Meta: Auto DevOps support for RBAC
Problem to solve
Auto DevOps does not currently support interacting with RBAC-enabled k8s clusters.
Further details
Auto DevOps deploys its own Tiller into the project's namespace, creating the project namespace if it doesn't exist.
Proposal
- Automatically create a service account/role restricted to only the project's namespace - https://gitlab.com/gitlab-org/gitlab-ce/issues/51716
- Place the service account info in environment variables available on the Runner - https://gitlab.com/gitlab-org/gitlab-ce/issues/51716
- Update script to deploy Helm with the above account/role - gitlab-ci-yml#82 (closed)
Alternative Proposal
- Use a local Tiller to enable RBAC on Auto DevOps - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22036
- Add a QA spec for an RBAC-enabled cluster and Auto DevOps - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22025
Documentation issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/51717
The major drawback here is that, by default, we share a common namespace across all environments in a single cluster. This means you run the risk of code in a review branch being able to delete production.
Multiple clusters would remove that risk, but reduce the value of shared compute. We may also want to consider more first-class support for namespaces per environment, similar to clusters. If RBAC works, you in theory don't need multiple clusters, just namespaces.
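As an added illustration of the namespace-restricted account in the first proposal (not part of this issue or of GitLab's implementation), the manifests below create a service account in the `demo-15` namespace from the original report and bind it to a Role that grants only what Tiller and the chart need inside that namespace; the account name `gitlab-deploy` and the resource list are assumptions to adjust per project. Unlike the cluster-admin ClusterRoleBinding in the original report's workaround, this account cannot touch objects outside `demo-15`, and the per-environment isolation discussed above would need one such namespace and account per environment.

```yaml
# Added example: namespace-scoped RBAC for an Auto DevOps deploy account.
# Namespace "demo-15" comes from the original report; the account name
# "gitlab-deploy" and the resource list are assumptions, not GitLab's own.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-deploy
  namespace: demo-15
---
# Role (not ClusterRole): these permissions exist only inside demo-15.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-deploy
  namespace: demo-15
rules:
  # Helm 2 Tiller stores release state in ConfigMaps in its namespace;
  # this is the access the reported "cannot list configmaps" error was missing.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Objects the Auto DevOps chart creates for an environment (assumed set).
  - apiGroups: [""]
    resources: ["pods", "services", "secrets", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps", "extensions"]
    resources: ["deployments", "replicasets", "statefulsets", "ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# RoleBinding (not ClusterRoleBinding): grants the Role above to the account
# in demo-15 only, unlike the cluster-admin workaround in the original report.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-deploy
  namespace: demo-15
subjects:
  - kind: ServiceAccount
    name: gitlab-deploy
    namespace: demo-15
roleRef:
  kind: Role
  name: gitlab-deploy
  apiGroup: rbac.authorization.k8s.io
```

Applying the file with `kubectl apply -f` and running the deploy as `system:serviceaccount:demo-15:gitlab-deploy` keeps a compromised or buggy review-branch pipeline confined to its own namespace.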
What does success look like, and how can we measure that?
- Users that create clusters using GitLab's k8s integration will be able to use Auto DevOps on RBAC-enabled clusters
- Users that bring their own RBAC-enabled cluster will be able to take advantage of all Auto DevOps features.
Links / references
-----original report-------
VERSION:
GKE: v1.8.5-gke.0
GITLAB-CE: 10.3.3
ERROR:
$ deploy
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:demo-15:default" cannot list configmaps in the namespace "demo-15": Unknown user "system:serviceaccount:demo-15:default"
WORKAROUND:
kubectl create clusterrolebinding demo-15-cluster-rule --clusterrole=cluster-admin --serviceaccount=demo-15:default