Fix read only permissions

John Skarbek requested to merge jts/fix-read-only-permissions into master

This MR contains two changes, one to fix permissions, and a second to adjust the formatting of various files to ease editing and viewing in the future. This will first remove the existing secrets-ro Cluster Role, and create a new one ci-ro, and then change the Cluster Role Binding for the k8s-workloads-ro to utilize our new Cluster Role.

Diff

gitlab, secrets-ro, ClusterRole (rbac.authorization.k8s.io) has been removed:
- # Source: raw/templates/resources.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
-   labels:
-     app: raw
-     chart: raw-0.2.3
-     heritage: Tiller
-     release: gitlab-ci-accounts
-   name: secrets-ro
- rules:
- - apiGroups:
-   - ""
-   resources:
-   - secrets
-   verbs:
-   - get
-   - list
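Review bot: deleting secrets-ro while k8s-workloads-ro still carries roleRef.name: secrets-ro (see the binding below) leaves the account with no permissions at all for as long as that ordering holds, because a binding whose roleRef points at a missing ClusterRole grants nothing. The description says the removal happens first; confirm the release applies all three objects in a single upgrade, or order it so ci-ro exists and the binding points at it before secrets-ro goes away.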

gitlab, k8s-workloads-ro, ClusterRoleBinding (rbac.authorization.k8s.io) has changed:
  # Source: raw/templates/resources.yaml
  apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    labels:
      app: raw
      chart: raw-0.2.3
      heritage: Tiller
      release: gitlab-ci-accounts
    name: k8s-workloads-ro
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
-   name: secrets-ro
+   name: ci-ro
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: k8s-workloads-ro@gitlab-production.iam.gserviceaccount.com
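Review bot: roleRef on a ClusterRoleBinding is immutable, so changing `name: secrets-ro` to `name: ci-ro` in place will be rejected by the API server (a validation error that roleRef cannot be changed); the binding has to be deleted and recreated, which a plain release upgrade will not do on its own. While the object is being recreated anyway, it is still on `apiVersion: rbac.authorization.k8s.io/v1beta1` whereas both ClusterRoles use v1; v1beta1 is deprecated and was removed in Kubernetes 1.22, so move it to v1 here. Also note that the commit message says the ClusterRoleBinding was renamed, but this hunk keeps `name: k8s-workloads-ro` and it is the ClusterRole that changes name.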

gitlab, ci-ro, ClusterRole (rbac.authorization.k8s.io) has been added:
+ # Source: raw/templates/resources.yaml
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+   labels:
+     app: raw
+     chart: raw-0.2.3
+     heritage: Tiller
+     release: gitlab-ci-accounts
+   name: ci-ro
+ rules:
+ - apiGroups:
+   - ""
+   resources:
+   - secrets
+   verbs:
+   - get
+   - list
+ - apiGroups:
+   - admissionregistration.k8s.io
+   resources:
+   - validatingwebhookconfigurations
+   - mutatingwebhookconfigurations
+   verbs:
+   - get
+   - list
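Review bot: the secrets rule is unchanged from secrets-ro, but it is worth restating what it grants now that the role is framed as general CI read-only access: get and list on secrets in the core group, bound through a ClusterRoleBinding, lets the k8s-workloads-ro account read every Secret in every namespace, and list returns full objects including their data, so it is equivalent to reading all of them. If the dry-runs only need secrets from the namespaces the monitoring release deploys into, a namespaced Role plus RoleBinding for that rule would shrink the blast radius, leaving the ClusterRole with only the validatingwebhookconfigurations and mutatingwebhookconfigurations rule, which is cluster-scoped and genuinely needs it.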

7a7f64b4 - Fixes permissions for our CI Read Only Service Account

  • During dry-runs, the monitoring project was lacking the ability to view specific resources
  • This commit adds the necessary RBAC permissions to allow the user to see those objects
  • Since this is no longer specific to secrets, but still specific to the user required for RO permissions for CI, I've decided to rename the ClusterRoleBinding to better define what it's for
  • This also adds a bit of detail regarding the use of minikube as a test ground for this style of change
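The commit above adds a second rule to the read-only ClusterRole. The following is an added example, not code from this MR or from GitLab, that evaluates requests against the two rule sets exactly as they appear in the diff, using the same additive matching the Kubernetes RBAC authorizer applies (a request is allowed if any rule's apiGroups, resources and verbs each contain the requested value or the wildcard "*"). It shows which requests the rename unblocks and confirms that mutating verbs stay denied. The request list is constructed for illustration; the rule sets are transcribed from the page.

```python
"""Minimal evaluator for Kubernetes RBAC PolicyRules (added example).

Mirrors the RBAC authorizer's matching for group/resource/verb rules:
a rule permits a request when each of apiGroups, resources and verbs
contains the requested value or "*". Rules are purely additive; there
are no deny rules, so one matching rule is enough.
"""

# Transcribed from the secrets-ro ClusterRole that the MR removes.
SECRETS_RO = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
]

# Transcribed from the ci-ro ClusterRole that the MR adds.
CI_RO = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    {
        "apiGroups": ["admissionregistration.k8s.io"],
        "resources": ["validatingwebhookconfigurations",
                      "mutatingwebhookconfigurations"],
        "verbs": ["get", "list"],
    },
]


def _matches(allowed, wanted):
    """A rule field matches on exact value or on the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def role_allows(rules, api_group, resource, verb):
    """Any single matching rule grants the request (RBAC is additive)."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def diff_permissions(old_rules, new_rules, requests):
    """Split requests into those the new role newly permits and those it
    still denies, so a reviewer can see exactly what a role change adds."""
    newly_allowed, still_denied = [], []
    for req in requests:
        before = role_allows(old_rules, *req)
        after = role_allows(new_rules, *req)
        if after and not before:
            newly_allowed.append(req)
        elif not after:
            still_denied.append(req)
    return newly_allowed, still_denied


# Constructed sample requests: what a dry-run plausibly touches, plus
# requests a read-only account must never succeed at.
SAMPLE_REQUESTS = [
    ("", "secrets", "get"),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations", "list"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations", "get"),
    ("", "secrets", "delete"),
    ("", "pods", "list"),
    ("apps", "deployments", "get"),
]

if __name__ == "__main__":
    newly, denied = diff_permissions(SECRETS_RO, CI_RO, SAMPLE_REQUESTS)
    print("newly allowed by ci-ro:")
    for group, resource, verb in newly:
        print(f"  {verb} {resource} ({group or 'core'})")
    print("still denied by ci-ro:")
    for group, resource, verb in denied:
        print(f"  {verb} {resource} ({group or 'core'})")
```

Running it lists the two webhook-configuration reads as the only new grants and shows that delete on secrets, and any access to pods or deployments, remain denied. The evaluator ignores resourceNames and subresources, which is enough for these two roles but would need extending for roles that use them.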

f9524935 - cleans up the formatting in both our readme as well as the api objects

Closes: gitlab-com/gl-infra/delivery#779 (closed)

Edited by John Skarbek