kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Document how to create service account with admin

Browse source
This commit is contained in:
Thong Kuah 2018-11-29 22:52:30 +00:00 committed by Evan Read
parent eb22c2b7ab
commit cbfd30d928
1 changed files with 44 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
doc/user/project/clusters/index.md
View file

@ -92,13 +92,47 @@ To add an existing Kubernetes cluster to your project:
the `ca.crt` contents here. the `ca.crt` contents here.
- **Token** - - **Token** -
GitLab authenticates against Kubernetes using service tokens, which are GitLab authenticates against Kubernetes using service tokens, which are
scoped to a particular `namespace`. If you don't have a service token yet, scoped to a particular `namespace`.
you can follow the **The token used should belong to a service account with
[Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
to create one. You can also view or create service tokens in the privileges.** To create this service account:
[Kubernetes dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/)
(under **Config > Secrets**). **The account that will issue the service token 1. Create a `gitlab` service account in the `default` namespace:
must have admin privileges on the cluster.**
```bash
kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab
namespace: default
EOF
```
1. Create a cluster role binding to give the `gitlab` service account
`cluster-admin` privileges:
```bash
kubectl create -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gitlab-cluster-admin
subjects:
- kind: ServiceAccount
name: gitlab
namespace: default
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
EOF
```
NOTE: **Note:**
For GKE clusters, you will need the
`container.clusterRoleBindings.create` permission to create a cluster
role binding. You can follow the [Google Cloud
documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access)
to grant access.
- **Project namespace** (optional) - You don't have to fill it in; by leaving - **Project namespace** (optional) - You don't have to fill it in; by leaving
it blank, GitLab will create one for you. Also: it blank, GitLab will create one for you. Also:
- Each project should have a unique namespace. - Each project should have a unique namespace.
@ -142,8 +176,9 @@ Whether ABAC or RBAC is enabled, GitLab will create the necessary
service accounts and privileges in order to install and run service accounts and privileges in order to install and run
[GitLab managed applications](#installing-applications): [GitLab managed applications](#installing-applications):
- A `gitlab` service account with `cluster-admin` privileges will be created in the - If GitLab is creating the cluster, a `gitlab` service account with
`default` namespace, which will be used by GitLab to manage the newly created cluster. `cluster-admin` privileges will be created in the `default` namespace,
which will be used by GitLab to manage the newly created cluster.
- A project service account with [`edit` - A project service account with [`edit`
privileges](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) privileges](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)