
Improve the default RBAC permission for GitLab Runner

Julian Paul Dasmarinas requested to merge gitlab-runner-rbac into master

The default RBAC rule created by the GitLab Runner Helm chart is:

rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]

This is quite wide and it's not compatible with the RBAC permission of GitLab Kubernetes Agent. If someone used GitLab Kubernetes Agent with the Cluster Management Project template to deploy GitLab Runner without changing the RBAC permission, it will result in the following error:

Error: UPGRADE FAILED: failed to create resource: roles.rbac.authorization.k8s.io "runner-gitlab-runner" is forbidden: user "system:serviceaccount:gitlab-kubernetes-agent:gitlab-agent" (groups=["system:serviceaccounts" "system:serviceaccounts:gitlab-kubernetes-agent" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["*"], Verbs:["*"]}

This was also reported by one of our customers (internal)

To improve the user experience and security, it's better to add a fine-grained default RBAC permission, which I took here: gitlab-org/gitlab-runner#28167 (comment 663095319)
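The error quoted above comes from the Kubernetes RBAC escalation-prevention check: an identity may only create a Role whose rules it already holds itself, and a wildcard rule is only covered by a wildcard rule. The Python below is an added illustration, not code from this merge request or from the GitLab Runner chart, that models that check and flags wildcard rules. The permissions assumed for the agent service account and the narrowed Runner rule set are constructed for the example and are not the rules adopted in the MR.

```python
"""Simplified model of the Kubernetes RBAC escalation check.

Added example for illustration; the rule sets at the bottom are constructed
(the agent's held permissions and the narrowed Runner rules are assumptions,
not the values used by the GitLab agent or the Runner chart).
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

Triple = Tuple[str, str, str]  # (apiGroup, resource, verb)


@dataclass(frozen=True)
class Rule:
    """One entry of a Role's `rules:` list."""
    api_groups: FrozenSet[str]
    resources: FrozenSet[str]
    verbs: FrozenSet[str]


def rule(api_groups: Iterable[str], resources: Iterable[str], verbs: Iterable[str]) -> Rule:
    return Rule(frozenset(api_groups), frozenset(resources), frozenset(verbs))


def _breakdown(r: Rule) -> Iterable[Triple]:
    """Expand a rule into every (group, resource, verb) it grants."""
    for g in r.api_groups:
        for res in r.resources:
            for v in r.verbs:
                yield (g, res, v)


def _held_covers(held: Rule, group: str, resource: str, verb: str) -> bool:
    """A held rule covers a triple when each field matches or the held field is '*'.

    A wanted '*' is only matched by a held '*', which is why a wildcard Role
    cannot be created by an identity that holds only named permissions.
    """
    return (("*" in held.api_groups or group in held.api_groups)
            and ("*" in held.resources or resource in held.resources)
            and ("*" in held.verbs or verb in held.verbs))


def uncovered_rules(held: List[Rule], wanted: List[Rule]) -> List[Triple]:
    """Return the permissions in `wanted` that no rule in `held` grants.

    An empty list means the creating identity could create `wanted` as a Role;
    a non-empty list corresponds to the 'is attempting to grant RBAC
    permissions not currently held' rejection.
    """
    missing = []
    for w in wanted:
        for triple in _breakdown(w):
            if not any(_held_covers(h, *triple) for h in held):
                missing.append(triple)
    return missing


def wildcard_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules that grant '*' on resources or verbs."""
    return [r for r in rules if "*" in r.resources or "*" in r.verbs]


# The chart default quoted in the merge request description.
CHART_DEFAULT = [rule([""], ["*"], ["*"])]

# Constructed: what the deploying agent service account is assumed to hold.
AGENT_HELD = [rule(
    [""],
    ["pods", "pods/exec", "pods/attach", "pods/log", "secrets", "configmaps", "services", "events"],
    ["get", "list", "watch", "create", "update", "patch", "delete"],
)]

# Constructed: a narrowed default limited to what a Runner executor touches.
NARROWED = [rule(
    [""],
    ["pods", "pods/exec", "pods/attach", "secrets", "configmaps"],
    ["get", "list", "watch", "create", "patch", "delete"],
)]


if __name__ == "__main__":
    print("wildcard rules in chart default:", wildcard_rules(CHART_DEFAULT))
    print("agent cannot grant:", uncovered_rules(AGENT_HELD, CHART_DEFAULT))
    print("agent cannot grant (narrowed):", uncovered_rules(AGENT_HELD, NARROWED))
```

Run as a script it shows the wildcard default being rejected by the modelled agent identity while the narrowed rule set passes; `wildcard_rules` is the check to run over a rendered chart (`helm template`) before deploying it through an identity with limited RBAC.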
