Chris Farhood
a65743dea3
The RBAC pre-flight check workflow step (commit 46350c5) verifies that
polaris-dashboard-proxy-reader Role and RoleBinding exist in the polaris
namespace before running E2E tests. However, the CI runner's RBAC
(e2e-ci-runner-role in privilegedescalation-dev) did not include
permission to read roles/rolebindings in the polaris namespace, causing
the pre-flight check to fail with a generic kubectl error on all branches.
Fix: add rules to e2e-ci-runner-role allowing get on roles/rolebindings in
privilegedescalation-dev (for the pre-flight check itself), plus a new
Role + RoleBinding in the polaris namespace granting the runner read
access to rbac resources there.
Without this fix, the pre-flight check exits 1 on every branch until someone
SSHs into the runner pod and manually applies the polaris RBAC manifest —
which they shouldn't need to do.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
76 lines
2.4 KiB
YAML
76 lines
2.4 KiB
YAML
---
|
|
# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
|
|
# CI-only test fixture — NOT for production use.
|
|
#
|
|
# Grants the ARC runner service account permissions in the privilegedescalation-dev
|
|
# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
|
|
# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
|
|
#
|
|
# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
|
|
#
|
|
# Prerequisites:
|
|
# kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: e2e-ci-runner
|
|
namespace: privilegedescalation-dev
|
|
rules:
|
|
# Helm needs to manage these resources for the Headlamp chart
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments"]
|
|
verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["services", "serviceaccounts", "configmaps", "secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Token creation for E2E test auth
|
|
- apiGroups: [""]
|
|
resources: ["serviceaccounts/token"]
|
|
verbs: ["create"]
|
|
# RBAC pre-flight check: verify polaris namespace has proxy-reader Role + RoleBinding
|
|
# before running E2E tests. Required by the "RBAC pre-flight check" workflow step.
|
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
|
resources: ["roles", "rolebindings"]
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: e2e-ci-runner-polaris-reader
|
|
namespace: polaris
|
|
rules:
|
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
|
resources: ["roles", "rolebindings"]
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: e2e-ci-runner-polaris-reader-binding
|
|
namespace: polaris
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: runners-privilegedescalation-gha-rs-no-permission
|
|
namespace: arc-runners
|
|
roleRef:
|
|
kind: Role
|
|
name: e2e-ci-runner-polaris-reader
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: e2e-ci-runner-binding
|
|
namespace: privilegedescalation-dev
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: runners-privilegedescalation-gha-rs-no-permission
|
|
namespace: arc-runners
|
|
roleRef:
|
|
kind: Role
|
|
name: e2e-ci-runner
|
|
apiGroup: rbac.authorization.k8s.io
|