d26049a778
The self-hosted GitHub Actions runner SA needs pod list/get and pods/exec permissions in kube-system to deploy plugin files to Headlamp during E2E tests. Without this, the deploy step fails with a 403 Forbidden error. A cluster admin must apply this manifest to unblock E2E. Co-Authored-By: Paperclip <noreply@paperclip.ing>
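# RBAC for GitHub Actions E2E runner to deploy plugins to Headlamp.
#
# The self-hosted runner SA needs to:
#   - list/get pods in kube-system (to find the Headlamp pod)
#   - exec into the Headlamp pod (to copy plugin files and restart)
#
# Apply with: kubectl apply -f deployment/e2e-runner-rbac.yaml
#
# Adjust the ServiceAccount name/namespace if your runner setup differs.
#
# NOTE(review): the rules below carry no resourceNames, so they apply to
# every pod in kube-system, not only the Headlamp pod. Exec into a pod gives
# access to whatever that pod has mounted (service-account token, secrets,
# host paths), so this Role is considerably broader than its stated purpose.
# RBAC cannot select pods by label. Options to narrow it, to be checked
# against the actual Headlamp install:
#   - run Headlamp in a dedicated namespace and create this Role there, or
#   - give the Headlamp pod a stable name and list it under resourceNames
#     on the pods/exec rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: e2e-runner-headlamp-deploy
  namespace: kube-system
rules:
  # Read-only pod discovery; exposes the full pod specs of the namespace.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get"]
  # "create" on pods/exec is what permits `kubectl exec`. If API audit
  # logging is enabled, these requests are recorded under this verb and
  # subresource, which makes exec into non-Headlamp pods easy to alert on.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]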
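---
# Grants the e2e-runner-headlamp-deploy Role (kube-system) to the runner
# ServiceAccount, which lives in a different namespace (arc-runners).
#
# NOTE(review): every workload that runs as this ServiceAccount receives
# the Role's permissions, not only the E2E deploy step. The account name
# suggests it was set up as a no-permission identity; confirm which runner
# jobs use it before applying, and prefer a dedicated ServiceAccount for
# E2E if the runner setup allows one.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: e2e-runner-headlamp-deploy
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: local-ubuntu-latest-gha-rs-no-permission
    namespace: arc-runners
# roleRef cannot be edited on an existing binding; to point at a different
# Role, delete and recreate the RoleBinding.
roleRef:
  kind: Role
  name: e2e-runner-headlamp-deploy
  apiGroup: rbac.authorization.k8s.io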