Deploy KAS as a tenant in a multi-tenant cluster

Hey there,

You have some great software here. I am happy that you work on such a great integration of k8s into GitLab. Sadly, I found out that the configuration generator assumes that the user can create a ClusterRole and a ClusterRoleBinding. But both are mostly disabled in a multi-tenant k8s cluster for the obvious reasons. Everything worked fine until I deployed the agent in my namespace with the help of your documentation.

At first, I ran the command as specified and given via the GitLab UI:

docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --agent-token=<my-agent-token> --kas-address=wss://<my-institutions-gitlab-instance> --agent-version stable --namespace <my-namespace>  | kubectl apply -f -

This deployed the agent in my namespace but printed out some errors about Cilium (we use an alternative for this, I think), ClusterRole and ClusterRoleBinding (as I said before: this is expected). So I saved the generated manifest into a file. First I removed the Cilium part and renamed ClusterRole to Role and ClusterRoleBinding to RoleBinding. After this, I got the issue that the manifest uses "*", but I cannot use all resources which kubectl api-resources prints out (e.g. ClusterRoleBinding and ClusterRole). So this creates new issues for me.

I tried to do my research, but I cannot find out which permissions are only needed for the agent (and how to do it in the manifest), so here we are. Maybe you can help me and point me in the right direction to make the agent work in a multi-tenant environment without the need to specify cluster-wide Roles and Bindings.

My cluster administrators suggest working with their ArgoCD instance, so if we cannot figure this out, I need to go this way. But I would like to use kubectl in my CI/CD for a better DevOps experience for my team.

Thank you for your help and have a great time.
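
The manual rewrite described in the post (drop the Cilium objects, turn ClusterRole/ClusterRoleBinding into Role/RoleBinding, then deal with the "*" rules) can be scripted as below; this is an added example, not part of the original post and not GitLab's generator code. It assumes the manifest has already been parsed into a list of dicts, the sample manifest and all object names in it are constructed, and it only reports wildcard rules rather than guessing which permissions the agent needs.

```python
import copy

RENAME = {"ClusterRole": "Role", "ClusterRoleBinding": "RoleBinding"}

def namespace_scope(docs, namespace, drop_groups=("cilium.io",)):
    """Rewrite parsed manifest dicts to namespaced RBAC; return (docs, findings)."""
    # ClusterRoles defined in this manifest: bindings to them must follow the rename.
    local_roles = {d["metadata"]["name"] for d in docs if d.get("kind") == "ClusterRole"}
    out, findings = [], []
    for doc in copy.deepcopy(docs):  # never mutate the caller's objects
        kind, name = doc.get("kind", ""), doc["metadata"]["name"]
        if doc.get("apiVersion", "").split("/")[0] in drop_groups:
            findings.append(f"dropped {kind}/{name}")
            continue
        if kind in RENAME:
            kind = doc["kind"] = RENAME[kind]
            doc["metadata"]["namespace"] = namespace
        if kind == "RoleBinding":
            ref = doc["roleRef"]
            if ref["kind"] == "ClusterRole" and ref["name"] in local_roles:
                ref["kind"] = "Role"  # the role it points at was converted above
            elif ref["kind"] == "ClusterRole":
                # Valid in Kubernetes, but the tenant must be allowed to bind it.
                findings.append(f"RoleBinding/{name} still references ClusterRole/{ref['name']}")
        if kind == "Role":
            for i, rule in enumerate(doc.get("rules", [])):
                wild = [k for k in ("apiGroups", "resources", "verbs") if "*" in rule.get(k, [])]
                if wild:  # replace these with an explicit list before applying
                    findings.append(f"Role/{name} rule {i}: wildcard in {', '.join(wild)}")
        out.append(doc)
    return out, findings

SAMPLE = [  # constructed manifest, not the generator's real output
    {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy", "metadata": {"name": "agent-egress"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "agent-role"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "agent-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "agent-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "agent-sa", "namespace": "team-a"}]},
]

if __name__ == "__main__":
    import json
    docs, findings = namespace_scope(SAMPLE, "team-a")
    print(json.dumps(docs, indent=2))  # kubectl apply -f also accepts JSON
    print("\n".join(findings))
```
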