Hi, I want to integrate review enironments of kubernetes cluster and crunchy postgres-operator.
I have integrated group k8s cluster with enabled “Namespace per environment” option.
My review deploy section
deploy_review:
stage: deploy
image: alpine/k8s:1.21.2
script:
- apk add --update gettext
- envsubst < .helm/gitlab-role.yaml | kubectl apply -f -
- envsubst < .helm/gitlab-role-binding.yaml | kubectl apply -f -
environment:
name: $CI_COMMIT_REF_SLUG
url: http://$CI_COMMIT_REF_SLUG.$KUBE_INGRESS_BASE_DOMAIN
only:
- /^review/.*$/
tags:
- kubernetes
gitlab-role.yaml With required permission. My KUBE_NAMESPACE is main-234-review-k8s
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: $KUBE_NAMESPACE-pgo-role
namespace: $KUBE_NAMESPACE
rules:
- apiGroups: ["crunchydata.com"]
resources:
- pgclusters
- pgreplicas
- pgpolicies
- pgtasks
verbs:
- delete
- list
So with that config I have permission error into ci/cd pipeline.
Error from server (Forbidden): error when creating "STDIN": roles.rbac.authorization.k8s.io "main-234-review-k8s-pgo-role" is forbidden: user "system:serviceaccount:main-234-review-k8s:main-234-review-k8s-service-account" (groups=["system:serviceaccounts" "system:serviceaccounts:main-234-review-k8s" "system:authenticated"]) is attempting to grant RBAC permissions not currently held
Is there any way to extend gitlab generated roles like this main-234-review-k8s to make them access to custom API groups?