GitLab Kubernetes Integration with RBAC enabled

Written by Pim on Tuesday July 31, 2018
Tags: kubernetes, gitlab, rbac, security

Caution: The configuration in this blog post grants cluster-admin access to the service account your GitLab server uses. Unfortunately, GitLab 11 needs this access to query the cluster and install applications on it. Anyone who can read that token in GitLab, or who compromises the GitLab server, therefore gets full control of the cluster; treat the token with the same care as your own admin kubeconfig.

Create the gitlab-managed-apps namespace

GitLab uses the gitlab-managed-apps namespace as its default namespace.

$ kubectl create ns gitlab-managed-apps

Add a service account

We're going to use a service account to let GitLab authenticate with our cluster. We're creating this service account in the gitlab-managed-apps namespace.

$ kubectl -n gitlab-managed-apps create serviceaccount gitlab

Add Cluster and ClusterRole bindings

The configuration below binds the cluster-admin ClusterRole to the gitlab service account and to a user named "kubernetes". GitLab also seems to authenticate under that user name, although where it comes from is unclear (probably hardcoded somewhere in GitLab). Keep in mind that a User subject is matched purely on name: any client that one of your authenticators presents as "kubernetes" gets cluster-admin as well.

$ cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: gitlab
  namespace: gitlab-managed-apps
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubernetes
EOF

Create a role binding in the gitlab-managed-apps namespace

The configuration below binds the admin ClusterRole, scoped to the gitlab-managed-apps namespace, to the gitlab service account and to the default service account of that namespace. The gitlab service account already holds cluster-admin through the ClusterRoleBinding above, so in practice this binding matters for the default account: every pod in gitlab-managed-apps that does not set serviceAccountName runs as default and inherits admin on the namespace.

$ cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-binding
  namespace: gitlab-managed-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: gitlab
  namespace: gitlab-managed-apps
- kind: ServiceAccount
  name: default
  namespace: gitlab-managed-apps
EOF
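As an added example (not part of the original post), here is a small Python script, standard library only, that expands the two bindings above into the effective grants and flags the ones a reviewer would want to look at before applying them: cluster-wide cluster-admin, the namespace default account, and User/Group subjects that are matched on name alone. The manifests are embedded as JSON rather than YAML purely so the script needs no third-party parser (kubectl accepts JSON too); on a live cluster you would feed it the `.items` of `kubectl get clusterrolebindings,rolebindings -A -o json` instead.

```python
import json

# Constructed input: the two bindings applied in this post, transcribed to
# JSON so the standard library can parse them without PyYAML.
BINDINGS_JSON = """
[
  {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "gitlab-sa"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [
      {"kind": "ServiceAccount", "name": "gitlab", "namespace": "gitlab-managed-apps"},
      {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "kubernetes"}
    ]
  },
  {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "gitlab-binding", "namespace": "gitlab-managed-apps"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"},
    "subjects": [
      {"kind": "ServiceAccount", "name": "gitlab", "namespace": "gitlab-managed-apps"},
      {"kind": "ServiceAccount", "name": "default", "namespace": "gitlab-managed-apps"}
    ]
  }
]
"""
BINDINGS = json.loads(BINDINGS_JSON)


def principal(subject):
    """Name a binding subject the way the API server authenticates it."""
    if subject["kind"] == "ServiceAccount":
        return "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return subject["name"]  # User and Group names are used verbatim


def scope_of(binding):
    """A RoleBinding stays namespaced even when it points at a ClusterRole."""
    if binding["kind"] == "ClusterRoleBinding":
        return "cluster-wide"
    return "namespace " + binding["metadata"]["namespace"]


def grants(bindings):
    """Expand bindings into (principal, role, scope) triples."""
    out = []
    for b in bindings:
        for subj in b.get("subjects") or []:
            out.append((principal(subj), b["roleRef"]["name"], scope_of(b)))
    return out


def findings(bindings):
    """Return review notes for the grants that widen the blast radius."""
    notes = []
    for b in bindings:
        role, scope = b["roleRef"]["name"], scope_of(b)
        for subj in b.get("subjects") or []:
            who = principal(subj)
            if role == "cluster-admin" and scope == "cluster-wide":
                notes.append("%s has cluster-admin on the whole cluster; whoever holds "
                             "its credential controls every namespace" % who)
            if subj["kind"] == "ServiceAccount" and subj["name"] == "default":
                notes.append("%s is the namespace default account: every pod in %s that "
                             "does not set serviceAccountName runs as it and inherits "
                             "'%s' (%s)" % (who, subj["namespace"], role, scope))
            if subj["kind"] in ("User", "Group"):
                notes.append("%s '%s' is only a name: any client an authenticator presents "
                             "under that name gets '%s' (%s), so check which authenticator "
                             "produces it" % (subj["kind"], who, role, scope))
    return notes


if __name__ == "__main__":
    for who, role, scope in grants(BINDINGS):
        print("%-52s %-14s %s" % (who, role, scope))
    print()
    for note in findings(BINDINGS):
        print("!", note)
```

Run it before `kubectl apply` and the output lists four grants and four notes; the one about the default service account is the easiest to miss when copying the YAML from this post.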

Get the token from the service account

GitLab needs a bearer token to authenticate with your Kubernetes cluster. On the Kubernetes versions current when this was written, the token controller generated a long-lived token as soon as you created the service account and stored it in a secret. (On Kubernetes 1.24 and later that secret is no longer created automatically: create a kubernetes.io/service-account-token secret annotated with kubernetes.io/service-account.name: gitlab yourself; `kubectl create token` only mints short-lived tokens, which GitLab cannot use for a stored integration.)

$ kubectl -n gitlab-managed-apps describe serviceaccount gitlab

Copy the secret name from the Tokens line and use it to retrieve the token. The token sits base64-encoded under data.token, so a plain `kubectl get secret` does not show it in usable form; pull the field out and decode it:

$ kubectl -n gitlab-managed-apps get secret <secret name> -o jsonpath='{.data.token}' | base64 --decode

With the bindings above this value is a cluster-admin credential, so keep it out of shell history, tickets and chat logs.
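Before pasting a cluster-admin token into GitLab it is worth checking that it really identifies the service account you meant. The service-account token is a JWT whose claims name the namespace, the service account and the backing secret. The added example below (not part of the original post, standard library only) takes the JSON form of the secret, as `kubectl get secret <secret name> -o json` prints it, extracts and decodes the token, and reads those claims. The secret name, UID and signature in the sample are made up; the script does not verify the signature, since only the API server holds the key, so it tells you which principal the token names and nothing more.

```python
import base64
import json


def _b64url_encode(raw):
    """JWT segment encoding: base64url without the '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    """Inverse of the above; re-add the padding base64 needs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_from_secret(secret_json):
    """Pull the bearer token out of `kubectl get secret <name> -o json` output.
    Secret .data values are plain base64 (that is what kubectl prints), and
    the decoded value is the JWT itself."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret: %r" % secret.get("type"))
    return base64.b64decode(secret["data"]["token"]).decode()


def inspect_sa_token(token):
    """Return the identity claims of a legacy service-account JWT.
    The signature is deliberately NOT verified: only the API server can, and
    the point here is only to see which principal the token names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected 3 dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    return {
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
    }


def is_token_for(token, namespace, name):
    """True only if every identity claim agrees on the expected service account."""
    info = inspect_sa_token(token)
    return (info["issuer"] == "kubernetes/serviceaccount"
            and info["namespace"] == namespace
            and info["service_account"] == name
            and info["subject"] == "system:serviceaccount:%s:%s" % (namespace, name))


def constructed_secret_json():
    """Build a sample secret shaped like the one the token controller creates
    for the 'gitlab' service account. The secret name 'gitlab-token-abcde',
    the UID and the signature are invented for this example; a real token is
    RS256-signed by the controller manager."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "gitlab-managed-apps",
        "kubernetes.io/serviceaccount/secret.name": "gitlab-token-abcde",
        "kubernetes.io/serviceaccount/service-account.name": "gitlab",
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-4000-8000-000000000000",
        "sub": "system:serviceaccount:gitlab-managed-apps:gitlab",
    }
    token = ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/service-account-token",
        "metadata": {"name": "gitlab-token-abcde", "namespace": "gitlab-managed-apps"},
        "data": {"token": base64.b64encode(token.encode()).decode()},
    }
    return json.dumps(secret)


# Constructed sample standing in for `kubectl ... get secret <name> -o json`.
SAMPLE_SECRET_JSON = constructed_secret_json()

if __name__ == "__main__":
    tok = token_from_secret(SAMPLE_SECRET_JSON)
    for key, value in inspect_sa_token(tok).items():
        print("%-16s %s" % (key, value))
    print("is gitlab-managed-apps/gitlab:", is_token_for(tok, "gitlab-managed-apps", "gitlab"))
```

On a real cluster, replace SAMPLE_SECRET_JSON with the kubectl output; if is_token_for comes back False you have copied the wrong secret (for example the default account's token from the same namespace), which would hand GitLab a different principal than the one you bound.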

Configure GitLab

Add the cluster in GitLab with the API server URL, the cluster CA certificate and the token from the previous step, as documented on the GitLab website.

Done :)

Now it's possible to install GitLab applications on your RBAC enabled Kubernetes cluster!