
GitLab not giving permission to edit Knative services unless Knative is installed by GitLab

Problem to solve

The service accounts GitLab creates and passes into CI are not given the permissions needed to create a Knative Service in the namespace unless the Knative Helm chart was installed through GitLab. We create a service account bound to the built-in edit ClusterRole for the namespace, but edit does not cover the CRDs Knative uses (i.e. Service) unless we explicitly configure it to.

Intended users

Developers, operators.

Further details

Proposal

We have a couple of options:

  1. Do what our custom Knative chart already does: define a ClusterRole that aggregates into edit, so that edit is also allowed to manage Knative Services, per the aggregated ClusterRoles docs at https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
  2. Give the service account an explicit role for Knative Services in addition to its existing edit role.

Since the user has done nothing to tell us that Knative is installed, it is tricky to know when we should do this. We could always check whether the cluster has the Knative CRD available and, if so, configure the aggregation rule (option 1). It is not ideal that we would do this for every cluster regardless of whether the user asked for Knative, but there may be no other way, since users do not tell us ahead of time that they plan to use Knative.
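What option 1 looks like as a manifest, as an added example (not taken from GitLab's chart): a ClusterRole carrying the aggregate-to-edit label, so the built-in edit role, and with it the CI service account's existing RoleBinding, gains the Knative Serving verbs. The resource list assumes Knative Serving's serving.knative.dev API group; the ClusterRole name is an assumption.

```yaml
# Added example: aggregate Knative Serving permissions into the built-in
# "edit" ClusterRole. Assumes Knative Serving's CRDs are served under the
# serving.knative.dev API group (the group Knative Serving installs).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: knative-serving-aggregate-to-edit   # assumed name
  labels:
    # The RBAC controller merges the rules of every ClusterRole carrying
    # this label into "edit" (which in turn aggregates into "admin").
    # Removing this object removes the rules again on the next reconcile.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  - apiGroups: ["serving.knative.dev"]
    resources: ["services", "configurations", "routes", "revisions"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Scope caveat: these rules are added to the cluster-wide "edit" role, but a
# service account bound to edit via a namespaced RoleBinding still only
# receives them inside that namespace, so the existing binding is unchanged.
```

The detection step in the proposal maps to checking for the CRD with kubectl get crd services.serving.knative.dev, and the grant can be confirmed afterwards with kubectl auth can-i create services.serving.knative.dev --as=system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT -n NAMESPACE (placeholders for the namespace and service account name).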

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

Links / references

Edited by Dylan Griffith