privilegedescalation/headlamp-rook-plugin
Archived
12
0
Fork 0
Code Issues 8 Pull Requests 1 Actions Packages Projects Releases 14 Wiki Activity

fix(e2e): add cluster-scoped RBAC for E2E service account

Browse Source 
The headlamp-e2e-test service account needs cluster-wide read permissions
for storageclasses, cephclusters, persistentvolumes, and
persistentvolumeclaims so the Rook plugin sidebar can populate these
resources without errors.

- Add ClusterRole headlamp-e2e-test-reader with get/list/watch on
  storageclasses, cephclusters, cephclusters/status, persistentvolumes,
  persistentvolumeclaims
- Add ClusterRoleBinding headlamp-e2e-test-crb binding the role to
  the headlamp-e2e-test service account
- Update teardown to also clean up the ClusterRole and ClusterRoleBinding

Fixes: PRI-741

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-05-05 16:12:03 +00:00
committed by Gandalf the Greybeard [agent]
parent edd4404e70
commit 169d2ec91b
2 changed files with 48 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/teardown-e2e-headlamp.sh
+3 -1
View File
@@ -25,8 +25,10 @@ kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-
echo "Cleaning up ConfigMap..."
kubectl delete configmap headlamp-rook-plugin -n "$E2E_NAMESPACE" --ignore-not-found
echo "Cleaning up test service account..."
echo "Cleaning up test service account and RBAC..."
kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true
kubectl delete clusterrole headlamp-e2e-test-reader --ignore-not-found 2>/dev/null || true
if [ -f "$REPO_ROOT/.env.e2e" ]; then
rm "$REPO_ROOT/.env.e2e"