Extend RBAC to create service account restricted to project's namespace

Extend RBAC support to automatically create service account/role restricted to only the project's namespace and expose it as environment variable

Proposal:

  • We need to create a ServiceAccount and a RoleBinding with edit access, under the project's namespace.
  • Replace KUBE_TOKEN and KUBECONFIG (passed to CI) with the new credentials.
  • Remove the prompt that reads:
    "The default cluster configuration grants access to many functionalities needed to successfully build and deploy a containerised application. More information"

Backend - To do

List of MRs

  1. Rails models (with respective migration) - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22404
  2. Integration with the cluster/kubernetes services - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011
  3. Database background migration - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433
  4. Introduce RoleBinding methods and class - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22524
  5. Introduce new Kubernetes spec helpers - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22525
  6. Changes to cluster views - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22550
  7. Documentation - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22810/

Extra (optional / follow-ups):

  1. Add cleanup worker that would remove degenerated namespaces (project_id=nil). https://gitlab.com/gitlab-org/gitlab-ce/issues/53591
  2. Remove fallback_default_namespace after migration. https://gitlab.com/gitlab-org/gitlab-ce/issues/53585
  3. Remove kubernetes_service integration. https://gitlab.com/gitlab-org/gitlab-ce/issues/39217
  4. Remove extra branch on Clusters::Platforms::Kubernetes https://gitlab.com/gitlab-org/gitlab-ce/issues/53586
  5. Compatibility with group clusters https://gitlab.com/gitlab-org/gitlab-ce/issues/53592
Edited by Daniel Gruesso
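
The objects named in the first proposal item, sketched as an added example (not code from the merge requests listed above): a ServiceAccount plus a namespaced RoleBinding to Kubernetes' built-in `edit` ClusterRole, and a check that a binding stays inside the project's namespace. The helper names and the sample namespace are hypothetical.

```ruby
require 'yaml'

RBAC_GROUP = 'rbac.authorization.k8s.io'

# ServiceAccount that CI would use, created inside the project's namespace.
def service_account(name, namespace)
  { 'apiVersion' => 'v1', 'kind' => 'ServiceAccount',
    'metadata' => { 'name' => name, 'namespace' => namespace } }
end

# Namespaced RoleBinding to the built-in "edit" ClusterRole. Because the
# binding is a RoleBinding, the role's rules apply only in `namespace`.
def edit_role_binding(account, namespace)
  { 'apiVersion' => "#{RBAC_GROUP}/v1", 'kind' => 'RoleBinding',
    'metadata' => { 'name' => "#{account}-edit", 'namespace' => namespace },
    'roleRef' => { 'apiGroup' => RBAC_GROUP, 'kind' => 'ClusterRole', 'name' => 'edit' },
    'subjects' => [{ 'kind' => 'ServiceAccount', 'name' => account,
                     'namespace' => namespace }] }
end

# Returns the reasons a binding would reach beyond the project's namespace
# or beyond edit access; an empty list means it matches the proposal.
def scope_violations(binding, namespace)
  problems = []
  unless binding['kind'] == 'RoleBinding'
    problems << "kind is #{binding['kind']}, not a namespaced RoleBinding"
  end
  unless binding.dig('metadata', 'namespace') == namespace
    problems << 'binding is not in the project namespace'
  end
  unless binding.dig('roleRef', 'name') == 'edit'
    problems << "roleRef grants #{binding.dig('roleRef', 'name')}, not edit"
  end
  Array(binding['subjects']).each do |s|
    next if s['kind'] == 'ServiceAccount' && s['namespace'] == namespace
    problems << "subject #{s['kind']}/#{s['name']} is outside the project namespace"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names, not values from the issue.
  ns = 'example-project-1'
  sa = "#{ns}-service-account"
  puts [service_account(sa, ns), edit_role_binding(sa, ns)].map(&:to_yaml).join
end
```

The built-in `edit` role still permits reading Secrets in the namespace it is bound in, so the token handed to CI should be treated as able to read every secret of that project's namespace.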