GitLab not giving permission to edit Knative services unless Knative is installed by GitLab
Problem to solve
GitLab's service accounts passed into CI are not given the relevant permissions to create a Service in the namespace unless the Knative Helm chart was installed via GitLab. We create a service account with the `edit` role for the namespace, but `edit` won't include the CRDs used by Knative (i.e. Service) unless we explicitly configure it to.
Intended users
developers, operators.
Further details
Proposal
We have a couple of options:
- We do the same thing our custom Knative chart is doing and define the right role so that `edit` is also allowed to edit Services, per the docs on aggregated ClusterRoles: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
- Give the user explicit edit on the Services in addition to their existing `edit` role.
Since the user has not done anything to tell us about Knative being installed, it's tricky to know when we should do this. We could just always check if the cluster has the Knative CRD available and, if so, configure the aggregation rule (per option 1). It's not ideal that we have to do this for any cluster regardless of whether the user asked for Knative, but there may not be any other way, since users don't tell us ahead of time that they are planning to use Knative.
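The two options above and the "check for the CRD first" step, as an added example that is not GitLab's own code. It assumes the Knative Serving Service CRD is named services.serving.knative.dev, that kubectl on PATH points at the target cluster, and that the namespace and the GitLab-created service account name are passed as arguments; the ClusterRole, Role and RoleBinding names are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not GitLab's code). Assumptions: the Knative Serving Service
# CRD is services.serving.knative.dev, kubectl is configured for the target
# cluster, and "<namespace> <service-account>" are given as arguments.

KNATIVE_SERVICE_CRD="services.serving.knative.dev"

# The precondition for both options: given the output of "kubectl get crd -o name"
# on stdin, succeed only if the Knative Service CRD is installed in the cluster.
knative_crd_present() {
  grep -qxF "customresourcedefinition.apiextensions.k8s.io/${KNATIVE_SERVICE_CRD}"
}

# Option 1: an aggregated ClusterRole. The built-in "edit" ClusterRole carries an
# aggregationRule selecting this label, so its rules are merged into "edit" for
# every subject bound to it in every namespace, not just GitLab's.
aggregated_clusterrole_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: knative-serving-aggregate-to-edit   # illustrative name
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["serving.knative.dev"]
  resources: ["services", "configurations", "routes", "revisions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
}

# Option 2: a namespaced Role plus RoleBinding for the one service account,
# granted alongside its existing "edit" binding. Scoped to that namespace only.
namespaced_role_manifest() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: knative-services-edit   # illustrative name
  namespace: ${ns}
rules:
- apiGroups: ["serving.knative.dev"]
  resources: ["services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: knative-services-edit
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: knative-services-edit
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply option 1 only when the CRD exists, then verify with impersonation that
# the service account can actually create Knative Services in its namespace.
main() {
  ns="${1:?namespace required}"
  sa="${2:?service account required}"
  if kubectl get crd -o name | knative_crd_present; then
    aggregated_clusterrole_manifest | kubectl apply -f -
    kubectl auth can-i create "${KNATIVE_SERVICE_CRD}" -n "$ns" \
      --as "system:serviceaccount:${ns}:${sa}"
  else
    echo "Knative Service CRD not found in cluster; nothing to do" >&2
  fi
}

# Only act when invoked with arguments; sourcing the file just defines functions.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Which manifest to apply is the trade-off the proposal raises: the aggregated ClusterRole widens the built-in edit role cluster-wide for every binding, whereas the namespaced Role touches only the GitLab service account in its own namespace, at the cost of having to create it per namespace. The kubectl auth can-i --as check is the test a practitioner wants after either change, since the grant only matters if the CI service account can create the CRD-backed resource.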