“Gitlab managed service accounts” are not able to access the IngressRoute resource. I can create a custom role and apply it, but the problem is I have to do this after Gitlab creates it.
Is there a way to apply custom RBAC permissions to all service accounts created by Gitlab?
I have an existing issue open when Gitlab attempts to run a deployment with IngressRoute with Traefik v2 as the Ingress Controller.
You can see this has to do with my system:serviceaccount:alpha-test-8-production:alpha-test-8-production-service-account not having the correct permission to manage IngressRoute (which to my understanding is a CRD created by Traefik v2).
I also posted on the Traefik forums, where I received a helpful response:
Example RBAC Policy to Apply
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: alpha-sa
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: role-with-privileges-to-deploy
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get", "create", "list", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-with-privileges
  namespace: default
subjects:
  - kind: ServiceAccount
    name: alpha-sa
    namespace: default
roleRef:
  kind: Role
  name: role-with-privileges-to-deploy
  apiGroup: rbac.authorization.k8s.io
---
```
I can apply the RBAC policy to my already created user, but how do I apply this to all service accounts created by Gitlab?
- Gitlab Version: 13.9.0 (self-managed)
- Gitlab Runner: 13.9.0
- K3s Version: 1.19.7
How K8s is connected
Thank you for your help!
I greatly appreciate your time and the entire Gitlab community. Thank you for building such a beautiful product! If there is any other additional information needed to help clarify anything, please let me know!
I think it has something to do with the new Cluster Management project settings: