├── .github
    └── workflows
    │   └── ruff.yml
├── .pre-commit-config.yaml
├── Dockerfile
├── LICENSE
├── README.md
├── deploy
    ├── configuration.yaml
    └── gitlab2rbac.yaml
├── docs
    └── matrix.md
├── gitlab2rbac.py
├── gitlab2rbac
    ├── .helmignore
    ├── Chart.yaml
    ├── templates
    │   ├── NOTES.txt
    │   ├── _helpers.tpl
    │   ├── clusterrole.yaml
    │   ├── clusterrolebinding.yaml
    │   ├── configmap.yaml
    │   ├── deployment.yaml
    │   └── serviceaccount.yaml
    └── values.yaml
├── graph.png
├── pyproject.toml
└── requirements.txt


/.github/workflows/ruff.yml:
--------------------------------------------------------------------------------
 1 | name: CI
 2 | on: push
 3 | jobs:
 4 |   build:
 5 |     runs-on: ubuntu-latest
 6 |     steps:
 7 |       - uses: actions/checkout@v4
 8 |       - name: Install Python
 9 |         uses: actions/setup-python@v5
10 |         with:
11 |           python-version: "3.11"
12 |       - name: Install dependencies
13 |         run: |
14 |           python -m pip install --upgrade pip
15 |           pip install ruff
16 |       - name: Run Ruff
17 |         run: ruff check --output-format=github .
18 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
1 | default_language_version:
2 |   python: python3.7
3 | default_install_hook_types: [commit-msg]
4 | repos:
5 |   - repo: https://github.com/commitizen-tools/commitizen
6 |     rev: v2.42.1
7 |     hooks:
8 |       - id: commitizen
9 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.12-slim
 2 | 
 3 | COPY requirements.txt /requirements.txt
 4 | RUN pip install -r /requirements.txt
 5 | 
 6 | RUN groupadd --gid 1000 appuser \
 7 |     && useradd --uid 1000 --gid appuser --shell /bin/bash --create-home appuser
 8 | 
 9 | USER appuser
10 | RUN mkdir -p ~/.kube
11 | COPY gitlab2rbac.py .
12 | 
13 | ENTRYPOINT python gitlab2rbac.py
14 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2019 numberly
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 6 | this software and associated documentation files (the "Software"), to deal in
 7 | the Software without restriction, including without limitation the rights to
 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # gitlab2rbac
  2 | `gitlab2rbac` synchronizes Kubernetes cluster user permissions with those defined in GitLab, ensuring consistent access controls across both platforms.
  3 | 
  4 | This tool takes [GitLab Permissions](https://docs.gitlab.com/ee/user/permissions.html) on a project level and generates corresponding [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) objects within Kubernetes.
  5 | 
  6 | ![graph](graph.png)
  7 | 
  8 | ## Installation
  9 | ### Requirements
 10 | Before anything else, `gitlab2rbac` requires:
 11 | 
 12 | * [RBAC is enabled on your Kubernetes cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
 13 | * [GitLab API v4 support is available](https://docs.gitlab.com/ee/api/rest/)
 14 | 
 15 | ### Deploy with helm
 16 | 
 17 | ```
 18 | helm install gitlab2rbac /path/to/chart/gitla2rbac --create-namespace gitlab2rbac --set data.GITLAB_URL=<your_gitlab_instance_url>,data.GITLAB_PRIVATE_TOKEN=<your_private_token>,data.KUBERNETES_LOAD_INCLUSTER_CONFIG=True
 19 | ```
 20 | 
 21 | or
 22 | 
 23 | ### Configuration
 24 | `gitlab2rbac` requires a namespace, cluster roles and cluster role bindings. You can create these by executing:
 25 | 
 26 | ```sh
 27 | $ kubectl apply -f https://raw.githubusercontent.com/numberly/gitlab2rbac/master/deploy/configuration.yaml
 28 | ```
 29 | 
 30 | Next, create a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) containing the necessary configuration:
 31 | 
 32 | ```sh
 33 | cat <<EOF | kubectl create -f -
 34 | apiVersion: v1
 35 | kind: ConfigMap
 36 | metadata:
 37 |   name: gitlab2rbac
 38 |   namespace: gitlab2rbac
 39 | data:
 40 |   GITLAB_URL: https://{{ your GitLab instance URL }}
 41 |   GITLAB_PRIVATE_TOKEN: {{ your GitLab private token }}
 42 |   KUBERNETES_LOAD_INCLUSTER_CONFIG: "True"
 43 | EOF
 44 | ```
 45 | 
 46 | ### Deployment
 47 | Finally, just apply the manifest:
 48 | 
 49 | ```sh
 50 | $ kubectl apply -f https://raw.githubusercontent.com/numberly/gitlab2rbac/master/deploy/gitlab2rbac.yaml
 51 | ```
 52 | 
 53 | This deployment will run `gitlab2rbac` in the `gitlab2rbac` namespace. The manifest includes:
 54 | 
 55 | * A deployment resource, which acts as the cluster-wide controller for RBAC policies.
 56 | * A service account and associated RBAC permissions required for the controller to operate.
 57 | 
 58 | ## Running locally
 59 | ### Requirements
 60 | To run `gitlab2rbac` locally, you need:
 61 | 
 62 | * A Kubernetes environment, such as one set up with [minikube](https://minikube.sigs.k8s.io/docs/).
 63 | * Python 3 (Python 2 might work but is not supported).
 64 | * Virtualenv (recommended for environment isolation).
 65 | 
 66 | ### Setup
 67 | Even if `gitlab2rbac` doesn't run inside Kubernetes, it needs a cluster with existing cluster roles. Create them with:
 68 | 
 69 | ```sh
 70 | $ kubectl apply -f https://raw.githubusercontent.com/numberly/gitlab2rbac/master/deploy/configuration.yaml
 71 | ```
 72 | 
 73 | Then you can clone the repository, install the dependencies and run `gitlab2rbac`:
 74 | 
 75 | ```sh
 76 | $ git clone https://github.com/numberly/gitlab2rbac.git
 77 | $ cd gitlab2rbac
 78 | $ virtualenv .venv && source .venv/bin/activate
 79 | (.venv) $ pip install -r requirements.txt
 80 | (.venv) $ GITLAB_URL={{ your GitLab instance URL }} GITLAB_PRIVATE_TOKEN={{ your GitLab private token }} python gitlab2rbac.py
 81 | ```
 82 | 
 83 | ## Matrix GitLab role & Kubernetes resources
 84 | **[here](./docs/matrix.md)**
 85 | 
 86 | ## Advanced configuration
 87 | `gitlab2rbac` supports multiple environment variables for advanced configuration:
 88 | 
 89 | | Flag                                | Description                                                                 | Default		|
 90 | |:------------------------------------|:----------------------------------------------------------------------------|:------------------|
 91 | |`GITLAB2RBAC_FREQUENCY`              |Update interval in seconds.                                                  |60			|
 92 | |`GITLAB_ADMINS_GROUP`                |Base your k8s admins on GitLab namespace (None means GitLab administrators). |None		|
 93 | |`GITLAB_GROUPS_IGNORE_LIST`	      |Groups to ignore (separated by commas, default value is "lost-and-found"	    |lost-and-found	|
 94 | |`GITLAB_GROUPS_SEARCH`               |Limit to those groups (separated by commas, empty means all groups).         |gitlab2rbac 	|
 95 | |`GITLAB_NAMESPACE_GRANULARITY`       |Whether to get permissions from GitLab projects or groups.                   |project     	|
 96 | |`GITLAB_PRIVATE_TOKEN`               |Configure gitlab API token.                                                  |            	|
 97 | |`GITLAB_USERNAME_IGNORE_LIST`	      |Gitlab users to ignore for the synchronisation				    |			|
 98 | |`GITLAB_TIMEOUT`                     |Timeout for GitLab operations, in seconds.                                   |10          	|
 99 | |`GITLAB_URL`                         |Configure gitlab API target.                                                 |            	|
100 | |`KUBERNETES_AUTO_CREATE`             |Replicate GitLab groups/projects as Kubernetes namespaces.                   |False       	|
101 | |`KUBERNETES_LOAD_INCLUSTER_CONFIG`   |Load configuration inside Kubernetes when gitlab2rbac runs as a pod.         |False       	|
102 | |`KUBERNETES_TIMEOUT`                 |Timeout for Kubernetes operations, in seconds.                               |10          	|
103 | 
104 | ## Kubernetes cluster compatibility
105 | 
106 | The following table outlines the compatibility between gitlab2rbac versions and Kubernetes cluster versions. Ensure that you are using the correct version of gitlab2rbac for your Kubernetes cluster to maintain stability and functionality.
107 | 
108 | :construction: not tested
109 | 
110 | :green_circle: ok
111 | 
112 | | GitLab2rbac Version   | k8s 1.25 | k8s 1.26 | k8s 1.27 | k8s 1.28 | k8s 1.29 | k8s 1.30 | k8s 1.31 |
113 | |-------------------|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|
114 | | **0.2.4**    |      :green_circle:       |      :green_circle:       |      :green_circle:      |      :green_circle:      |      :construction:       |      :construction:       |      :construction:       |
115 | 
116 | ## License
117 | MIT
118 | 


--------------------------------------------------------------------------------
/deploy/configuration.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | apiVersion: v1
  3 | kind: Namespace
  4 | metadata:
  5 |   name: gitlab2rbac
  6 | 
  7 | ---
  8 | apiVersion: rbac.authorization.k8s.io/v1
  9 | kind: ClusterRole
 10 | metadata:
 11 |   name: gitlab2rbac:authenticated
 12 | rules:
 13 | - apiGroups: ["*"]
 14 |   resources:
 15 |     - apiservices
 16 |     - componentstatuses
 17 |     - namespaces
 18 |     - nodes
 19 |   verbs:
 20 |     - get
 21 |     - list
 22 |     - watch
 23 | 
 24 | ---
 25 | apiVersion: rbac.authorization.k8s.io/v1
 26 | kind: ClusterRole
 27 | metadata:
 28 |   # NOTE: don't change the prefix gitlab2rbac:
 29 |   name: gitlab2rbac:guest
 30 | rules:
 31 | - apiGroups: ["*"]
 32 |   resources:
 33 |   # workload
 34 |   - cronjobs
 35 |   - daemonsets
 36 |   - deployments
 37 |   - horizontalpodautoscalers
 38 |   - ingresses
 39 |   - jobs
 40 |   - pods
 41 |   - replicasets
 42 |   - replicationcontrollers
 43 |   - services
 44 |   - statefulsets
 45 |   - verticalpodautoscalers
 46 |   # setup
 47 |   - configmaps
 48 |   - endpoints
 49 |   - networkpolicies
 50 |   - persistentvolumeclaims
 51 |   - persistentvolumeclaims/status
 52 |   - poddisruptionbudgets
 53 |   - poddisruptionbudgets/status
 54 |   - serviceaccounts
 55 |   verbs:
 56 |   - get
 57 |   - list
 58 |   - watch
 59 | 
 60 | ---
 61 | apiVersion: rbac.authorization.k8s.io/v1
 62 | kind: ClusterRole
 63 | metadata:
 64 |   name: gitlab2rbac:reporter
 65 | rules:
 66 | - apiGroups: ["*"]
 67 |   resources:
 68 |   # actions
 69 |   - pods/log
 70 |   - pods/portforward
 71 |   verbs:
 72 |   - create
 73 |   - delete
 74 |   - get
 75 |   - list
 76 |   - patch
 77 |   - update
 78 |   - watch
 79 | - apiGroups: ["*"]
 80 |   resources:
 81 |   # workload
 82 |   - cronjobs
 83 |   - daemonsets
 84 |   - deployments
 85 |   - events
 86 |   - horizontalpodautoscalers
 87 |   - ingresses
 88 |   - jobs
 89 |   - pods
 90 |   - replicasets
 91 |   - replicationcontrollers
 92 |   - services
 93 |   - statefulsets
 94 |   - verticalpodautoscalers
 95 |   # setup
 96 |   - configmaps
 97 |   - endpoints
 98 |   - networkpolicies
 99 |   - persistentvolumeclaims
100 |   - persistentvolumeclaims/status
101 |   - poddisruptionbudgets
102 |   - poddisruptionbudgets/status
103 |   - serviceaccounts
104 |   verbs:
105 |   - get
106 |   - list
107 |   - watch
108 | 
109 | ---
110 | apiVersion: rbac.authorization.k8s.io/v1
111 | kind: ClusterRole
112 | metadata:
113 |   name: gitlab2rbac:developer
114 | rules:
115 | - apiGroups: ["*"]
116 |   resources:
