Switch to admin roleRef for GitLab-managed rolebindings

This removes the kubernetes_cluster_namespace_role_admin feature flag

Document this as well

app/services/clusters/kubernetes.rb

@@ -7,7 +7,7 @@ module Clusters
     GITLAB_ADMIN_TOKEN_NAME = 'gitlab-token'
     GITLAB_CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
     GITLAB_CLUSTER_ROLE_NAME = 'cluster-admin'
-    PROJECT_CLUSTER_ROLE_NAME = 'edit'
+    PROJECT_CLUSTER_ROLE_NAME = 'admin'
     GITLAB_KNATIVE_SERVING_ROLE_NAME = 'gitlab-knative-serving-role'
     GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
     GITLAB_CROSSPLANE_DATABASE_ROLE_NAME = 'gitlab-crossplane-database-role'

app/services/clusters/kubernetes/create_or_update_service_account_service.rb

@@ -123,11 +123,9 @@ module Clusters
       end
 
       def role_binding_resource
-        role_name = Feature.enabled?(:kubernetes_cluster_namespace_role_admin) ? 'admin' : Clusters::Kubernetes::PROJECT_CLUSTER_ROLE_NAME
-
         Gitlab::Kubernetes::RoleBinding.new(
           name: role_binding_name,
-          role_name: role_name,
+          role_name: Clusters::Kubernetes::PROJECT_CLUSTER_ROLE_NAME,
           role_kind: :ClusterRole,
           namespace: service_account_namespace,
           service_account_name: service_account_name

changelogs/unreleased/kubernetes_cluster_namespace_role_admin_role_ref.yml

+---
+title: Switch to admin clusterRole for GitLab created environment Kubernetes service
+  account
+merge_request: 46417
+author:
+type: changed

config/feature_flags/development/kubernetes_cluster_namespace_role_admin.yml

----
-name: kubernetes_cluster_namespace_role_admin
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45479
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/270030
-type: development
-group: group::configure
-default_enabled: false

doc/user/project/clusters/add_remove_clusters.md

@@ -94,7 +94,11 @@ GitLab creates the following resources for RBAC clusters.
 | Environment namespace | `Namespace`          | Contains all environment-specific resources                                                                | Deploying to a cluster |
 | Environment namespace | `ServiceAccount`     | Uses namespace of environment                                                                              | Deploying to a cluster |
 | Environment namespace | `Secret`             | Token for environment ServiceAccount                                                                       | Deploying to a cluster |
-| Environment namespace | `RoleBinding`        | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef          | Deploying to a cluster |
+| Environment namespace | `RoleBinding`        | [`admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef         | Deploying to a cluster |
+
+The environment namespace `RoleBinding` was
+[updated](https://gitlab.com/gitlab-org/gitlab/-/issues/31113) in GitLab 13.6
+to `admin` roleRef. Previously, the `edit` roleRef was used.
 
 ### ABAC cluster resources
 

spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb

@@ -161,60 +161,26 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
 
       it_behaves_like 'creates service account and token'
 
-      context 'kubernetes_cluster_namespace_role_admin FF is enabled' do
-        before do
-          stub_feature_flags(kubernetes_cluster_namespace_role_admin: true)
-        end
-
-        it 'creates a namespaced role binding with admin access' do
-          subject
-
-          expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
-            body: hash_including(
-              metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
-              roleRef: {
-                apiGroup: 'rbac.authorization.k8s.io',
-                kind: 'ClusterRole',
-                name: 'admin'
-              },
-              subjects: [
-                {
-                  kind: 'ServiceAccount',
-                  name: service_account_name,
-                  namespace: namespace
-                }
-              ]
-            )
-          )
-        end
-      end
+      it 'creates a namespaced role binding with admin access' do
+        subject
 
-      context 'kubernetes_cluster_namespace_role_admin FF is disabled' do
-        before do
-          stub_feature_flags(kubernetes_cluster_namespace_role_admin: false)
-        end
-
-        it 'creates a namespaced role binding with edit access' do
-          subject
-
-          expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
-            body: hash_including(
-              metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
-              roleRef: {
-                apiGroup: 'rbac.authorization.k8s.io',
-                kind: 'ClusterRole',
-                name: 'edit'
-              },
-              subjects: [
-                {
-                  kind: 'ServiceAccount',
-                  name: service_account_name,
-                  namespace: namespace
-                }
-              ]
-            )
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
+          body: hash_including(
+            metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
+            roleRef: {
+              apiGroup: 'rbac.authorization.k8s.io',
+              kind: 'ClusterRole',
+              name: 'admin'
+            },
+            subjects: [
+              {
+                kind: 'ServiceAccount',
+                name: service_account_name,
+                namespace: namespace
+              }
+            ]
           )
-        end
+        )
       end
 
       it 'creates a role binding granting crossplane database permissions to the service account' do