This repository has been archived on 2026-06-16.
headlamp-polaris-plugin/deployment/e2e-runner-rbac.yaml
Gandalf the Greybeard 95a814c91a ci: add ConfigMap + init container E2E plugin deploy (CI-only)
Adds a CI-only test fixture for deploying freshly-built plugin artifacts
to a test Headlamp instance without kubectl exec/cp. Approved under CTO
decision PRI-200 as a narrowly-scoped CI exception — production plugin
distribution remains ArtifactHub-only.

- scripts/deploy-plugin-to-headlamp.sh: packages plugin as tarball →
  stores in ConfigMap → patches Headlamp deployment with init container
  that extracts to static-plugins volume
- deployment/e2e-runner-rbac.yaml: minimal RBAC (configmaps, deployments,
  replicasets, pods — no exec/cp)
- scripts/deploy-plugin-to-headlamp.test.sh: precondition and policy
  compliance tests (9 assertions)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-16 11:55:21 +00:00

---
# ============================================================================
# CI-ONLY TEST FIXTURE — NOT part of production deployment.
#
# RBAC for the self-hosted GitHub Actions runner ServiceAccount to deploy
# plugins to Headlamp via ConfigMap + deployment patch in E2E CI.
#
# Approved under CTO decision PRI-200 (narrowly-scoped CI exception).
# Production plugin distribution remains ArtifactHub-only.
# ============================================================================
#
# Grants ONLY the permissions needed by scripts/deploy-plugin-to-headlamp.sh:
# - configmaps: create/get/update/patch (store the plugin tarball)
# - deployments: get/patch (add the init container that extracts the plugin)
# - replicasets: get/list (for kubectl rollout status)
# - pods: get/list (for rollout readiness check)
#
# No pod exec or pod cp access is required.
#
# Apply with:
# kubectl apply -f deployment/e2e-runner-rbac.yaml
#
# The runner SA name comes from the ARC (Actions Runner Controller) deployment.
# Adjust the serviceaccount name/namespace if your runner uses a different identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: e2e-plugin-deployer
  namespace: kube-system
rules:
  # Store plugin tarball in a ConfigMap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update", "patch"]
  # Patch the Headlamp deployment to add the init container
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "patch"]
  # Required for kubectl rollout status
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list"]
  # Required for rollout status pod readiness check
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: e2e-plugin-deployer
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: local-ubuntu-latest-gha-rs-no-permission
    namespace: arc-runners
roleRef:
  kind: Role
  name: e2e-plugin-deployer
  apiGroup: rbac.authorization.k8s.io
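Added example (not part of the repository): a static least-privilege check that the Role grants exactly what the header comment lists and nothing the PRI-200 exception rules out. The rule dicts are a hand-copied rendering of the Role above; the REQUIRED list follows the header, while FORBIDDEN and OVERBROAD_RULES are my assumptions about what an over-broad runner role would look like.

```python
"""Static least-privilege audit of the e2e-plugin-deployer Role (added example)."""

# Rules of the Role above, constructed by hand so the check needs no cluster or YAML parser.
E2E_RULES = [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create", "get", "update", "patch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
    {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
]

# What scripts/deploy-plugin-to-headlamp.sh needs per the file header: (group, resource, verb).
REQUIRED = [
    ("", "configmaps", "create"), ("", "configmaps", "get"), ("", "configmaps", "update"),
    ("apps", "deployments", "get"), ("apps", "deployments", "patch"),
    ("apps", "replicasets", "get"), ("apps", "replicasets", "list"),
    ("", "pods", "get"), ("", "pods", "list"),
]

# Assumed deny-list: kubectl exec/cp use the pods/exec subresource, and pod creation
# or secret reads would widen the runner far beyond "store a tarball, patch one deployment".
FORBIDDEN = [
    ("", "pods/exec", "create"), ("", "pods/attach", "create"),
    ("", "pods", "create"), ("", "pods", "delete"),
    ("", "secrets", "get"), ("", "secrets", "list"),
]


def _matches(pattern, name):
    # RBAC wildcard semantics: "*" matches anything; "pods/*" matches every pod subresource.
    if pattern == "*" or pattern == name:
        return True
    return pattern.endswith("/*") and "/" in name and name.split("/")[0] == pattern[:-2]


def allows(rules, group, resource, verb):
    """True if any rule grants (group, resource, verb); RBAC unions rules, it never denies."""
    return any(
        any(_matches(g, group) for g in r.get("apiGroups", []))
        and any(_matches(res, resource) for res in r.get("resources", []))
        and any(_matches(v, verb) for v in r.get("verbs", []))
        for r in rules
    )


def audit(rules):
    """Return (missing, excess, wildcard_rules): needed grants absent, forbidden grants present, rules using '*'."""
    missing = [p for p in REQUIRED if not allows(rules, *p)]
    excess = [p for p in FORBIDDEN if allows(rules, *p)]
    wildcards = [r for r in rules if "*" in r.get("verbs", []) + r.get("resources", []) + r.get("apiGroups", [])]
    return missing, excess, wildcards


# Constructed counter-example: the kind of rule the CI exception is meant to avoid.
OVERBROAD_RULES = [{"apiGroups": [""], "resources": ["pods", "pods/*"], "verbs": ["*"]}]

if __name__ == "__main__":
    print("e2e role: ", audit(E2E_RULES))       # ([], [], [])
    print("overbroad:", audit(OVERBROAD_RULES))  # pods/exec create (and more) flagged as excess
```

Run it again after any edit to the Role; a non-empty excess list or wildcard list means the change has left the scope the exception was approved for.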