Fix e2e test RBAC: add bind/escalate verbs

camilamacedo86 · camilamacedo86 · commit 5e67f841ea16 · 2026-01-07T18:16:12.000Z
Scoped ServiceAccount clients need `bind` and `escalate` verbs
to create ClusterRoleBindings. The admin client previously used
bypassed this RBAC requirement.

The documentation (docs/concepts/permission-model.md) already specifies
that ServiceAccounts need `bind` and `escalate` verbs for RBAC resources
to install extensions with their own RBAC.

The e2e test template was missing these verbs, causing tests to fail when
using scoped ServiceAccount clients (which properly enforce Kubernetes RBAC)
instead of the admin client.
diff --git a/test/e2e/steps/testdata/rbac-template.yaml b/test/e2e/steps/testdata/rbac-template.yaml
@@ -50,7 +50,7 @@ rules:
       - roles
       - clusterrolebindings
       - rolebindings
-    verbs: [ update, create, list, watch, get, delete, patch ]
+    verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: [ update, create, list, watch, get, delete, patch ]
