Use GitLab for AuthN & AuthZ (with RBAC) in attached Kubernetes clusters
Problem Statement
As a Platform Engineer, in order to simplify user management around my infrastructure, I would like to use GitLab as the Single Source of Truth for users accessing attached clusters.
- GitLab users should be able to authenticate themselves with the cluster
- GitLab should provide a mechanism to tie Kubernetes RBAC rules to GitLab users based on roles in GitLab projects and groups
Example:
- Project Maintainers have namespace-admin rights on the namespace associated with the project
- Project Developers have read-only rights on the namespace associated with a project
- Project Developers have read-only and deployment rights on the namespace associated with a project
- Group Maintainers have namespace-admin rights on the namespaces associated with any project under the group
- Group Maintainers have namespace-admin rights on the namespace associated with the group
- Group Developers have read-only and deployment rights on the namespace associated with any project under the group
As the above examples show, the RBAC rules might need to be customizable so that we can support conflicting rules at different companies, like:
- Project Developers have read-only rights on the namespace associated with a project
- Project Developers have read-only and deployment rights on the namespace associated with a project
Opportunity Canvas (internal)
Solution idea
In the agent configuration:

```yaml
rbac:
  groups:
    # "*" is the fallback for any group without an explicit entry.
    # The key must be quoted: a bare * starts a YAML alias and does not parse.
    "*":
      developer: default-developer-rbac.yaml
      maintainer: default-maintainer-rbac.yaml
    gitlab-org/configure:
      developer: default-developer-rbac.yaml
      maintainer: default-maintainer-rbac.yaml
  projects:
    # "*" is the fallback for any project without an explicit entry.
    "*":
      developer: default-developer-rbac.yaml
      maintainer: default-maintainer-rbac.yaml
    gitlab-org/gitlab:
      developer: default-developer-rbac.yaml
      maintainer: default-maintainer-rbac.yaml
```
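The following is an added illustration of the lookup this configuration implies, not code from the proposal or from the GitLab agent. It assumes that the most specific entry (an exact group or project path) wins over the `*` wildcard per role, that a group entry applies to the group's own namespace and to every project under the group (as in the examples above), that a role with no mapping grants nothing, and that a namespace name is derived from the GitLab path by replacing `/` with `-`. The config dict, the distinct file names for the explicit entries, the project list and the memberships are constructed sample data.

```python
"""Resolve which Kubernetes RBAC manifests apply to a GitLab user.

Added example of the lookup the proposed `rbac:` agent config implies.
Assumptions (not from the proposal): exact path beats "*" per role,
group entries cascade to projects under the group, unmapped roles grant
nothing, and namespace = path with "/" replaced by "-".
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed config mirroring the proposal's YAML (a dict so it runs
# without PyYAML). File names for the explicit entries are made distinct
# here so the override behaviour is visible.
AGENT_CONFIG: Dict = {
    "rbac": {
        "groups": {
            "*": {"developer": "default-developer-rbac.yaml",
                  "maintainer": "default-maintainer-rbac.yaml"},
            "gitlab-org/configure": {"developer": "configure-developer-rbac.yaml",
                                     "maintainer": "configure-maintainer-rbac.yaml"},
        },
        "projects": {
            "*": {"developer": "default-developer-rbac.yaml",
                  "maintainer": "default-maintainer-rbac.yaml"},
            "gitlab-org/gitlab": {"developer": "gitlab-developer-rbac.yaml",
                                  "maintainer": "gitlab-maintainer-rbac.yaml"},
        },
    }
}

# Constructed list of projects the agent knows about, used to expand a group
# entry onto the projects under that group.
KNOWN_PROJECTS: List[str] = [
    "gitlab-org/gitlab",
    "gitlab-org/configure/agent",
    "acme/webapp",
]

# Constructed memberships of one user: (kind, GitLab path, role).
SAMPLE_MEMBERSHIPS: List[Tuple[str, str, str]] = [
    ("project", "gitlab-org/gitlab", "developer"),
    ("group", "gitlab-org/configure", "maintainer"),
    ("project", "acme/webapp", "maintainer"),
    ("project", "acme/webapp", "guest"),  # no mapping for guest: grants nothing
]


def namespace_for(path: str) -> str:
    """Assumed namespace naming: GitLab path with '/' replaced by '-'."""
    return path.replace("/", "-")


def lookup(section: Dict[str, Dict[str, str]], path: str, role: str) -> Optional[str]:
    """Return the manifest for (path, role): exact entry first, then '*'.

    The fallback is per role, so an explicit entry that omits a role still
    inherits that role's wildcard mapping. None means no grant at all.
    """
    for key in (path, "*"):
        entry = section.get(key, {})
        if role in entry:
            return entry[role]
    return None


def resolve_bindings(config: Dict, memberships: List[Tuple[str, str, str]],
                     known_projects: List[str]) -> Set[Tuple[str, str]]:
    """Map a user's GitLab memberships to (namespace, manifest) pairs."""
    rbac = config["rbac"]
    bindings: Set[Tuple[str, str]] = set()
    for kind, path, role in memberships:
        if kind == "project":
            manifest = lookup(rbac["projects"], path, role)
            if manifest:
                bindings.add((namespace_for(path), manifest))
        elif kind == "group":
            manifest = lookup(rbac["groups"], path, role)
            if manifest:
                # Group rights cover the group's namespace ...
                bindings.add((namespace_for(path), manifest))
                # ... and the namespace of every project under the group.
                for project in known_projects:
                    if project.startswith(path + "/"):
                        bindings.add((namespace_for(project), manifest))
    return bindings


if __name__ == "__main__":
    for ns, manifest in sorted(resolve_bindings(AGENT_CONFIG, SAMPLE_MEMBERSHIPS, KNOWN_PROJECTS)):
        print(f"{ns}: apply {manifest}")
```

Running the block prints one line per namespace the sample user gets rights in; the `guest` membership produces no line because neither the explicit entry nor the wildcard maps that role.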
Edited by Viktor Nagy (GitLab)