How do I apply RBAC permissions to service accounts created by Gitlab?

:thinking: Issue description

“Gitlab managed service accounts” are not able to access the IngressRoute resource. I can create a custom role and apply it, but the problem is I have to do this after Gitlab creates it.

:point_right: Is there a way to apply custom RBAC permissions to all service accounts created by Gitlab?

:open_book: More detail

I have an existing issue open when Gitlab attempts to run a deployment with IngressRoute with Traefik v2 as the Ingress Controller.

You can see this has to do with my system:serviceaccount:alpha-test-8-production:alpha-test-8-production-service-account does not have the correct permission to manage IngressRoute (which to my understanding is a CRD created by Traefik v2).

I also posted on the Traefik forums, where I received a helpful response:

Example RBAC Policy to Apply

apiVersion: v1
kind: ServiceAccount
metadata:
  name: alpha-sa
  namespace: default

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: role-with-privileges-to-deploy
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get", "create", "list", "update", "patch"]
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-with-privileges
  namespace: default
subjects:
  - kind: ServiceAccount
    name: alpha-sa
    namespace: default
roleRef:
  kind: Role
  name: role-with-privileges-to-deploy
  apiGroup: rbac.authorization.k8s.io

---

I can apply the RBAC policy to my already created user, but how do I apply this to all service accounts created by Gitlab?

:earth_americas: Environment

Version info

  • Gitlab Version: 13.9.0 (self-managed)
  • Gitlab Runner: 13.9.0
  • K3s Version: 1.19.7

How K8s is connected

:raised_hands: Thank you for your help!

I greatly appreciate your time and the entire Gitlab community. Thank you for building such a beautiful product! If there is any other additional information needed to help clarify anything, please let me know!

UPDATE:

I think it has something to do with the new Cluster Management project settings:

Hi,

I’m running into this issue as well, in my case with the ScaledObjects resource in the keda.sh ApiGroup. Gitlab creates a review application in a new namespace with its own service account for each branch; is there a way to add the required Keda Role and RoleBinding for this service account automatically to allow it to create the ScaledObjects as part of the deployment?

Thanks,

I had the same issue. Turns out the admin clusterrole was missing the permissions I needed; this is the clusterrole which gitlab uses for its permissions for its serviceaccounts.

However, you can’t just edit the admin clusterrole. It’s an aggregate clusterrole - Using RBAC Authorization | Kubernetes

What you need to do is create a new clusterrole or modify an existing one to have the permissions you need for your CRD. Then make sure that clusterrole has the label rbac.authorization.k8s.io/aggregate-to-admin: "true" and things should all work.

You can double check that’s the label you need by editing the admin clusterrole and looking for the matchLabels attribute.

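A ClusterRole that does what the reply above describes, written as an added example rather than taken from the thread; it covers both the Traefik IngressRoute and the KEDA ScaledObject cases raised earlier, the ClusterRole name is assumed, and the grant reaches every subject bound to the built-in admin ClusterRole, not only GitLab's service accounts.

```yaml
# Added example (not from the original thread). Because the built-in "admin"
# ClusterRole is aggregated, Kubernetes merges the rules of every ClusterRole
# carrying the aggregate-to-admin label into it. GitLab binds its per-namespace
# service accounts to "admin", so they pick up these rules automatically.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-crd-deploy-to-admin   # assumed name; pick your own
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  # Traefik v2 CRD from the original question
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # KEDA CRD from the second post
  - apiGroups: ["keda.sh"]
    resources: ["scaledobjects"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

After `kubectl apply -f` on this manifest, confirm the merge took effect with `kubectl get clusterrole admin -o yaml` (the new rules appear under rules, and aggregationRule.clusterRoleSelectors shows the matchLabels being used) and check a GitLab service account directly, e.g. `kubectl auth can-i create ingressroutes.traefik.containo.us -n <namespace> --as=system:serviceaccount:<namespace>:<service-account>`, substituting the namespace and service account names from your own cluster.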