Switch to using admin for project rolebindings

Gated behind a disbled feature flag intially This enables CI to create roles and rolebindings within that namespace.

Switch to using admin for project rolebindings
Gated behind a disbled feature flag intially This enables CI to create roles and rolebindings within that namespace.
040e5356 · Thong Kuah · 91bf399d · 040e5356 · 040e5356 · 040e5356
Commit 040e5356 authored Oct 19, 2020 by Thong Kuah
3 changed files
--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -117,9 +117,11 @@ module Clusters
      end
      def role_binding_resource
+        role_name = Feature.enabled?(:kubernetes_cluster_namespace_role_admin) ? 'admin' : Clusters::Kubernetes::PROJECT_CLUSTER_ROLE_NAME
        Gitlab::Kubernetes::RoleBinding.new(
          name: role_binding_name,
-          role_name: Clusters::Kubernetes::PROJECT_CLUSTER_ROLE_NAME,
+          role_name: role_name,
          role_kind: :ClusterRole,
          namespace: service_account_namespace,
          service_account_name: service_account_name

--- a/config/feature_flags/development/kubernetes_cluster_namespace_role_admin.yml
+++ b/config/feature_flags/development/kubernetes_cluster_namespace_role_admin.yml
+---
+name: kubernetes_cluster_namespace_role_admin
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45479
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/270030
+type: development
+group: group::configure
+default_enabled: false
--- a/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
@@ -160,26 +160,60 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
      it_behaves_like 'creates service account and token'
-      it 'creates a namespaced role binding with edit access' do
+      context 'kubernetes_cluster_namespace_role_admin FF is enabled' do
-        subject
+        before do
+          stub_feature_flags(kubernetes_cluster_namespace_role_admin: true)
+        end
+        it 'creates a namespaced role binding with admin access' do
+          subject
+          expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
+            body: hash_including(
+              metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
+              roleRef: {
+                apiGroup: 'rbac.authorization.k8s.io',
+                kind: 'ClusterRole',
+                name: 'admin'
+              },
+              subjects: [
+                {
+                  kind: 'ServiceAccount',
+                  name: service_account_name,
+                  namespace: namespace
+                }
+              ]
+            )
+          )
+        end
+      end
-        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
+      context 'kubernetes_cluster_namespace_role_admin FF is disabled' do
-          body: hash_including(
+        before do
-            metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
+          stub_feature_flags(kubernetes_cluster_namespace_role_admin: false)
-            roleRef: {
+        end
-              apiGroup: 'rbac.authorization.k8s.io',
-              kind: 'ClusterRole',
+        it 'creates a namespaced role binding with edit access' do
-              name: 'edit'
+          subject
-            },
-            subjects: [
+          expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
-              {
+            body: hash_including(
-                kind: 'ServiceAccount',
+              metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
-                name: service_account_name,
+              roleRef: {
-                namespace: namespace
+                apiGroup: 'rbac.authorization.k8s.io',
-              }
+                kind: 'ClusterRole',
-            ]
+                name: 'edit'
+              },
+              subjects: [
+                {
+                  kind: 'ServiceAccount',
+                  name: service_account_name,
+                  namespace: namespace
+                }
+              ]
+            )
          )
-        )
+        end
      end
      it 'creates a role binding granting crossplane database permissions to the service account' do