How do I customize serviceaccount permissions during AutoDeploy?

I was trying to export the node’s CIDR and External IP addresses so I can identify where the request was coming from.

In the Deploy step, I’ve added the following command:

export K8S_NODES_CIDRS=$(kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}') # collapsed multi-line command
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:[ZIPPED]-70olbd:[ZIPPED]-70olbd-service-account" cannot list resource "nodes" in API group "" at the cluster scope

Is there a way to set the service account permissions during deploy?

Ok, I solved it. I need to create a ClusterRole with ClusterRoleBindings. For future reference, the following config will ALLOW ALL ServiceAccounts to have get, list, watch permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nodes-view
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nodes-view-binding
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: nodes-view
  apiGroup: rbac.authorization.k8s.io

That’s my current solution.

Since GitLab creates a service account when deploying, with name patterns like system:serviceaccount:<namespace>, I can’t find a good way to match these specific accounts. So I have to allow all service accounts for now.

Maybe someone can help me with this?
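One way to narrow the grant, as an added example that is not part of the original post or of GitLab's own tooling: parse the apiserver's Forbidden message (which already names the exact namespace and service account), then emit a ClusterRole plus a ClusterRoleBinding whose subject is only that ServiceAccount, or, when the account name cannot be predicted ahead of time, the built-in group `system:serviceaccounts:<namespace>` that Kubernetes puts every service account of one namespace into. The namespace `demo-app-70olbd` and the sample error string are constructed for the example; the `<namespace>-service-account` naming is an assumption read off the error in the post. The `cluster_wide_subjects` check flags bindings like the one above, where the Group `system:serviceaccounts` hands the permission to every service account in the cluster.

```python
import json
import re

# Shape of the apiserver's RBAC denial, e.g.
#   nodes is forbidden: User "system:serviceaccount:NS:SA" cannot list resource "nodes"
#   in API group "" at the cluster scope
_FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<namespace>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)

READ_VERBS = ("get", "list", "watch")

# Built-in groups that make a binding apply to every caller of that class, cluster-wide.
CLUSTER_WIDE_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}

# Constructed sample (not a real cluster): same shape as the error in the post, made-up namespace.
SAMPLE_ERROR = (
    'Error from server (Forbidden): nodes is forbidden: User '
    '"system:serviceaccount:demo-app-70olbd:demo-app-70olbd-service-account" '
    'cannot list resource "nodes" in API group "" at the cluster scope'
)


def parse_forbidden(message):
    """Extract namespace, service account, verb, resource and API group from a Forbidden error."""
    m = _FORBIDDEN_RE.search(message)
    if not m:
        raise ValueError("not an RBAC Forbidden error for a service account")
    return m.groupdict()


def build_rbac(namespace, sa, resource, group, scope="serviceaccount"):
    """Return [ClusterRole, ClusterRoleBinding] granting read-only access to `resource`.

    scope="serviceaccount": bind exactly one ServiceAccount (least privilege).
    scope="namespace":      bind the group system:serviceaccounts:<namespace>, i.e. every
                            service account in that namespace, for when the SA name is unknown.
    """
    name = f"{resource}-view"
    if scope == "serviceaccount":
        subject = {"kind": "ServiceAccount", "name": sa, "namespace": namespace}
    elif scope == "namespace":
        subject = {"kind": "Group", "name": f"system:serviceaccounts:{namespace}",
                   "apiGroup": "rbac.authorization.k8s.io"}
    else:
        raise ValueError(f"unknown scope {scope!r}")
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [{"apiGroups": [group], "resources": [resource], "verbs": list(READ_VERBS)}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{name}-{namespace}"},  # one binding per deploy namespace
        "subjects": [subject],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": name},
    }
    return [role, binding]


def manifests_from_error(message, scope="serviceaccount"):
    """Turn a Forbidden error straight into the narrowest grant that would satisfy it."""
    info = parse_forbidden(message)
    return build_rbac(info["namespace"], info["sa"], info["resource"], info["group"], scope)


def cluster_wide_subjects(binding):
    """Names of Group subjects that make this binding apply to every SA or user in the cluster."""
    return [s["name"] for s in binding.get("subjects", [])
            if s.get("kind") == "Group" and s.get("name") in CLUSTER_WIDE_GROUPS]


def to_kubectl_json(manifests):
    """A v1 List document that `kubectl apply -f -` accepts on stdin (JSON is valid YAML)."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


if __name__ == "__main__":
    print(to_kubectl_json(manifests_from_error(SAMPLE_ERROR)))
```

Pipe the output into `kubectl apply -f -` from a context that is allowed to create cluster-scoped RBAC objects (the deploy service account itself cannot, which is the point). To confirm the grant before re-running the pipeline, `kubectl auth can-i list nodes --as=system:serviceaccount:<namespace>:<namespace>-service-account` answers `yes` once the binding is in place, while the same query for a service account in another namespace still answers `no`.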