RBAC permissions for Kubernetes integration

Background:

RBAC support has been added for GitLab-integrated Kubernetes clusters. To support this, service accounts with high permission levels are created for the cluster.

  • gitlab ServiceAccount has cluster-admin
  • tiller ServiceAccount has cluster-admin

What questions are you trying to answer?

This is a discussion issue to gather input about appropriate permission levels for the service accounts that GitLab manages.

Are you looking to verify an existing hypothesis or uncover new issues you should be exploring?

What is the backstory of this project and how does it impact the approach?

What do you already know about the areas you are exploring?

The gitlab ServiceAccount is a replacement for using the GKE admin user and password.

What does success look like at the end of the project?

The smallest set of privileges is assigned to each managed service account.

Links / references:

  • https://docs.gitlab.com/ee/user/project/clusters/index.html#role-based-access-control-rbac
  • https://gitlab.com/gitlab-org/gitlab-ce/issues/29398
Edited Sep 27, 2018 by Thong Kuah
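As an added example, not part of the issue or of GitLab's own code: a small Python audit that reads the JSON printed by `kubectl get clusterrolebindings,rolebindings --all-namespaces -o json` and lists every ServiceAccount bound to the built-in `cluster-admin` ClusterRole, recording whether the grant is cluster-wide (ClusterRoleBinding) or limited to one namespace (a RoleBinding that references the ClusterRole). The sample input is constructed to mirror the situation described above; the binding names, the `default` and `gitlab-managed-apps` namespaces, and the extra `deployer` and `monitor` accounts are assumptions for illustration.

```python
"""Audit Kubernetes RBAC bindings for ServiceAccounts bound to cluster-admin.

Expected input: the JSON printed by
    kubectl get clusterrolebindings,rolebindings --all-namespaces -o json
i.e. an object with kind "List" and an "items" array of bindings. Only the
standard library is used, so saved output can be audited offline.
"""
import json
import sys

CLUSTER_ADMIN = "cluster-admin"


def find_cluster_admin_service_accounts(manifest_list):
    """Return one finding per ServiceAccount subject whose binding references
    the built-in cluster-admin ClusterRole.

    A ClusterRoleBinding grants the role cluster-wide. A RoleBinding may also
    reference a ClusterRole, but the permissions then apply only inside the
    RoleBinding's own namespace, so the scope is recorded with each finding.
    """
    findings = []
    for item in manifest_list.get("items", []):
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != CLUSTER_ADMIN:
            continue
        kind = item.get("kind")
        metadata = item.get("metadata", {})
        if kind == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace " + metadata.get("namespace", "<unknown>")
        for subject in item.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            # Valid RBAC objects always carry a namespace for ServiceAccount
            # subjects; use a marker rather than guessing one if it is absent.
            sa_namespace = subject.get("namespace", "<missing>")
            findings.append({
                "binding": metadata.get("name", "<unnamed>"),
                "binding_kind": kind,
                "service_account": f"{sa_namespace}/{subject.get('name')}",
                "scope": scope,
            })
    return findings


def render_report(findings):
    """Format findings as one line each, sorted so the output is stable."""
    ordered = sorted(findings, key=lambda f: (f["scope"], f["service_account"]))
    return [
        f"{f['service_account']} has {CLUSTER_ADMIN} ({f['scope']}) "
        f"via {f['binding_kind']}/{f['binding']}"
        for f in ordered
    ]


# Constructed sample input mirroring the issue: the gitlab and tiller
# ServiceAccounts bound to cluster-admin. Binding names, namespaces and the
# extra bindings are assumptions for illustration, not taken from GitLab.
_ADMIN_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": CLUSTER_ADMIN}
_VIEW_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"}
SAMPLE_BINDINGS = {
    "kind": "List",
    "apiVersion": "v1",
    "items": [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "gitlab-admin"}, "roleRef": _ADMIN_REF,
         "subjects": [{"kind": "ServiceAccount", "name": "gitlab", "namespace": "default"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "tiller-admin"}, "roleRef": _ADMIN_REF,
         "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "gitlab-managed-apps"}]},
        # cluster-admin granted through a RoleBinding: admin inside my-app only.
        {"kind": "RoleBinding", "metadata": {"name": "deploy-admin", "namespace": "my-app"},
         "roleRef": _ADMIN_REF,
         "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "my-app"}]},
        # Read-only binding and a non-ServiceAccount subject: must not be flagged.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"}, "roleRef": _VIEW_REF,
         "subjects": [{"kind": "ServiceAccount", "name": "monitor", "namespace": "monitoring"},
                      {"kind": "User", "name": "alice"}]},
    ],
}


if __name__ == "__main__":
    # Audit real cluster output when it is piped on stdin, otherwise the sample.
    data = SAMPLE_BINDINGS if sys.stdin.isatty() else json.load(sys.stdin)
    for line in render_report(find_cluster_admin_service_accounts(data)):
        print(line)
```

Run against a live cluster with `kubectl get clusterrolebindings,rolebindings --all-namespaces -o json | python audit.py`; every line in the output is a ServiceAccount whose binding should be compared against the smallest set of verbs and resources the component actually needs.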