117 |   # workload
118 |   - cronjobs
119 |   - daemonsets
120 |   - deployments
121 |   - deployments/scale
122 |   - horizontalpodautoscalers
123 |   - ingresses
124 |   - jobs
125 |   - pods
126 |   - replicasets
127 |   - replicationcontrollers
128 |   - services
129 |   - statefulsets
130 |   - verticalpodautoscalers
131 |   # actions
132 |   - deployments/rollback
133 |   - deployments/scale
134 |   - pods/attach
135 |   - pods/exec
136 |   - pods/log
137 |   - pods/portforward
138 |   - replicasets/scale
139 |   - replicationcontrollers/scale
140 |   - statefulsets/scale
141 |   # setup
142 |   - certificates
143 |   - configmaps
144 |   - endpoints
145 |   - networkpolicies
146 |   - persistentvolumeclaims
147 |   - persistentvolumeclaims/status
148 |   - poddisruptionbudgets
149 |   - poddisruptionbudgets/status
150 |   - secrets
151 |   - serviceaccounts
152 |   verbs:
153 |   - create
154 |   - delete
155 |   - get
156 |   - list
157 |   - patch
158 |   - update
159 |   - watch
160 | - apiGroups: ["*"]
161 |   resources:
162 |   # workload
163 |   - events
164 |   # setup
165 |   - limitranges
166 |   - resourcequotas
167 |   - rolebindings
168 |   - roles
169 |   verbs:
170 |   - get
171 |   - list
172 |   - watch
173 | 
174 | ---
175 | apiVersion: rbac.authorization.k8s.io/v1
176 | kind: ClusterRole
177 | metadata:
178 |   name: gitlab2rbac:maintainer
179 | rules:
180 | - apiGroups: ["*"]
181 |   resources:
182 |   # workload
183 |   - cronjobs
184 |   - daemonsets
185 |   - deployments
186 |   - deployments/scale
187 |   - events
188 |   - horizontalpodautoscalers
189 |   - ingresses
190 |   - jobs
191 |   - pods
192 |   - replicasets
193 |   - replicationcontrollers
194 |   - services
195 |   - statefulsets
196 |   - verticalpodautoscalers
197 |   # actions
198 |   - deployments/rollback
199 |   - deployments/scale
200 |   - pods/attach
201 |   - pods/exec
202 |   - pods/log
203 |   - pods/portforward
204 |   - replicasets/scale
205 |   - replicationcontrollers/scale
206 |   - statefulsets/scale
207 |   # setup
208 |   - certificates
209 |   - configmaps
210 |   - endpoints
211 |   - limitranges
212 |   - networkpolicies
213 |   - persistentvolumeclaims
214 |   - persistentvolumeclaims/status
215 |   - poddisruptionbudgets
216 |   - poddisruptionbudgets/status
217 |   - resourcequotas
218 |   - rolebindings
219 |   - roles
220 |   - secrets
221 |   - serviceaccounts
222 |   verbs:
223 |   - create
224 |   - delete
225 |   - get
226 |   - list
227 |   - patch
228 |   - update
229 |   - watch
230 | 
231 | ---
232 | apiVersion: rbac.authorization.k8s.io/v1
233 | kind: ClusterRole
234 | metadata:
235 |   name: gitlab2rbac:admin
236 | apiVersion: rbac.authorization.k8s.io/v1
237 | kind: ClusterRole
238 | rules:
239 | - apiGroups: ['*']
240 |   resources: ['*']
241 |   verbs: ['*']
242 | - nonResourceURLs: ['*']
243 |   verbs: ['*']
244 | 
245 | ---
246 | apiVersion: rbac.authorization.k8s.io/v1
247 | kind: ClusterRoleBinding
248 | metadata:
249 |   name: gitlab2rbac:authenticated
250 | roleRef:
251 |   apiGroup: rbac.authorization.k8s.io
252 |   kind: ClusterRole
253 |   name: gitlab2rbac:authenticated
254 | subjects:
255 | - kind: Group
256 |   name: system:authenticated
