue self-diagnosing

Note: This RBAC change must be applied to the cluster before E2E runs will pass. The deploy script detects and warns about the missing permission.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
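
Added example, not part of this commit and not the project's deploy-e2e-headlamp.sh: one way to write the pre-flight check the message describes, using `kubectl auth can-i`. It assumes "get+proxy" means the `get` verb on the polaris-dashboard service and on its `proxy` subresource; the function name `check_polaris_proxy_rbac` and the `CHECK_AS` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's deploy-e2e-headlamp.sh.
# Assumption: "get+proxy" = the get verb on services/polaris-dashboard and on
# its proxy subresource, both in the polaris namespace.
POLARIS_NS="polaris"
POLARIS_SVC="polaris-dashboard"

# check_polaris_proxy_rbac (hypothetical name)
# Asks the API server whether the current identity may reach the dashboard
# through the API proxy. Set CHECK_AS (hypothetical variable) to
# system:serviceaccount:<namespace>:<name> to test another identity; the
# caller then needs impersonation rights.
# Returns 0 if every permission is present, 1 otherwise.
check_polaris_proxy_rbac() {
  missing=0
  for sub in "" proxy; do
    set -- auth can-i get "services/${POLARIS_SVC}" -n "$POLARIS_NS"
    if [ -n "$sub" ]; then set -- "$@" "--subresource=$sub"; fi
    if [ -n "${CHECK_AS:-}" ]; then set -- "$@" "--as=$CHECK_AS"; fi
    # can-i prints "yes" or "no" and exits non-zero on "no"; an unreachable
    # API server yields an empty answer, which is treated as missing.
    answer=$(kubectl "$@" 2>/dev/null) || true
    if [ "$answer" != "yes" ]; then
      echo "WARNING: missing RBAC: get services${sub:+/$sub} ${POLARIS_SVC} in namespace ${POLARIS_NS}" >&2
      missing=1
    fi
  done
  return "$missing"
}
```

Called as `check_polaris_proxy_rbac || true`, the check only warns and never fails the deploy.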