├── .github
    └── workflows
    │   └── ruff.yml
├── .pre-commit-config.yaml
├── Dockerfile
├── LICENSE
├── README.md
├── deploy
    ├── configuration.yaml
    └── gitlab2rbac.yaml
├── docs
    └── matrix.md
├── gitlab2rbac.py
├── gitlab2rbac
    ├── .helmignore
    ├── Chart.yaml
    ├── templates
    │   ├── NOTES.txt
    │   ├── _helpers.tpl
    │   ├── clusterrole.yaml
    │   ├── clusterrolebinding.yaml
    │   ├── configmap.yaml
    │   ├── deployment.yaml
    │   └── serviceaccount.yaml
    └── values.yaml
├── graph.png
├── pyproject.toml
└── requirements.txt

/.github/workflows/ruff.yml:
--------------------------------------------------------------------------------
name: CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff
      - name: Run Ruff
        run: ruff check --output-format=github .

--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
default_language_version:
  python: python3.7
default_install_hook_types: [commit-msg]
repos:
  - repo: https://github.com/commitizen-tools/commitizen
    rev: v2.42.1
    hooks:
      - id: commitizen

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.12-slim

COPY requirements.txt /requirements.txt
RUN pip install -r /requirements.txt

RUN groupadd --gid 1000 appuser \
    && useradd --uid 1000 --gid appuser --shell /bin/bash --create-home appuser

USER appuser
RUN mkdir -p ~/.kube
COPY gitlab2rbac.py .

ENTRYPOINT python gitlab2rbac.py

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2019 numberly

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# gitlab2rbac
`gitlab2rbac` synchronizes Kubernetes cluster user permissions with those defined in GitLab, ensuring consistent access controls across both platforms.

This tool takes [GitLab Permissions](https://docs.gitlab.com/ee/user/permissions.html) on a project level and generates corresponding [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) objects within Kubernetes.

![graph](graph.png)

## Installation
### Requirements
Before anything else, `gitlab2rbac` requires:

* [RBAC is enabled on your Kubernetes cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
* [GitLab API v4 support is available](https://docs.gitlab.com/ee/api/rest/)

### Deploy with helm

```
helm install gitlab2rbac /path/to/chart/gitlab2rbac --create-namespace --namespace gitlab2rbac --set data.GITLAB_URL=,data.GITLAB_PRIVATE_TOKEN=,data.KUBERNETES_LOAD_INCLUSTER_CONFIG=True
```

or

### Configuration
`gitlab2rbac` requires a namespace, cluster roles and cluster role bindings. You can create these by executing:

```sh
$ kubectl apply -f https://raw.githubusercontent.com/numberly/gitlab2rbac/master/deploy/configuration.yaml
```

Next, create a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) containing the necessary configuration:

```sh
cat <