257 |   apiGroup: rbac.authorization.k8s.io
258 | 
259 | ---
260 | apiVersion: rbac.authorization.k8s.io/v1
261 | kind: ClusterRoleBinding
262 | metadata:
263 |   name: gitlab2rbac:guest
264 | roleRef:
265 |   apiGroup: rbac.authorization.k8s.io
266 |   kind: ClusterRole
267 |   name: gitlab2rbac:guest
268 | subjects:
269 | - kind: ServiceAccount
270 |   name: gitlab2rbac
271 |   namespace: gitlab2rbac
272 | 
273 | ---
274 | apiVersion: rbac.authorization.k8s.io/v1
275 | kind: ClusterRoleBinding
276 | metadata:
277 |   name: gitlab2rbac:reporter
278 | roleRef:
279 |   apiGroup: rbac.authorization.k8s.io
280 |   kind: ClusterRole
281 |   name: gitlab2rbac:reporter
282 | subjects:
283 | - kind: ServiceAccount
284 |   name: gitlab2rbac
285 |   namespace: gitlab2rbac
286 | 
287 | ---
288 | apiVersion: rbac.authorization.k8s.io/v1
289 | kind: ClusterRoleBinding
290 | metadata:
291 |   name: gitlab2rbac:developer
292 | roleRef:
293 |   apiGroup: rbac.authorization.k8s.io
294 |   kind: ClusterRole
295 |   name: gitlab2rbac:developer
296 | subjects:
297 | - kind: ServiceAccount
298 |   name: gitlab2rbac
299 |   namespace: gitlab2rbac
300 | 
301 | ---
302 | apiVersion: rbac.authorization.k8s.io/v1
303 | kind: ClusterRoleBinding
304 | metadata:
305 |   name: gitlab2rbac:maintainer
306 | roleRef:
307 |   apiGroup: rbac.authorization.k8s.io
308 |   kind: ClusterRole
309 |   name: gitlab2rbac:maintainer
310 | subjects:
311 | - kind: ServiceAccount
312 |   name: gitlab2rbac
313 |   namespace: gitlab2rbac
314 | 
315 | ---
316 | apiVersion: rbac.authorization.k8s.io/v1
317 | kind: ClusterRoleBinding
318 | metadata:
319 |   name: gitlab2rbac:admin
320 | roleRef:
321 |   apiGroup: rbac.authorization.k8s.io
322 |   kind: ClusterRole
323 |   name: gitlab2rbac:admin
324 | subjects:
325 | - kind: ServiceAccount
326 |   name: gitlab2rbac
327 |   namespace: gitlab2rbac
328 | 


--------------------------------------------------------------------------------
/deploy/gitlab2rbac.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: gitlab2rbac
 6 |   namespace: gitlab2rbac
 7 | 
 8 | ---
 9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   name: gitlab2rbac
13 |   namespace: gitlab2rbac
14 |   labels:
15 |     app: gitlab2rbac
16 | spec:
17 |   replicas: 1
18 |   selector:
19 |     matchLabels:
20 |       app: gitlab2rbac
21 |   template:
22 |     metadata:
23 |       labels:
24 |         app: gitlab2rbac
25 |     spec:
26 |       serviceAccountName: gitlab2rbac
27 |       securityContext:
28 |         runAsNonRoot: true
29 |         runAsUser:  65534 # nobody
30 |       containers:
31 |       - name: gitlab2rbac
32 |         image: numberly/gitlab2rbac
33 |         resources:
34 |           requests:
35 |             cpu: 100m
36 |             memory: 128Mi
37 |           limits:
38 |             cpu: 100m
39 |             memory: 128Mi
40 |         envFrom:
41 |         - configMapRef:
42 |             name: gitlab2rbac
43 | 


--------------------------------------------------------------------------------
/docs/matrix.md:
--------------------------------------------------------------------------------
 1 | ### Role Descriptions
 2 | | Role       | Use Cases                 | Typical Examples                    |
