Gitlab operator uses clusterrolebinding in namespaced mode

Summary

When a Gitlab is deployed through the Gitlab operator (OpenShift, installed with OLM), CRBs are created for service accounts of Gitlab, with a clusterRole bound that can even remove namespaces. I don't see why this would be necessary, and this is against the guidelines of giving the least-privileged permissions.

Steps to reproduce

Install the Gitlab operator through OLM (1.8.3) and deploy a very basic Gitlab.

Configuration used

---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  generateName: gitlab-system-
  annotations:
    olm.providedAPIs: GitLab.v1beta1.apps.gitlab.com
  name: gitlab-system
  namespace: gitlab-system
spec:
  targetNamespaces:
    - gitlab-system
  upgradeStrategy: Default
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
spec:
  channel: stable
  installPlanApproval: Automatic
  name: gitlab-operator-kubernetes
  source: certified-operators
  sourceNamespace: openshift-marketplace
  startingCSV: gitlab-operator-kubernetes.v1.8.3
---
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
  namespace: gitlab-system
spec:
  chart:
    values:
      certmanager:
        install: false
      global:
        hosts:
          domain: example.com
        image:
          pullPolicy: Always
          tagSuffix: '-ubi'
        ingress:
          enabled: false
          tls:
            enabled: false
      postgresql:
        primary:
          extendedConfiguration: max_connections = 200
      prometheus:
        install: false
    version: 8.7.4

Current behavior

Multiple CRBs get created:

  • gitlab-controller-manager-service-system
  • gitlab-operator-kubernet

A stripped-down example of the ClusterRole that gets created and is bound to the gitlab-manager ServiceAccount:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-operator-kubernet-x
rules:
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - events
      - namespaces
      - persistentvolumeclaims
      - secrets
      - serviceaccounts
      - services

Expected behavior

I don't expect that a namespaced operator needs to create ClusterRoles to work, especially not with these privileges.
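To make the concern above checkable on any cluster, here is an added audit script (example code written for this page, not part of the GitLab operator or of the report) that walks `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json` output, flags ClusterRoleBindings that hand a ServiceAccount from a given namespace write verbs on cluster-scoped resources (namespaces included), and derives the namespaced Role/RoleBinding that would grant the same verbs on namespace-scoped resources only. The embedded sample objects are constructed: the ClusterRole name and rules are taken from the report, while the binding name, the `gitlab-manager` subject and its `gitlab-system` namespace are assumed, and the `CLUSTER_SCOPED` list is a hand-picked subset, not an exhaustive one. Whether the operator actually needs any of the dropped rules is not something the script can know; it only shows what least privilege would look like for the quoted rules.

```python
"""Audit CRBs that grant cluster-wide write rights to a namespaced service
account, and derive the least-privilege Role/RoleBinding equivalent.

Usage against a real cluster (assumed invocation, stdlib only):
    kubectl get clusterroles -o json > roles.json
    kubectl get clusterrolebindings -o json > crbs.json
    python audit_crb.py roles.json crbs.json gitlab-system
Without arguments it runs on the constructed sample below.
"""
import json
import sys
from typing import Dict, List, Tuple

# Hand-picked subset of cluster-scoped core/RBAC resources (assumption: not
# exhaustive). A namespaced operator should never need write verbs on these.
CLUSTER_SCOPED = {"namespaces", "nodes", "persistentvolumes", "clusterroles",
                  "clusterrolebindings", "storageclasses",
                  "customresourcedefinitions"}
WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update", "*"}

# Constructed sample. Rules mirror the ClusterRole quoted in the report; the
# binding name, subject and namespace are assumed for illustration.
SAMPLE_CLUSTERROLES = [{
    "kind": "ClusterRole",
    "metadata": {"name": "gitlab-operator-kubernet-x"},
    "rules": [{
        "apiGroups": [""],
        "resources": ["configmaps", "endpoints", "events", "namespaces",
                      "persistentvolumeclaims", "secrets", "serviceaccounts",
                      "services"],
        "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"],
    }],
}]
SAMPLE_CRBS = [{
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "gitlab-operator-kubernet"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "gitlab-operator-kubernet-x"},
    "subjects": [{"kind": "ServiceAccount", "name": "gitlab-manager",
                  "namespace": "gitlab-system"}],
}]


def risky_rules(role: Dict) -> List[Dict]:
    """Return the rules of a ClusterRole that allow write verbs on
    cluster-scoped resources (or on '*', which covers them)."""
    out = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        scoped_hit = resources & CLUSTER_SCOPED
        if (scoped_hit or "*" in resources) and verbs & WRITE_VERBS:
            out.append({"resources": sorted(scoped_hit) or ["*"],
                        "verbs": sorted(verbs & WRITE_VERBS)})
    return out


def audit(clusterroles: List[Dict], crbs: List[Dict], namespace: str) -> List[Dict]:
    """Findings: service accounts of `namespace` bound via a CRB to a
    ClusterRole that can mutate cluster-scoped resources."""
    by_name = {r["metadata"]["name"]: r for r in clusterroles}
    findings = []
    for crb in crbs:
        ref = crb.get("roleRef", {})
        role = by_name.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        if role is None:
            continue  # RoleBinding-style ref or dangling binding: grants nothing cluster-wide
        rules = risky_rules(role)
        if not rules:
            continue
        for subj in crb.get("subjects", []):
            if subj.get("kind") == "ServiceAccount" and subj.get("namespace") == namespace:
                findings.append({"binding": crb["metadata"]["name"],
                                 "serviceAccount": f"{namespace}/{subj['name']}",
                                 "clusterRole": role["metadata"]["name"],
                                 "risky": rules})
    return findings


def namespaced_equivalent(role: Dict, namespace: str, sa: str) -> Tuple[Dict, Dict]:
    """Derive a Role/RoleBinding granting the same verbs on the namespace-scoped
    resources only; cluster-scoped resources and '*' are dropped."""
    rules = []
    for rule in role.get("rules", []):
        keep = [r for r in rule.get("resources", [])
                if r not in CLUSTER_SCOPED and r != "*"]
        if keep:
            rules.append({**rule, "resources": keep})
    name = role["metadata"]["name"]
    role_out = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
                "metadata": {"name": name, "namespace": namespace}, "rules": rules}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": name, "namespace": namespace},
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                           "kind": "Role", "name": name},
               "subjects": [{"kind": "ServiceAccount", "name": sa,
                             "namespace": namespace}]}
    return role_out, binding


if __name__ == "__main__":
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            roles = json.load(f)["items"]
        with open(sys.argv[2]) as f:
            bindings = json.load(f)["items"]
        ns = sys.argv[3]
    else:
        roles, bindings, ns = SAMPLE_CLUSTERROLES, SAMPLE_CRBS, "gitlab-system"
    for finding in audit(roles, bindings, ns):
        print(json.dumps(finding, indent=2))
        role_obj = next(r for r in roles if r["metadata"]["name"] == finding["clusterRole"])
        sa_name = finding["serviceAccount"].split("/", 1)[1]
        print("least-privilege equivalent:",
              json.dumps(namespaced_equivalent(role_obj, ns, sa_name), indent=2))
```

On the sample, the only finding is the quoted ClusterRole granting create/delete/patch/update on `namespaces` to `gitlab-system/gitlab-manager`; the derived Role keeps configmaps, secrets, services and the other namespace-scoped resources and drops `namespaces`. Note that a Role in a namespace can only ever grant verbs on namespaced resources, which is exactly the scope a namespaced operator should be confined to.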

Versions

  • Operator: 1.8.3
  • Platform:
    • Self-hosted: OpenShift
  • Kubernetes: (kubectl version)
    • Client: v1.32.0
    • Server: v1.29.8+632b078
    • OpenShift version: 4.16.18