Add Role and Rolebinding for CiliumNetworkPolicies

as part of cilium.io. This is going to be used by
AutoDevOps as an option for users to install those
network policies from there.

app/services/clusters/kubernetes.rb

@@ -14,5 +14,7 @@ module Clusters
     GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
     KNATIVE_SERVING_NAMESPACE = 'knative-serving'
     ISTIO_SYSTEM_NAMESPACE = 'istio-system'
+    GITLAB_CILIUM_ROLE_NAME = 'gitlab-cilium-role'
+    GITLAB_CILIUM_ROLE_BINDING_NAME = 'gitlab-cilium-rolebinding'
   end
 end

app/services/clusters/kubernetes/create_or_update_service_account_service.rb

@@ -53,6 +53,8 @@ module Clusters
         create_or_update_knative_serving_role_binding
         create_or_update_crossplane_database_role
         create_or_update_crossplane_database_role_binding
+        create_or_update_cilium_role
+        create_or_update_cilium_role_binding
       end
 
       private
@@ -97,6 +99,14 @@ module Clusters
         kubeclient.update_role_binding(crossplane_database_role_binding_resource)
       end
 
+      def create_or_update_cilium_role
+        kubeclient.update_role(cilium_role_resource)
+      end
+
+      def create_or_update_cilium_role_binding
+        kubeclient.update_role_binding(cilium_role_binding_resource)
+      end
+
       def service_account_resource
         Gitlab::Kubernetes::ServiceAccount.new(
           service_account_name,
@@ -175,6 +185,28 @@ module Clusters
           service_account_name: service_account_name
         ).generate
       end
+
+      def cilium_role_resource
+        Gitlab::Kubernetes::Role.new(
+          name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+          namespace: service_account_namespace,
+          rules: [{
+            apiGroups: %w(cilium.io),
+            resources: %w(ciliumnetworkpolicies),
+            verbs: %w(get list create update patch)
+          }]
+        ).generate
+      end
+
+      def cilium_role_binding_resource
+        Gitlab::Kubernetes::RoleBinding.new(
+          name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME,
+          role_name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+          role_kind: :Role,
+          namespace: service_account_namespace,
+          service_account_name: service_account_name
+        ).generate
+      end
     end
   end
 end

changelogs/unreleased/add_role_and_rolebinding_for_cilium_network_policies.yml

+---
+title: Add Role and Rolebinding for CiliumNetworkPolicies
+merge_request: 54130
+author:
+type: changed

spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb

@@ -39,6 +39,8 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute'
     stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
     stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME, namespace: namespace)
     stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME, namespace: namespace)
+    stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME, namespace: namespace)
+    stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME, namespace: namespace)
 
     stub_kubeclient_get_secret(
       api_url,

spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb

@@ -147,6 +147,8 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
         stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
         stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME, namespace: namespace)
         stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME, namespace: namespace)
+        stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME, namespace: namespace)
+        stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME, namespace: namespace)
       end
 
       it 'creates a namespace object' do
@@ -243,6 +245,47 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
           )
         )
       end
+
+      it 'creates a role granting cilium permissions to the service account' do
+        subject
+
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/roles/#{Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME}").with(
+          body: hash_including(
+            metadata: {
+              name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+              namespace: namespace
+            },
+            rules: [{
+              apiGroups: %w(cilium.io),
+              resources: %w(ciliumnetworkpolicies),
+              verbs: %w(get list create update patch)
+            }]
+          )
+        )
+      end
+
+      it 'creates a role binding granting cilium permissions to the service account' do
+        subject
+
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME}").with(
+          body: hash_including(
+            metadata: {
+              name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME,
+              namespace: namespace
+            },
+            roleRef: {
+              apiGroup: 'rbac.authorization.k8s.io',
+              kind: 'Role',
+              name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME
+            },
+            subjects: [{
+              kind: 'ServiceAccount',
+              name: service_account_name,
+              namespace: namespace
+            }]
+          )
+        )
+      end
     end
   end
 end