 3 | |:----------:|:-------------------------:|:-----------------------------------:|
 4 | | Guest      | Inspiration               | Team members from other departments |
 5 | | Reporter   | Complete overview, testing| Project managers, marketing staff   |
 6 | | Developer  | Deployment, debugging     | Engineers, technical project managers |
 7 | | Maintainer | Sensitive configurations  | Lead or senior engineers            |
 8 | 
 9 | ### RBAC Permissions Matrix
10 | In Kubernetes, `R` and `W` correspond to API verbs:
11 | * **Read (`R`)**: `get`, `list`, `watch`
12 | * **Write (`W`)**: `create`, `update`, `patch`, `delete`, `deletecollection`
13 | 
14 | #### Cluster-Wide Resources
15 | All authenticated users have access to the following cluster-wide resources:
16 | * apiservices
17 | * componentstatuses (deprecated in v1.19+)
18 | * namespaces
19 | * nodes
20 | 
21 | GitLab admins are automatically granted admin privileges in the Kubernetes cluster.
22 | 
23 | #### Workload Resources
24 | | Resource                 | Guest | Reporter | Developer | Maintainer |
25 | |:------------------------:|:-----:|:--------:|:---------:|:----------:|
26 | | cronjobs                 |   R   |    R     |   R+W     |    R+W     |
27 | | daemonsets               |   R   |    R     |   R+W     |    R+W     |
28 | | deployments              |   R   |    R     |   R+W     |    R+W     |
29 | | horizontalpodautoscalers |   R   |    R     |   R+W     |    R+W     |
30 | | ingresses                |   R   |    R     |   R+W     |    R+W     |
31 | | jobs                     |   R   |    R     |   R+W     |    R+W     |
32 | | pods                     |   R   |    R     |   R+W     |    R+W     |
33 | | replicasets              |   R   |    R     |   R+W     |    R+W     |
34 | | replicationcontrollers   |   R   |    R     |   R+W     |    R+W     |
35 | | services                 |   R   |    R     |   R+W     |    R+W     |
36 | | statefulsets             |   R   |    R     |   R+W     |    R+W     |
37 | | verticalpodautoscalers   |   R   |    R     |   R+W     |    R+W     |
38 | | events                   |       |    R     |    R      |    R+W     |
39 | 
40 | #### Action-Based Resources
41 | | Resource                     | Guest | Reporter | Developer | Maintainer |
42 | |:----------------------------:|:-----:|:--------:|:---------:|:----------:|
43 | | pods/log                     |       |   R+W    |   R+W     |    R+W     |
44 | | pods/portforward             |       |   R+W    |   R+W     |    R+W     |
45 | | deployments/rollback         |       |          |   R+W     |    R+W     |
46 | | deployments/scale            |       |          |   R+W     |    R+W     |
47 | | pods/attach                  |       |          |   R+W     |    R+W     |
48 | | pods/exec                    |       |          |   R+W     |    R+W     |
49 | | replicasets/scale            |       |          |   R+W     |    R+W     |
50 | | replicationcontrollers/scale |       |          |   R+W     |    R+W     |
51 | | statefulsets/scale           |       |          |   R+W     |    R+W     |
52 | 
53 | #### Setup Resources
54 | | Resource                      | Guest | Reporter | Developer | Maintainer |
