Merge branch 'add_role_and_rolebinding_for_cilium_network_policies' into 'master'

Add Role and Rolebinding for CiliumNetworkPolicies

See merge request gitlab-org/gitlab!54130

app/services/clusters/kubernetes.rb

@@ -14,5 +14,7 @@ module Clusters
     GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
     KNATIVE_SERVING_NAMESPACE = 'knative-serving'
     ISTIO_SYSTEM_NAMESPACE = 'istio-system'
+    GITLAB_CILIUM_ROLE_NAME = 'gitlab-cilium-role'
+    GITLAB_CILIUM_ROLE_BINDING_NAME = 'gitlab-cilium-rolebinding'
   end
 end

app/services/clusters/kubernetes/create_or_update_service_account_service.rb

@@ -53,6 +53,8 @@ module Clusters
         create_or_update_knative_serving_role_binding
         create_or_update_crossplane_database_role
         create_or_update_crossplane_database_role_binding
+        create_or_update_cilium_role
+        create_or_update_cilium_role_binding
       end
 
       private
@@ -97,6 +99,14 @@ module Clusters
         kubeclient.update_role_binding(crossplane_database_role_binding_resource)
       end
 
+      def create_or_update_cilium_role
+        kubeclient.update_role(cilium_role_resource)
+      end
+
+      def create_or_update_cilium_role_binding
+        kubeclient.update_role_binding(cilium_role_binding_resource)
+      end
+
       def service_account_resource
         Gitlab::Kubernetes::ServiceAccount.new(
           service_account_name,
@@ -175,6 +185,28 @@ module Clusters
           service_account_name: service_account_name
         ).generate
       end
+
+      def cilium_role_resource
+        Gitlab::Kubernetes::Role.new(
+          name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+          namespace: service_account_namespace,
+          rules: [{
+            apiGroups: %w(cilium.io),
+            resources: %w(ciliumnetworkpolicies),
+            verbs: %w(get list create update patch)
+          }]
+        ).generate
+      end
+
+      def cilium_role_binding_resource
+        Gitlab::Kubernetes::RoleBinding.new(
+          name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME,
+          role_name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+          role_kind: :Role,
+          namespace: service_account_namespace,
+          service_account_name: service_account_name
+        ).generate
+      end
     end
   end
 end

changelogs/unreleased/add_role_and_rolebinding_for_cilium_network_policies.yml

+---
+title: Add Role and Rolebinding for CiliumNetworkPolicies
+merge_request: 54130
+author:
+type: changed

spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb

@@ -39,6 +39,8 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute'
     stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
     stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME, namespace: namespace)
     stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME, namespace: namespace)
+    stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME, namespace: namespace)
+    stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME, namespace: namespace)
 
     stub_kubeclient_get_secret(
       api_url,

spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb

@@ -147,6 +147,8 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
         stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
         stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME, namespace: namespace)
         stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME, namespace: namespace)
+        stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME, namespace: namespace)
+        stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME, namespace: namespace)
       end
 
       it 'creates a namespace object' do
@@ -243,6 +245,47 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
           )
         )
       end
+
+      it 'creates a role granting cilium permissions to the service account' do
+        subject
+
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/roles/#{Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME}").with(
+          body: hash_including(
+            metadata: {
+              name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+              namespace: namespace
+            },
+            rules: [{
+              apiGroups: %w(cilium.io),
+              resources: %w(ciliumnetworkpolicies),
+              verbs: %w(get list create update patch)
+            }]
+          )
+        )
+      end
+
+      it 'creates a role binding granting cilium permissions to the service account' do
+        subject
+
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME}").with(
+          body: hash_including(
+            metadata: {
+              name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME,
+              namespace: namespace
+            },
+            roleRef: {
+              apiGroup: 'rbac.authorization.k8s.io',
+              kind: 'Role',
+              name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME
+            },
+            subjects: [{
+              kind: 'ServiceAccount',
+              name: service_account_name,
+              namespace: namespace
+            }]
+          )
+        )
+      end
     end
   end
 end