Can all GitLab-managed service accounts have a certain role binding

5/25/2020

I'd like to give every GitLab namespace / project (microservice) a ServiceMonitor from monitoring.coreos.com, provided by prometheus-operator. But when a GitLab pipeline tries to create it, it fails with an error that this resource cannot be created:

 servicemonitors.monitoring.coreos.com "service-monitor" is forbidden: User "system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "ABC_NAMESPACE"

So I worked around it for one microservice by applying a Role & a RoleBinding for a single namespace, but doing that for all of them would be really nice.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service_cluster_monitor_reader
rules:
  - apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
    resources: ["servicemonitors"]
    verbs: ["get", "create", "update", "patch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-monitor-binding
subjects:
  - kind: ServiceAccount
    name: gitlab-project-id-dev-service-account
    namespace: ABC_NAMESPACE # a ServiceAccount subject must name its namespace
roleRef:
  kind: ClusterRole
  name: service_cluster_monitor_reader
  apiGroup: rbac.authorization.k8s.io

Is it possible to give all GitLab-created namespaces a role binding to obtain these permissions?

-- bgeissler
gitlab
gitlab-ci
kubernetes
rbac

1 Answer

5/25/2020

While it's non-trivial to give this permission to service accounts only in namespaces created by GitLab, you can assign this permission to all service accounts across all the namespaces in the cluster using the manifests below.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
  resources: ["servicemonitors"]
  verbs: ["get", "create", "update", "patch", "delete"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-monitor-binding
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: service_cluster_monitor_reader
  apiGroup: rbac.authorization.k8s.io

Validate the permission with:

kubectl auth can-i get servicemonitors --as=system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account -n ABC_NAMESPACE
-- Arghya Sadhu
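Added example (not from the question or the answer): a shell script that keeps the answer's ClusterRole but binds it per namespace with a RoleBinding, so each GitLab service account gets the servicemonitors permission only in its own namespace instead of every service account in the cluster getting it everywhere. It assumes GitLab-managed namespaces carry the label app.gitlab.com/managed=true (a hypothetical label; adjust to your setup) and that GitLab service account names end in "-service-account", as on the page.

```shell
#!/usr/bin/env bash
# Bind the page's ClusterRole per namespace via RoleBinding (least privilege)
# instead of cluster-wide to the system:serviceaccounts group.
# Assumption: GitLab-managed namespaces are labelled app.gitlab.com/managed=true.
set -euo pipefail

CLUSTER_ROLE="service_cluster_monitor_reader"              # ClusterRole from the answer
NS_SELECTOR="${NS_SELECTOR:-app.gitlab.com/managed=true}"  # assumed namespace label

# Emit a RoleBinding that grants CLUSTER_ROLE to one SA inside NAMESPACE only.
# A RoleBinding that references a ClusterRole scopes its rules to that namespace.
rolebinding_manifest() {
  local namespace="$1" sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: servicemonitor-writer-${sa}
  namespace: ${namespace}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${namespace}
roleRef:
  kind: ClusterRole
  name: ${CLUSTER_ROLE}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# List the GitLab-created service accounts in a namespace (suffix as on the page).
gitlab_service_accounts() {
  local namespace="$1"
  kubectl get serviceaccounts -n "$namespace" -o name \
    | sed 's#^serviceaccount/##' | grep -- '-service-account$' || true
}

# Apply one binding per (namespace, SA) and verify it with kubectl auth can-i.
bind_gitlab_namespaces() {
  local ns sa
  for ns in $(kubectl get namespaces -l "$NS_SELECTOR" -o jsonpath='{.items[*].metadata.name}'); do
    for sa in $(gitlab_service_accounts "$ns"); do
      rolebinding_manifest "$ns" "$sa" | kubectl apply -f -
      kubectl auth can-i create servicemonitors.monitoring.coreos.com \
        --as="system:serviceaccount:${ns}:${sa}" -n "$ns"
    done
  done
}

# Only talk to the cluster when explicitly asked: ./bind.sh apply
if [ "${1:-}" = "apply" ]; then bind_gitlab_namespaces; fi
```

Running the same kubectl auth can-i against a namespace the SA does not belong to should now answer "no", which is the check that the cluster-wide group binding cannot pass.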
Source: StackOverflow