55 | |:-----------------------------:|:-----:|:--------:|:---------:|:----------:|
56 | | configmaps                    |   R   |    R     |   R+W     |    R+W     |
57 | | endpoints                     |   R   |    R     |   R+W     |    R+W     |
58 | | networkpolicies               |   R   |    R     |   R+W     |    R+W     |
59 | | persistentvolumeclaims        |   R   |    R     |   R+W     |    R+W     |
60 | | persistentvolumeclaims/status |   R   |    R     |   R+W     |    R+W     |
61 | | poddisruptionbudgets          |   R   |    R     |   R+W     |    R+W     |
62 | | poddisruptionbudgets/status   |   R   |    R     |   R+W     |    R+W     |
63 | | serviceaccounts               |   R   |    R     |   R+W     |    R+W     |
64 | | certificates                  |       |          |   R+W     |    R+W     |
65 | | secrets                       |       |          |   R+W     |    R+W     |
66 | | limitranges                   |       |          |    R      |    R+W     |
67 | | resourcequotas                |       |          |    R      |    R+W     |
68 | | rolebindings                  |       |          |    R      |    R+W     |
69 | | roles                         |       |          |    R      |    R+W     |
70 | 
71 | 


--------------------------------------------------------------------------------
/gitlab2rbac.py:
--------------------------------------------------------------------------------
  1 | import logging
  2 | from collections import defaultdict
  3 | from os import environ
  4 | from time import sleep, time
  5 | 
  6 | import kubernetes
  7 | from gql import gql, Client
  8 | from gql.transport.requests import RequestsHTTPTransport
  9 | from gitlab import Gitlab
 10 | from kubernetes.client.rest import ApiException
 11 | from slugify import slugify
 12 | 
 13 | logging.basicConfig(
 14 |     format="%(asctime)s - %(levelname)s - %(message)s",
 15 |     level=environ.get("LOGLEVEL", "INFO").upper(),
 16 | )
 17 | 
 18 | logging.getLogger("gql").setLevel(logging.WARNING)
 19 | 
 20 | 
 21 | class GitlabHelper(object):
 22 | 
 23 |     ACCESS_LEVEL_REFERENCE = {
 24 |         10: "guest",
 25 |         20: "reporter",
 26 |         30: "developer",
 27 |         40: "maintainer",
 28 |         # NOTE: owner is only usable when your permissions are based on group.
 29 |         50: "maintainer",
 30 |     }
 31 | 
 32 |     def __init__(
 33 |         self,
 34 |         url,
 35 |         token,
 36 |         timeout,
 37 |         groups,
 38 |         namespace_granularity,
 39 |         admins_group,
 40 |         username_ignore_list,
 41 |         groups_ignore_list,
 42 |     ):
 43 |         self.client = None
 44 |         self.gitlab_users = []
 45 |         self.groups = groups
 46 |         self.timeout = timeout
 47 |         self.token = token
 48 |         self.url = url
 49 |         self.namespace_granularity = namespace_granularity
 50 |         self.admins_group = admins_group
 51 |         self.namespaces = []
 52 |         self.username_ignore_list = username_ignore_list
 53 |         self.groups_ignore_list = groups_ignore_list
 54 | 
 55 |     def connect(self):
 56 |         """Performs an authentication via private token.
