Switch to admin roleRef for GitLab-managed rolebindings

This removes the kubernetes_cluster_namespace_role_admin feature flag Document this as well

Switch to admin roleRef for GitLab-managed rolebindings
This removes the kubernetes_cluster_namespace_role_admin feature flag Document this as well
345a1291 · Thong Kuah · 75cd9448 · 345a1291 · 345a1291 · 345a1291
Commit 345a1291 authored Oct 29, 2020 by Thong Kuah
6 changed files
--- a/app/services/clusters/kubernetes.rb
+++ b/app/services/clusters/kubernetes.rb
@@ -7,7 +7,7 @@ module Clusters
    GITLAB_ADMIN_TOKEN_NAME = 'gitlab-token'
    GITLAB_CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
    GITLAB_CLUSTER_ROLE_NAME = 'cluster-admin'
-    PROJECT_CLUSTER_ROLE_NAME = 'edit'
+    PROJECT_CLUSTER_ROLE_NAME = 'admin'
    GITLAB_KNATIVE_SERVING_ROLE_NAME = 'gitlab-knative-serving-role'
    GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
    GITLAB_CROSSPLANE_DATABASE_ROLE_NAME = 'gitlab-crossplane-database-role'

--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -123,11 +123,9 @@ module Clusters
      end

      def role_binding_resource
-        role_name = Feature.enabled?(:kubernetes_cluster_namespace_role_admin) ? 'admin' : Clusters::Kubernetes::PROJECT_CLUSTER_ROLE_NAME
-
        Gitlab::Kubernetes::RoleBinding.new(
          name: role_binding_name,
-          role_name: role_name,
+          role_name: Clusters::Kubernetes::PROJECT_CLUSTER_ROLE_NAME,
          role_kind: :ClusterRole,
          namespace: service_account_namespace,
          service_account_name: service_account_name

--- a/changelogs/unreleased/kubernetes_cluster_namespace_role_admin_role_ref.yml
+++ b/changelogs/unreleased/kubernetes_cluster_namespace_role_admin_role_ref.yml
+---
+title: Switch to admin clusterRole for GitLab created environment Kubernetes service
+  account
+merge_request: 46417
+author:
+type: changed
--- a/config/feature_flags/development/kubernetes_cluster_namespace_role_admin.yml
+++ b/config/feature_flags/development/kubernetes_cluster_namespace_role_admin.yml
---
-name: kubernetes_cluster_namespace_role_admin
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45479
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/270030
-type: development
-group: group::configure
-default_enabled: false
--- a/doc/user/project/clusters/add_remove_clusters.md
+++ b/doc/user/project/clusters/add_remove_clusters.md
@@ -94,7 +94,11 @@ GitLab creates the following resources for RBAC clusters.
 | Environment namespace | `Namespace`          | Contains all environment-specific resources                                                                | Deploying to a cluster |
 | Environment namespace | `ServiceAccount`     | Uses namespace of environment                                                                              | Deploying to a cluster |
 | Environment namespace | `Secret`             | Token for environment ServiceAccount                                                                       | Deploying to a cluster |
-| Environment namespace | `RoleBinding`        | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef          | Deploying to a cluster |
+| Environment namespace | `RoleBinding`        | [`admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef         | Deploying to a cluster |
+
+The environment namespace `RoleBinding` was
+[updated](https://gitlab.com/gitlab-org/gitlab/-/issues/31113) in GitLab 13.6
+to `admin` roleRef. Previously, the `edit` roleRef was used.

 ### ABAC cluster resources


--- a/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
@@ -161,60 +161,26 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do

      it_behaves_like 'creates service account and token'

-      context 'kubernetes_cluster_namespace_role_admin FF is enabled' do
-        before do
-          stub_feature_flags(kubernetes_cluster_namespace_role_admin: true)
-        end
-
-        it 'creates a namespaced role binding with admin access' do
-          subject
-
-          expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
-            body: hash_including(
-              metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
-              roleRef: {
-                apiGroup: 'rbac.authorization.k8s.io',
-                kind: 'ClusterRole',
-                name: 'admin'
-              },
-              subjects: [
-                {
-                  kind: 'ServiceAccount',
-                  name: service_account_name,
-                  namespace: namespace
-                }
-              ]
-            )
-          )
-        end
-      end
+      it 'creates a namespaced role binding with admin access' do
+        subject

-      context 'kubernetes_cluster_namespace_role_admin FF is disabled' do
-        before do
-          stub_feature_flags(kubernetes_cluster_namespace_role_admin: false)
-        end
-
-        it 'creates a namespaced role binding with edit access' do
-          subject
-
-          expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
-            body: hash_including(
-              metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
-              roleRef: {
-                apiGroup: 'rbac.authorization.k8s.io',
-                kind: 'ClusterRole',
-                name: 'edit'
-              },
-              subjects: [
-                {
-                  kind: 'ServiceAccount',
-                  name: service_account_name,
-                  namespace: namespace
-                }
-              ]
-            )
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{role_binding_name}").with(
+          body: hash_including(
+            metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
+            roleRef: {
+              apiGroup: 'rbac.authorization.k8s.io',
+              kind: 'ClusterRole',
+              name: 'admin'
+            },
+            subjects: [
+              {
+                kind: 'ServiceAccount',
+                name: service_account_name,
+                namespace: namespace
+              }
+            ]
          )
-        end
+        )
      end

      it 'creates a role binding granting crossplane database permissions to the service account' do