Recreate rolebinding because roleRef attr is immutable
What does this MR do?
Recreate rolebinding because roleRef attr is immutable
Related issue: #31113 (comment 433913108)
Does this MR meet the acceptance criteria?
Testing
Connect a cluster to a project and run a pipeline which contains the following .gitlab-ci.yml
deploy to production:
  stage: deploy
  script: echo $KUBE_NAMESPACE
  environment: production
✅ It recreates an existing rolebinding
- The existing rolebinding has edit roleRef:
    Name:         gitlab-stable-going-26-production
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  edit
    Subjects:
      Kind            Name                                        Namespace
      ----            ----                                        ---------
      ServiceAccount  stable-going-26-production-service-account  stable-going-26-production
- Enable the kubernetes_cluster_namespace_role_admin FF
- Clear cluster cache of the cluster, otherwise it will not even attempt to recreate the rolebinding
- Run another CI pipeline. The new rolebinding now has admin roleRef:
    Name:         gitlab-stable-going-26-production
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  admin
    Subjects:
      Kind            Name                                        Namespace
      ----            ----                                        ---------
      ServiceAccount  stable-going-26-production-service-account  stable-going-26-production
✅ It creates a new role binding
- There's no existing rolebinding.
- Enable the kubernetes_cluster_namespace_role_admin FF
- Run CI pipeline. The new rolebinding has admin roleRef:
    Name:         gitlab-stable-going-26-review
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  admin
    Subjects:
      Kind            Name                                    Namespace
      ----            ----                                    ---------
      ServiceAccount  stable-going-26-review-service-account  stable-going-26-review
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Thong Kuah
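The delete-then-create handling this MR describes, sketched as an added Ruby example (not code from the MR or from GitLab). FakeRbacApi, ensure_role_binding and binding_for are hypothetical names, and the in-memory fake only mimics the API-server rule that roleRef cannot be changed by an update.

```ruby
# FakeRbacApi and ensure_role_binding are hypothetical names. The fake mimics
# the API-server rule that an update may not change a RoleBinding's roleRef.
class ImmutableFieldError < StandardError; end
class FakeRbacApi
  attr_reader :calls
  def initialize
    @bindings = {} # keyed by [namespace, name]
    @calls = []
  end

  def get(namespace, name)
    @bindings[[namespace, name]]
  end

  def create(binding)
    @calls << :create
    @bindings[binding.values_at(:namespace, :name)] = binding
  end

  def update(binding)
    @calls << :update
    current = @bindings.fetch(binding.values_at(:namespace, :name))
    raise ImmutableFieldError, 'cannot change roleRef' if current[:role_ref] != binding[:role_ref]
    @bindings[binding.values_at(:namespace, :name)] = binding
  end

  def delete(namespace, name)
    @calls << :delete
    @bindings.delete([namespace, name])
  end
end

# Create if absent, update in place when only subjects differ, and delete then
# create when roleRef differs, since that field cannot be updated.
def ensure_role_binding(api, desired)
  current = api.get(desired[:namespace], desired[:name])
  return api.create(desired) if current.nil?
  return current if current == desired
  return api.update(desired) if current[:role_ref] == desired[:role_ref]
  api.delete(desired[:namespace], desired[:name])
  api.create(desired)
end

# Constructed sample reusing the names from the test output on this page.
def binding_for(role, ns = 'stable-going-26-production')
  { namespace: ns, name: "gitlab-#{ns}",
    role_ref: { kind: 'ClusterRole', name: role },
    subjects: [{ kind: 'ServiceAccount', name: "#{ns}-service-account", namespace: ns }] }
end
```

Between the delete and the create the service account has no binding at all, so a failed create leaves it without access rather than with the old role.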