sdk user changes

kryanbeane · kryanbeane · commit 4c0d0727f621 · 2025-05-20T21:53:56.000+01:00
diff --git a/.github/workflows/e2e_tests.yaml b/.github/workflows/e2e_tests.yaml
@@ -173,6 +173,36 @@ jobs:
         with:
           user-name: sdk-user
 
+      - name: Grant sdk-user port-forwarding permissions
+        run: |
+          cat <<EOF | kubectl apply -f -
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: ClusterRole
+          metadata:
+            name: port-forward-permissions
+          rules:
+          - apiGroups: [""]
+            resources: ["services", "pods"]
+            verbs: ["get", "list", "watch"]
+          - apiGroups: [""]
+            resources: ["pods/portforward"]
+            verbs: ["create"]
+          ---
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: ClusterRoleBinding
+          metadata:
+            name: sdk-user-port-forward-binding
+          subjects:
+          - kind: User
+            name: sdk-user
+            apiGroup: rbac.authorization.k8s.io
+          roleRef:
+            kind: ClusterRole
+            name: port-forward-permissions
+            apiGroup: rbac.authorization.k8s.io
+          EOF
+        shell: bash
+
       - name: Configure RBAC for sdk user with limited permissions
         run: |
           kubectl create clusterrole list-ingresses --verb=get,list --resource=ingresses
diff --git a/tests/e2e/local_interactive_sdk_kind_test.py b/tests/e2e/local_interactive_sdk_kind_test.py
@@ -246,19 +246,6 @@ def run_local_interactives(
             generate_cert.generate_tls_cert(cluster_name, self.namespace)
             generate_cert.export_env(cluster_name, self.namespace)
 
-            # Unset server cert/key for client mode if skip_verify is true, to avoid client trying to use them as its own identity.
-            if os.environ.get("RAY_CLIENT_SKIP_TLS_VERIFY") == "1":
-                if "RAY_TLS_SERVER_CERT" in os.environ:
-                    del os.environ["RAY_TLS_SERVER_CERT"]
-                    logger.info(
-                        "Removed RAY_TLS_SERVER_CERT from env for client connection"
-                    )
-                if "RAY_TLS_SERVER_KEY" in os.environ:
-                    del os.environ["RAY_TLS_SERVER_KEY"]
-                    logger.info(
-                        "Removed RAY_TLS_SERVER_KEY from env for client connection"
-                    )
-
             # Start port forwarding
             local_port = "20001"
             ray_client_port = "10001"
