diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6507518..a8e4441 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -177,6 +177,36 @@ jobs:
 runs-on: self-hosted-gremlin
 steps:
 - uses: actions/checkout@v5
+
+ - name: Install kubectl
+ run: |
+ curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+ chmod +x kubectl
+ mv kubectl /usr/local/bin/kubectl
+ kubectl version --client
+
+ - name: Install Helm
+ run: |
+ curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+ helm version
+
+ - name: Configure kubectl
+ run: |
+ # Use in-cluster service account if available, otherwise skip
+ if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
+ kubectl config set-cluster in-cluster \
+ --server=https://kubernetes.default.svc \
+ --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ kubectl config set-credentials runner \
+ --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+ kubectl config set-context runner --cluster=in-cluster --user=runner
+ kubectl config use-context runner
+ echo "Using in-cluster service account"
+ else
+ echo "No in-cluster credentials found — kubectl must be pre-configured"
+ fi
+ kubectl cluster-info || echo "WARNING: kubectl cannot reach cluster API"
+
 - name: Run integration tests
 run: |
 bash infra/inttest/run_pipeline.sh \
diff --git a/pipelines/arc/runner-rbac.yaml b/pipelines/arc/runner-rbac.yaml
new file mode 100644
index 0000000..0cc70e7
--- /dev/null
+++ b/pipelines/arc/runner-rbac.yaml
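Review bot: In .github/workflows/build.yml the `Install kubectl` and `Install Helm` steps download and execute unpinned, unverified code on the self-hosted runner: kubectl is whatever `stable.txt` names at run time with no digest check, and the Helm installer is piped to `bash` from the mutable `main` branch. The following `Configure kubectl` step gives the job the pod's service-account token, so a tampered or substituted download would run with that identity. Pin an explicit kubectl version and check it against a digest stored in the repository before the `chmod`, for example `echo "${KUBECTL_SHA256}  kubectl" | sha256sum --check` (`KUBECTL_SHA256` is a placeholder name), and add `-f` to that `curl` so an HTTP error body is never installed as the binary. Fetch the Helm installer from a release tag or commit instead of `main`, or bake both tools into the runner image. Separately, `kubectl cluster-info || echo "WARNING: …"` lets the job continue without a reachable API server; exiting non-zero there would fail earlier and more clearly than the integration tests will.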
@@ -0,0 +1,15 @@
+# RBAC for ARC runner pods — allows integration tests to create
+# ephemeral namespaces and deploy sandbox infrastructure.
+# The service account is auto-created by the ARC runner scale set chart.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: arc-runner-inttest
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: self-hosted-gremlin-gha-rs-no-permission
+ namespace: arc-system
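Review bot: In pipelines/arc/runner-rbac.yaml, `roleRef.name: cluster-admin` gives every job on this runner scale set unrestricted control of the whole cluster, including all Secrets, RBAC objects and the `arc-system` namespace the runners themselves live in. That is far broader than the header comment's "create ephemeral namespaces and deploy sandbox infrastructure". Everything the workflow executes inherits it: test scripts, downloaded installers, and pull-request content if this job is triggered by PRs (the triggers are not visible in this diff). Bind a dedicated ClusterRole that lists only the verbs and resources the tests use, as sketched below; the real rule list has to be derived from what `infra/inttest/run_pipeline.sh` deploys, and if that ends up close to admin, a disposable test cluster is the safer target. The header comment should also name the granted role plainly, since the subject's name ends in `no-permission` and a reader would otherwise assume the account is unprivileged.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: arc-runner-inttest
rules:
  # Lifecycle of the ephemeral test namespaces.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "get", "list", "delete"]
  # TODO: add one rule per resource kind the integration tests deploy;
  # no "*" in apiGroups, resources or verbs.
---
# … unchanged: ClusterRoleBinding apiVersion, kind, metadata …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: arc-runner-inttest
# … unchanged: subjects …
```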