Role support for individual verb lists per resource
The role rules definition currently accepts only one list of resources together with one list of verbs, so every verb is granted on every listed resource.
The problem is that not all resources support the same set of verbs, and the current implementation can lead to deployment errors on hardened Kubernetes clusters that require explicit rules and reject the `*` wildcard.
Current behavior
When defining explicit rules like:
```yaml
rbac:
  create: true
  ## Define specific rbac permissions.
  resources: ["pods", "pods/exec", "secrets"]
  verbs: ["get", "list", "watch", "create", "patch", "delete"]
```
a hardened Kubernetes cluster rejects the release, because the single resources/verbs pair expands to every verb on every resource, including `get`, `list` and `watch` on `pods/exec`, which the deploying user does not hold:
```
Error: roles.rbac.authorization.k8s.io "gitlab-runner" is forbidden: user "dev" (groups=["dev" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["pods/exec"], Verbs:["get" "list" "watch"]}
```
Proposed change
Add support for defining multiple rules, using the same structure as the Kubernetes Role definition:
```yaml
rbac:
  create: true
  ## Define specific rbac permissions.
  # resources: ["pods", "pods/exec", "secrets"]
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]
  rules:
    - resources: ["pods", "secrets"]
      verbs: ["get", "list", "watch", "create", "patch", "delete"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create", "patch", "delete"]
```
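To make the difference between the two layouts concrete, the following added example (my own illustration, not the chart's template code) renders the Role rules from the proposed `rbac.rules` structure, falls back to the legacy `resources`/`verbs` pair, and reproduces offline the API server's "attempting to grant RBAC permissions not currently held" check. The held permissions of user "dev" are constructed to match the error above (create/patch/delete on `pods/exec`, everything on `pods` and `secrets`); the values dicts and the `missing_grants` helper are assumptions for the example.

```python
"""Render Role rules from the proposed values layout and replay the
RBAC escalation check that a hardened cluster applies on Role creation.

Added example; not part of the gitlab-runner chart."""
import json

# Constructed values mirroring the proposed `rbac.rules` layout.
PROPOSED_VALUES = {
    "rbac": {
        "create": True,
        "rules": [
            {"resources": ["pods", "secrets"],
             "verbs": ["get", "list", "watch", "create", "patch", "delete"]},
            {"apiGroups": [""], "resources": ["pods/exec"],
             "verbs": ["create", "patch", "delete"]},
        ],
    }
}

# Constructed values mirroring the legacy single resources/verbs pair.
LEGACY_VALUES = {
    "rbac": {
        "create": True,
        "resources": ["pods", "pods/exec", "secrets"],
        "verbs": ["get", "list", "watch", "create", "patch", "delete"],
    }
}

# Constructed (assumed) permissions held by user "dev": consistent with the
# error message, dev lacks get/list/watch on pods/exec.
HELD_BY_DEV = [
    {"apiGroups": [""], "resources": ["pods", "secrets"],
     "verbs": ["get", "list", "watch", "create", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"],
     "verbs": ["create", "patch", "delete"]},
]


def render_rules(values):
    """Return the list of PolicyRule dicts the Role would carry."""
    rbac = values.get("rbac", {})
    if not rbac.get("create"):
        return []
    rules = rbac.get("rules")
    if rules is None:
        # Legacy layout: one rule, core API group, every verb on every resource.
        return [{"apiGroups": [""],
                 "resources": list(rbac.get("resources", [])),
                 "verbs": list(rbac.get("verbs", []))}]
    rendered = []
    for i, rule in enumerate(rules):
        for key in ("resources", "verbs"):
            if not rule.get(key):
                raise ValueError(f"rbac.rules[{i}] must set a non-empty '{key}'")
        # apiGroups defaults to the core group, as in the chart's legacy form.
        rendered.append({"apiGroups": list(rule.get("apiGroups", [""])),
                         "resources": list(rule["resources"]),
                         "verbs": list(rule["verbs"])})
    return rendered


def _covers(held_rule, group, resource, verb):
    """True when one held rule grants (group, resource, verb); '*' in held matches all."""
    return (("*" in held_rule["apiGroups"] or group in held_rule["apiGroups"])
            and ("*" in held_rule["resources"] or resource in held_rule["resources"])
            and ("*" in held_rule["verbs"] or verb in held_rule["verbs"]))


def missing_grants(requested, held):
    """(group, resource, verb) triples in `requested` that no rule in `held` covers.

    Mirrors the escalation check: a Role can only be created by a user who
    already holds every permission it would grant. A '*' in `requested` is
    only satisfied by a '*' in `held`, which is the conservative reading.
    """
    missing = []
    for rule in requested:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    if not any(_covers(h, group, resource, verb) for h in held):
                        missing.append((group, resource, verb))
    return missing


def role_manifest(name, namespace, values):
    """Assemble the Role object the chart would submit for the given values."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace},
            "rules": render_rules(values)}


if __name__ == "__main__":
    for label, values in (("legacy", LEGACY_VALUES), ("proposed", PROPOSED_VALUES)):
        role = role_manifest("gitlab-runner", "gitlab", values)
        print(label, json.dumps(role["rules"]))
        print("  not currently held:", missing_grants(role["rules"], HELD_BY_DEV))
```

Running it shows the legacy layout asking for `get`, `list` and `watch` on `pods/exec`, which is exactly the triple the API server lists as not held, while the proposed layout reports nothing missing. The same helper can be fed the output of `kubectl auth can-i --list` for the deploying user to preview the check before `helm upgrade`.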