Auto DevOps support for RBAC
Auto DevOps does not currently support interacting with RBAC-enabled k8s clusters.
Auto DevOps deploys its own Tiller to the project's namespace, creating the project namespace if it doesn't exist. To support RBAC it would need to:
- Automatically create a service account/role restricted to only the project's namespace
- Place the service account credentials in environment variables available on the Runner
- Update the deploy script to deploy Helm with the above account/role
The major drawback here is that by default we share a common namespace across all environments in a single cluster. This means you run the risk of code in a review branch being able to delete production.
Multiple clusters would solve that risk but reduce the value of shared compute. We may also want to consider more first-class support for namespaces per environment, similar to clusters. If RBAC works, in theory you don't need multiple clusters, just namespaces.
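What the first bullet above amounts to, as an added example (not GitLab's own manifests): a namespace-scoped ServiceAccount, Role and RoleBinding for the per-project Tiller, so the deploy credential can touch only that project's namespace instead of being bound to cluster-admin. The names `tiller`, `tiller-manager` and the `demo-15` namespace are assumptions.

```yaml
# Added example: least-privilege RBAC for a per-project Tiller (Helm 2).
# Names (tiller, tiller-manager, demo-15) are assumptions, not GitLab defaults.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-15
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: demo-15
---
# A Role (not a ClusterRole) can only grant access inside its own namespace,
# so this account cannot read or delete anything in another project's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-manager
  namespace: demo-15
rules:
  # Tiller keeps release state in ConfigMaps; without this the upgrade fails
  # with "cannot list configmaps in the namespace".
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["*"]
  # Workload resources the project's chart creates (deployments, services,
  # ingresses, secrets, ...), still limited to this namespace.
  - apiGroups: ["", "apps", "extensions"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-binding
  namespace: demo-15
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-manager
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: demo-15
```

Tiller is then installed with `helm init --service-account tiller --tiller-namespace demo-15`, and the Runner's deploy step uses that service account's token rather than a cluster-wide binding. Note that this still does not separate environments that share the namespace; that is the per-environment-namespace question raised above.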
VERSION: GKE: v1.8.5-gke.0 GITLAB-CE: 10.3.3
ERROR: $ deploy Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:demo-15:default" cannot list configmaps in the namespace "demo-15": Unknown user "system:serviceaccount:demo-15:default"
WORKAROUND: kubectl create clusterrolebinding demo-15-cluster-rule --clusterrole=cluster-admin --serviceaccount=demo-15:default