privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
This repository has been archived on 2026-06-16. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
76d2bd3d41e086abd7d76cd6bf354b28e749d7e0
headlamp-polaris-plugin/deployment/e2e-runner-rbac.yaml
T
Gandalf the Greybeard 840d55efac refactor: replace kubectl exec/cp plugin deploy with ConfigMap + init container 
Redesigns E2E plugin deployment to eliminate all kubectl exec/cp access to
Headlamp pods, per board policy. The new approach:

1. Packages built plugin as a tarball stored in a ConfigMap
2. Patches the Headlamp deployment with an init container that extracts
   the plugin into the static-plugins volume before Headlamp starts
3. Waits for rollout and verifies readiness

RBAC is reduced to configmaps (create/get/patch), deployments (get/patch),
replicasets and pods (get/list for rollout status) — no exec or cp needed.

Note: .github/workflows/e2e.yaml update requires workflows permission and
must be applied separately by a user with repo admin access.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-16 10:38:34 +00:00

54 lines
1.6 KiB
YAML
Raw Blame History

---
# RBAC for the self-hosted GitHub Actions runner ServiceAccount to deploy
# plugins to Headlamp via ConfigMap + deployment patch.
#
# This grants ONLY the permissions needed by scripts/deploy-plugin-to-headlamp.sh:
# - configmaps: create/get/update (store the plugin tarball)
# - deployments: get/patch (add the init container that extracts the plugin)
# - replicasets: get/list (for kubectl rollout status)
#
# No pod exec or pod cp access is required.
#
# Apply with:
# kubectl apply -f deployment/e2e-runner-rbac.yaml
#
# The runner SA name comes from the ARC (Actions Runner Controller) deployment.
# Adjust the serviceaccount name/namespace if your runner uses a different identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: e2e-plugin-deployer
namespace: kube-system
rules:
# Store plugin tarball in a ConfigMap
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "update", "patch"]
# Patch the Headlamp deployment to add the init container
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "patch"]
# Required for kubectl rollout status
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list"]
# Required for rollout status pod readiness check
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: e2e-plugin-deployer
namespace: kube-system
subjects:
- kind: ServiceAccount
name: local-ubuntu-latest-gha-rs-no-permission
namespace: arc-runners
roleRef:
kind: Role
name: e2e-plugin-deployer
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink