How do I apply RBAC permissions to service accounts created by Gitlab?

:thinking: Issue description

“Gitlab managed service accounts” are not able to access the IngressRoute resource. I can create a custom role and apply it, but the problem is I have to do this after Gitlab creates it.

:point_right: Is there a way to apply custom RBAC permissions to all service accounts created by Gitlab?

:open_book: More detail

I have an existing issue open when Gitlab attempts to run a deployment with IngressRoute with Traefik v2 as the Ingress Controller.

You can see this has to do with my system:serviceaccount:alpha-test-8-production:alpha-test-8-production-service-account does not have the correct permission to manage IngressRoute (which to my understanding is a CRD created by Traefik v2).

I also posted on the Traefik forums, where I received a helpful response:

Example RBAC Policy to Apply

apiVersion: v1
kind: ServiceAccount
metadata:
  name: alpha-sa
  namespace: default

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: role-with-privileges-to-deploy
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get", "create", "list", "update", "patch"]
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-with-privileges
  namespace: default
subjects:
  - kind: ServiceAccount
    name: alpha-sa
    namespace: default
roleRef:
  kind: Role
  name: role-with-privileges-to-deploy
  apiGroup: rbac.authorization.k8s.io

---

I can apply the RBAC policy to my already created user, but how do I apply this to all service accounts created by Gitlab?

:earth_americas: Environment

Version info

  • Gitlab Version: 13.9.0 (self-managed)
  • Gitlab Runner: 13.9.0
  • K3s Version: 1.19.7

How K8s is connected

:raised_hands: Thank you for your help!

I greatly appreciate your time and the entire Gitlab community. Thank you for building such a beautiful product! If there is any other additional information needed to help clarify anything, please let me know!

UPDATE:

I think it has something to do with the new Cluster Management project settings:

https://docs.gitlab.com/ee/user/clusters/management_project.html#permissions
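Added example, not part of the post above and not GitLab's or Traefik's own code: a small offline evaluator for the RBAC manifests in the question, showing why the namespaced Role/RoleBinding from the Traefik forum only covers `alpha-sa` in `default` and leaves a GitLab-created account in another namespace without IngressRoute access. The second manifest set (a ClusterRole named `ingressroute-deployer` bound to the implicit group `system:serviceaccounts:<namespace>`) is an assumption used to illustrate how a binding can cover every service account in a namespace without naming each one; it grants that permission to all accounts in the namespace, so scope it to the smallest namespace and verb set that the deployment actually needs. The evaluator handles Role, ClusterRole, RoleBinding and ClusterRoleBinding subjects of kind ServiceAccount and Group, which goes slightly beyond the manifests on the page.

```python
"""Offline evaluator for a subset of Kubernetes RBAC semantics (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    namespace: str
    api_group: str  # "" is the core API group
    resource: str
    verb: str


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    """A PolicyRule grants the request when group, resource and verb all match."""
    return (_matches(rule.get("apiGroups", []), req.api_group)
            and _matches(rule.get("resources", []), req.resource)
            and _matches(rule.get("verbs", []), req.verb))


def sa_groups(sa_ns):
    """Groups the API server attaches to every service account token."""
    return {"system:serviceaccounts", f"system:serviceaccounts:{sa_ns}", "system:authenticated"}


def subject_matches(subject, sa_ns, sa_name):
    if subject["kind"] == "ServiceAccount":
        return subject["name"] == sa_name and subject.get("namespace") == sa_ns
    if subject["kind"] == "Group":
        return subject["name"] in sa_groups(sa_ns)
    return False  # User subjects never match a service account


def find_role(objects, binding):
    ref = binding["roleRef"]
    for obj in objects:
        if obj["kind"] != ref["kind"] or obj["metadata"]["name"] != ref["name"]:
            continue
        # A Role must live in the same namespace as the RoleBinding that references it.
        if ref["kind"] == "Role" and obj["metadata"]["namespace"] != binding["metadata"]["namespace"]:
            continue
        return obj
    return None


def can_i(objects, sa_ns, sa_name, req):
    """True if any binding whose subjects include the SA references a role allowing req."""
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # A RoleBinding only grants access inside its own namespace.
        if obj["kind"] == "RoleBinding" and obj["metadata"]["namespace"] != req.namespace:
            continue
        if not any(subject_matches(s, sa_ns, sa_name) for s in obj.get("subjects", [])):
            continue
        role = find_role(objects, obj)
        if role is not None and any(rule_allows(r, req) for r in role.get("rules", [])):
            return True
    return False


# The manifests from the question, transcribed as dicts (constructed input).
DEPLOY_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "create", "list", "update", "patch"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "create", "list", "update", "patch"]},
    {"apiGroups": ["traefik.containo.us"], "resources": ["ingressroutes"], "verbs": ["get", "create", "list", "update", "patch"]},
]
POST_MANIFESTS = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "role-with-privileges-to-deploy"}, "rules": DEPLOY_RULES},
    {"kind": "RoleBinding", "metadata": {"name": "user-with-privileges", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "alpha-sa", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "role-with-privileges-to-deploy"}},
]

# Hypothetical alternative (an assumption, not from the post): one ClusterRole holding the
# rules, bound per namespace to the implicit group of every service account in that namespace.
GITLAB_NS = "alpha-test-8-production"
GROUP_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "ingressroute-deployer"}, "rules": DEPLOY_RULES},
    {"kind": "RoleBinding", "metadata": {"name": "gitlab-sa-deploy", "namespace": GITLAB_NS},
     "subjects": [{"kind": "Group", "name": f"system:serviceaccounts:{GITLAB_NS}"}],
     "roleRef": {"kind": "ClusterRole", "name": "ingressroute-deployer"}},
]

CREATE_INGRESSROUTE = Request(GITLAB_NS, "traefik.containo.us", "ingressroutes", "create")
GITLAB_SA = "alpha-test-8-production-service-account"


if __name__ == "__main__":
    print("alpha-sa in default:", can_i(POST_MANIFESTS, "default", "alpha-sa", Request("default", "traefik.containo.us", "ingressroutes", "create")))
    print("gitlab SA, post manifests only:", can_i(POST_MANIFESTS, GITLAB_NS, GITLAB_SA, CREATE_INGRESSROUTE))
    print("gitlab SA, with group binding:", can_i(POST_MANIFESTS + GROUP_MANIFESTS, GITLAB_NS, GITLAB_SA, CREATE_INGRESSROUTE))
```

Running the script prints `True`, `False`, `True`: the post's RoleBinding names one account in `default`, so the GitLab-created account in its own namespace is denied until a binding in that namespace includes it, here via the namespace's service-account group. The same three checks can be made against a live cluster with `kubectl auth can-i create ingressroutes.traefik.containo.us --as=system:serviceaccount:<namespace>:<name> -n <namespace>`.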