Issue description
“Gitlab managed service accounts” are not able to access the IngressRoute resource. I can create a custom role and apply it, but the problem is I have to do this after Gitlab creates it.
Is there a way to apply custom RBAC permissions to all service accounts created by Gitlab?
More detail
I have an existing issue open when Gitlab attempts to run a deployment with IngressRoute with Traefik v2 as the Ingress Controller.
You can see this has to do with my system:serviceaccount:alpha-test-8-production:alpha-test-8-production-service-account not having the correct permission to manage IngressRoute (which, to my understanding, is a CRD created by Traefik v2).
I also posted on the Traefik forums, where I received a helpful response:
Example RBAC Policy to Apply
apiVersion: v1
kind: ServiceAccount
metadata:
  name: alpha-sa
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: role-with-privileges-to-deploy
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get", "create", "list", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-with-privileges
  namespace: default
subjects:
  - kind: ServiceAccount
    name: alpha-sa
    namespace: default
roleRef:
  kind: Role
  name: role-with-privileges-to-deploy
  apiGroup: rbac.authorization.k8s.io
---
I can apply the RBAC policy to my already created user, but how do I apply this to all service accounts created by Gitlab?
Environment
Version info
- Gitlab Version: 13.9.0 (self-managed)
- Gitlab Runner: 13.9.0
- K3s Version: 1.19.7
How K8s is connected
Thank you for your help!
I greatly appreciate your time and the entire Gitlab community. Thank you for building such a beautiful product! If there is any other additional information needed to help clarify anything, please let me know!
UPDATE:
I think it has something to do with the new Cluster Management project settings: