I am currently trying to integrate GitLab CI/CD and Rancher. I need to run the GitLab runner inside the Kubernetes cluster. The GitLab runner will create deployments, pods, etc. Here the problem is assigning RBAC to the GitLab admin service account. Our strict company policy doesn't allow users to bind roles to service accounts, which complicates things. Is there any approach I could try? I have tried GitLab Auto DevOps and the Kubernetes executor (as runner).
Our strict company policy doesn't allow users to bind roles to service accounts.
It is not possible to programmatically create deployments without a service account with appropriate roles.
Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the kube-system namespace (beyond discovery permissions given to all authenticated users).
This allows you to grant particular roles to particular service accounts as needed.
That is why the most secure way as of now is to grant a role to an application-specific service account that lives in a particular namespace (and that's a best practice as well).
However, that is not achievable with such strict policies (no role bindings for service accounts).
Hope that helps.
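As an added illustration of the namespaced approach the answer recommends (example manifests written for this page, not taken from the original post or from GitLab's own Helm chart): a dedicated service account, a Role limited to one namespace, and the RoleBinding that ties them together. The namespace name `gitlab-ci` and the account name `gitlab-runner` are assumptions.

```yaml
# Added example: least-privilege RBAC for a GitLab runner using the Kubernetes
# executor. Namespace and account names are assumed, not taken from the post.
apiVersion: v1
kind: Namespace
metadata:
  name: gitlab-ci
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-runner
  namespace: gitlab-ci
---
# A Role (not a ClusterRole): every permission granted here stops at the
# namespace boundary, so a compromised job cannot touch other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner-deployer
  namespace: gitlab-ci
rules:
  # Build pods created by the executor, plus the subresources it uses to
  # attach to them and read their logs.
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/attach", "pods/log"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Objects the jobs themselves deploy into this namespace.
  - apiGroups: [""]
    resources: ["services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner-deployer
  namespace: gitlab-ci
subjects:
  - kind: ServiceAccount
    name: gitlab-runner
    namespace: gitlab-ci
roleRef:
  kind: Role
  name: gitlab-runner-deployer
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i create deployments -n gitlab-ci --as=system:serviceaccount:gitlab-ci:gitlab-runner` should print `yes`, and the same query with `-n default` should print `no`, confirming the grant is confined to the one namespace.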