Version 1.1.0 is the last stable version. gitlab2rbac is used in production with kubernetes version 1.27.
gitlab2rbac ensures that your Kubernetes cluster users have the same permissions than on GitLab.
It takes GitLab Permissions by project as input and generates RBAC objects inside Kubernetes.
Before anything else, gitlab2rbac requires:
helm install gitlab2rbac /path/to/chart/gitla2rbac --create-namespace gitlab2rbac --set data.GITLAB_URL=<your_gitlab_instance_url>,data.GITLAB_PRIVATE_TOKEN=<your_private_token>,data.KUBERNETES_LOAD_INCLUSTER_CONFIG=True
or
gitlab2rbac needs a namespace, cluster roles and cluster role bindings. Create them with:
$ kubectl apply -f https://raw.githubusercontent.com/numberly/gitlab2rbac/master/deploy/configuration.yamlYou will then need to create a ConfigMap that contains all the useful information for gitlab2rbac:
cat <<EOF | kubectl create -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: gitlab2rbac
namespace: gitlab2rbac
data:
GITLAB_URL: https://{{ your GitLab instance URL }}
GITLAB_PRIVATE_TOKEN: {{ your GitLab private token }}
KUBERNETES_LOAD_INCLUSTER_CONFIG: "True"
EOFFinally, just apply the manifest:
$ kubectl apply -f https://raw.githubusercontent.com/numberly/gitlab2rbac/master/deploy/gitlab2rbac.yamlThis will deploy gitlab2rbac to your cluster, under the gitlab2rbac namespace. The components in the manifest are:
- the deployment, which is the cluster-wide controller that handles RBAC policies
- the service account and the RBAC permissions that the controller needs to function
- A kube environment, you can set up a minikube
- Python 3 (should also work with Python 2 but it's not supported)
- Virtualenv (recommended)
Even if gitlab2rbac doesn't run inside Kubernetes, it needs a cluster with existing cluster roles. Create them with:
$ kubectl apply -f https://raw.githubusercontent.com/numberly/gitlab2rbac/master/deploy/configuration.yamlThen you can clone the repository, install the dependencies and run gitlab2rbac:
$ git clone https://github.com/numberly/gitlab2rbac.git
$ cd gitlab2rbac
$ virtualenv .venv && source .venv/bin/activate
(.venv) $ pip install -r requirements.txt
(.venv) $ GITLAB_URL={{ your GitLab instance URL }} GITLAB_PRIVATE_TOKEN={{ your GitLab private token }} python gitlab2rbac.py| Role | Use cases | Typical examples |
|---|---|---|
| Guest | Inspiration | Someone from another team |
| Reporter | Complete overview, tests | Project manager, marketing |
| Developer | Deployment, debug | Engineer, technical project manager |
| Maintainer | Sensitive configurations | Lead/senior engineer |
What we mean by R and W is defined by Kubernetes API verbs:
- Read (
R):get,list,watch - Write (
W):create,update,patch,delete,deletecollection
Any authenticated user has access to those cluster-wide resources:
- apiservices
- componentstatuses (deprecated in v1.19+)
- namespaces
- nodes
Any admin on GitLab is an admin of the Kubernetes cluster.
| Resource | Guest | Reporter | Developer | Maintainer |
|---|---|---|---|---|
| cronjobs | R | R | R+W | R+W |
| daemonsets | R | R | R+W | R+W |
| deployments | R | R | R+W | R+W |
| horizontalpodautoscalers | R | R | R+W | R+W |
| ingresses | R | R | R+W | R+W |
| jobs | R | R | R+W | R+W |
| pods | R | R | R+W | R+W |
| replicasets | R | R | R+W | R+W |
| replicationcontrollers | R | R | R+W | R+W |
| services | R | R | R+W | R+W |
| statefulsets | R | R | R+W | R+W |
| verticalpodautoscalers | R | R | R+W | R+W |
| events | R | R | R+W |
| Resource | Guest | Reporter | Developer | Maintainer |
|---|---|---|---|---|
| pods/log | R+W | R+W | R+W | |
| pods/portforward | R+W | R+W | R+W | |
| deployments/rollback | R+W | R+W | ||
| deployments/scale | R+W | R+W | ||
| pods/attach | R+W | R+W | ||
| pods/exec | R+W | R+W | ||
| replicasets/scale | R+W | R+W | ||
| replicationcontrollers/scale | R+W | R+W | ||
| statefulsets/scale | R+W | R+W |
| Resource | Guest | Reporter | Developer | Maintainer |
|---|---|---|---|---|
| configmaps | R | R | R+W | R+W |
| endpoints | R | R | R+W | R+W |
| networkpolicies | R | R | R+W | R+W |
| persistentvolumeclaims | R | R | R+W | R+W |
| persistentvolumeclaims/status | R | R | R+W | R+W |
| poddisruptionbudgets | R | R | R+W | R+W |
| poddisruptionbudgets/status | R | R | R+W | R+W |
| serviceaccounts | R | R | R+W | R+W |
| certificates | R+W | R+W | ||
| secrets | R+W | R+W | ||
| limitranges | R | R+W | ||
| resourcequotas | R | R+W | ||
| rolebindings | R | R+W | ||
| roles | R | R+W |
gitlab2rbac supports multiple environment variables for advanced configuration:
| Flag | Description | Default |
|---|---|---|
GITLAB2RBAC_FREQUENCY |
Update interval in seconds. | 60 |
GITLAB_ADMINS_GROUP |
Base your k8s admins on GitLab namespace (None means GitLab administrators). | None |
GITLAB_GROUPS_SEARCH |
Limit to those groups (separated by commas, empty means all groups). | gitlab2rbac |
GITLAB_NAMESPACE_GRANULARITY |
Whether to get permissions from GitLab projects or groups. | project |
GITLAB_PRIVATE_TOKEN |
Configure gitlab API token. | |
GITLAB_TIMEOUT |
Timeout for GitLab operations, in seconds. | 10 |
GITLAB_URL |
Configure gitlab API target. | |
KUBERNETES_AUTO_CREATE |
Replicate GitLab groups/projects as Kubernetes namespaces. | False |
KUBERNETES_LOAD_INCLUSTER_CONFIG |
Load configuration inside Kubernetes when gitlab2rbac runs as a pod. | False |
KUBERNETES_TIMEOUT |
Timeout for Kubernetes operations, in seconds. | 10 |
MIT