I am currently trying to integrate GitLab CI/CD and Rancher. I need to run GitLab Runner inside the Kubernetes cluster. GitLab Runner will create deployments, pods etc. Here the problem is assigning RBAC to the GitLab admin service account. Our strict company policy doesn't allow users to bind roles to a service account, which complicates things. Is there any approach I could try? I have tried GitLab Auto DevOps and the Kubernetes executor (as runner).
- I think your company doesn't understand what service accounts are for then? You kind of need to use RBAC if they are going to do much. – coderanger Feb 24 '20 at 11:13
- Please [edit] your question title so that it has some description of the problem you're having or question you're asking. All you've done with your current title is to repeat information already available in the tags. Your current title is useless to future readers who are scanning through a list of search results trying to find an answer to their problem because it contains no information as to what it contains. – Ken White Feb 25 '20 at 13:24
1 Answer
Our strict company policy doesn't allow users to bind roles to a service account.
It is not possible to programmatically create deployments without a service account with appropriate roles.
Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the kube-system namespace (beyond discovery permissions given to all authenticated users).
This allows you to grant particular roles to particular service accounts as needed.
That is why the most secure way as of now is to grant a role to an application-specific service account that lives in a particular namespace (and that's a best practice as well).
However, that is not achievable with such strict policies (no role bindings for service accounts).
Hope that helps.

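The namespaced, application-specific service account the answer recommends, written out as an added example (this is not the answerer's own manifest). The namespace `gitlab-ci`, the account name `gitlab-runner-deployer` and the exact verb list are assumptions; trim the verbs to what your pipeline actually needs.

```yaml
# Added example: least-privilege RBAC for a CI runner's service account.
# Names below are assumptions, not taken from the question or answer.
apiVersion: v1
kind: Namespace
metadata:
  name: gitlab-ci
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-runner-deployer
  namespace: gitlab-ci
---
# A namespaced Role, not a ClusterRole: it can only ever grant access
# to objects inside gitlab-ci, so a compromised runner token is contained.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: gitlab-ci
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
# Bind the Role to this one service account only: no cluster-admin,
# no wildcard resources or verbs, no binding to the default account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-binding
  namespace: gitlab-ci
subjects:
  - kind: ServiceAccount
    name: gitlab-runner-deployer
    namespace: gitlab-ci
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i create deployments -n gitlab-ci --as=system:serviceaccount:gitlab-ci:gitlab-runner-deployer` should answer `yes`, while the same check with `-n kube-system` should answer `no`, which confirms the grant is confined to the one namespace.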