Hugh Hackman d5d16b2fe3 fix(e2e): add cluster-scoped RBAC for CI runner
The Headlamp Helm chart manages ClusterRole and ClusterRoleBinding
resources. The CI runner SA needs cluster-level permissions to
get/update these during helm upgrade. Added ClusterRole and
ClusterRoleBinding alongside the existing namespace-scoped Role.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-17 12:41:24 +00:00

---
# RBAC for the GitHub Actions CI runner that performs the E2E test setup.
# CI-only test fixture — NOT for production use.
#
# The Headlamp Helm chart creates cluster-scoped resources (ClusterRole,
# ClusterRoleBinding), so the runner's ServiceAccount needs cluster-level
# read/write on those kinds for `helm upgrade` to succeed. Namespace-scoped
# permissions in kube-system (PVCs, pods, Helm release secrets, ...) are
# granted by the Role further down in this file.
#
# Apply with: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
#
# --- Cluster-scoped permissions (for Headlamp Helm chart resources) ---
#
# NOTE(review): the write verbs below are not restricted with resourceNames,
# so this grant covers every ClusterRole/ClusterRoleBinding in the cluster,
# not only the ones owned by the Headlamp release. The API server's RBAC
# escalation check still applies: the SA can only create/update a ClusterRole
# whose rules it already holds itself (or a binding to a role it already
# holds) unless it is also given the `escalate`/`bind` verbs — confirm the
# chart's ClusterRole fits within this SA's own permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: e2e-ci-runner
rules:
  # Full lifecycle on the chart's cluster-scoped RBAC objects so helm can
  # create, update and remove them across upgrade/uninstall.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - create
      - update
      - patch
      - delete
---
# Grants the cluster-scoped role above to the CI runner ServiceAccount.
# The subject must match the SA the runner pods actually run as (presumably
# the one created by the ARC runner scale set in arc-runners — verify
# against the runner deployment). roleRef is immutable once created; to
# point this binding at a different role, delete and recreate it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: e2e-ci-runner-binding
subjects:
  - kind: ServiceAccount
    name: local-ubuntu-latest-gha-rs-no-permission
    namespace: arc-runners
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: e2e-ci-runner
---
# --- Namespace-scoped permissions (kube-system) ---
#
# Everything the E2E setup touches inside kube-system. Note that get/list on
# secrets and configmaps reads every object of that kind in kube-system, not
# only the Helm release objects — acceptable for a disposable CI cluster,
# which is why this fixture must never be applied to a production cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: e2e-ci-runner
  namespace: kube-system
rules:
  # Persistent volume claims: full lifecycle.
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - create
      - update
      - patch
      - delete
  # Pods: create/delete plus watch, but no update/patch.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - create
      - delete
      - watch
  # Attaching to running pods (create on the pods/attach subresource).
  - apiGroups:
      - ""
    resources:
      - pods/attach
    verbs:
      - create
      - get
  # Deployments: read and patch only; no create/delete.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - patch
  # Helm release secrets: full lifecycle.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - create
      - update
      - patch
      - delete
  # ConfigMaps: full lifecycle.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - create
      - update
      - patch
      - delete
  # Services: full lifecycle.
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - create
      - update
      - patch
      - delete
  # ServiceAccounts: read-only.
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - get
      - list
---
# Grants the kube-system Role above to the same CI runner ServiceAccount
# used by the ClusterRoleBinding. The subject lives in arc-runners while the
# binding lives in kube-system; that cross-namespace reference is what a
# RoleBinding to a ServiceAccount subject permits. roleRef is immutable.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: e2e-ci-runner-binding
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: local-ubuntu-latest-gha-rs-no-permission
    namespace: arc-runners
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: e2e-ci-runner