### Background: RBAC support has been added for GitLab integrated Kubernetes clusters - to support this, service accounts with high permission levels is created for the cluster. * `gitlab` ServiceAccount has `cluster-admin` * `tiller` ServiceAccount has `cluster-admin` **What questions are you trying to answer?** This is a discussion issue to gather input about appropriate permission levels for the service accounts that GitLab manages **Are you looking to verify an existing hypothesis or uncover new issues you should be exploring?** **What is the backstory of this project and how does it impact the approach?** **What do you already know about the areas you are exploring?** The `gitlab` serviceaccount is a replacement for using GKE admin user and password. **What does success look like at the end of the project?** The smallest set of privileges is assigned to each managed service account ### Links / references: * https://docs.gitlab.com/ee/user/project/clusters/index.html#role-based-access-control-rbac * https://gitlab.com/gitlab-org/gitlab-ce/issues/29398