Extend RBAC to create service account restricted to project's namespace
Extend RBAC support to automatically create a service account/role restricted to only the project's namespace and expose it as environment variables.

Proposal:
- We need to create a ServiceAccount and a RoleBinding with `edit` access, under the project's namespace.
- Replace `KUBE_TOKEN` and `KUBECONFIG` (passed to CI) with the new credentials.
- Remove the prompt that reads: "The default cluster configuration grants access to many functionalities needed to successfully build and deploy a containerised application. More information"
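The two objects the proposal describes, written out as an added example (not code from the linked MRs); the ServiceAccount name and the project namespace are assumed values:

```yaml
# Added example, not GitLab's own code. Both objects live in the project's
# namespace; the namespace name and account name below are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-deploy              # assumed name
  namespace: my-project-123        # the project's namespace (assumed)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-deploy-edit
  namespace: my-project-123        # a RoleBinding is namespaced: the grant
                                   # below is valid only in this namespace
subjects:
  - kind: ServiceAccount
    name: gitlab-deploy
    namespace: my-project-123
roleRef:
  kind: ClusterRole                # reusing the built-in "edit" ClusterRole...
  name: edit                       # ...through a RoleBinding scopes it to
  apiGroup: rbac.authorization.k8s.io  # this namespace only
```

Referencing the built-in `edit` ClusterRole from a namespaced RoleBinding grants its verbs only inside that namespace, so the token handed to CI cannot reach other projects' namespaces; note that `edit` still permits reading and writing Secrets within the namespace, while it excludes access to Roles and RoleBindings.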
Backend - To do
- Persist namespace information for cluster/project - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011
- Create a Kubernetes service account under the project's namespace
- Create a RoleBinding with `edit` access
- Replace `KUBE_TOKEN` and `KUBECONFIG` (passed to CI) with the new credentials
List of MRs
- Rails models (with respective migration) - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22404
- Integration with the cluster/kubernetes services - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011
- Database background migration - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433
- Introduce `RoleBinding` methods and class - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22524
- Introduce new Kubernetes spec helpers - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22525
- Changes to cluster views - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22550
- Documentation - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22810/
Extra (optional / follow-ups):
- Add a cleanup worker that would remove degenerated namespaces (project_id=nil) - https://gitlab.com/gitlab-org/gitlab-ce/issues/53591
- Remove `fallback_default_namespace` after migration - https://gitlab.com/gitlab-org/gitlab-ce/issues/53585
- Remove `kubernetes_service` integration - https://gitlab.com/gitlab-org/gitlab-ce/issues/39217
- Remove extra branch on `Clusters::Platforms::Kubernetes` - https://gitlab.com/gitlab-org/gitlab-ce/issues/53586
- Compatibility with group clusters - https://gitlab.com/gitlab-org/gitlab-ce/issues/53592