 57 | 
 58 |         Raises:
 59 |             exception: If any errors occurs.
 60 |         """
 61 |         try:
 62 |             self.client = Gitlab(
 63 |                 url=self.url, private_token=self.token, timeout=self.timeout
 64 |             )
 65 |             self.client.auth()
 66 |         except Exception as e:
 67 |             raise Exception("unable to connect on gitlab :: {}".format(e))
 68 | 
 69 |         try:
 70 |             if self.namespace_granularity == "group":
 71 |                 self.namespaces = self.get_groups()
 72 |             else:
 73 |                 self.namespaces = self.get_projects()
 74 |         except Exception as e:
 75 |             raise Exception("unable to define namespaces :: {}".format(e))
 76 | 
 77 |     def get_projects(self):
 78 |         """Get all projects under the configured namespace (GITLAB_GROUP_SEARCH).
 79 | 
 80 |         Returns:
 81 |             list[gitlab.Project]: list for success, empty otherwise.
 82 |         """
 83 |         try:
 84 |             projects = []
 85 |             for group in self.get_groups():
 86 |                 for project in group.projects.list(all=True):
 87 |                     projects.append(self.client.projects.get(project.id))
 88 |                     logging.info(
 89 |                         "|_ search group={} project={}".format(
 90 |                             group.name, project.name
 91 |                         )
 92 |                     )
 93 |             return projects
 94 |         except Exception as e:
 95 |             logging.error("unable to get projects :: {}".format(e))
 96 |         return []
 97 | 
 98 |     def get_admins(self):
 99 |         """Returns all admins.
100 | 
101 |         e.g. user {
102 |                 'email': 'foo@bar.com',
103 |                 'id': '123',
104 |             }
105 | 
106 |         Returns:
107 |             list[dict]: list for success, empty otherwise.
108 |         """
109 |         try:
110 |             if self.admins_group:
111 |                 ns = self.client.groups.list(search=self.admins_group)
112 |                 return self.get_users(from_namespaces=ns) or []
113 | 
114 |             admins = []
115 |             for user in self.client.users.list(all=True):
116 |                 if user.is_admin:
117 |                     admins.append(
118 |                         {"email": user.email, "id": "{}".format(user.id)}
119 |                     )
120 |                     logging.info(
121 |                         "|user={} email={} access_level=admin".format(
122 |                             user.name, user.email
123 |                         )
124 |                     )
125 |             return admins
126 |         except Exception as e:
127 |             logging.error("unable to retrieve admins :: {}".format(e))
128 |             exit(1)
129 |         return []
130 | 
131 |     def check_user(self, user):
132 |         if user["bot"] is True:
133 |             logging.debug(f"Ignore user {user['username']} because it's a bot")
134 |             return False
135 |         if user["username"] in self.username_ignore_list:
136 |             logging.debug(
137 |                 f"Ignore user {user['username']} because it's in the ignore list"
138 |             )
139 |             return False
140 |         if user["state"] != "active":
141 |             logging.debug(
142 |                 f"Ignoring user {user['username']} because is not active"
143 |             )
144 |             return False
145 |         return True
146 | 
147 |     def _get_users_query_paginated(
148 |         self, gql_client, query, variable_values=None
149 |     ):
150 |         if variable_values is None:
151 |             variable_values = {}
152 |         variable_values["first"] = 50
153 |         gql_client.execute(
154 |             query, variable_values=variable_values, parse_result=True
155 |         )
156 |         nodes = []
157 |         page_info = {"hasNextPage": True}
158 |         while page_info.get("hasNextPage"):
159 |             variable_values["after"] = page_info.get("endCursor")
160 |             results = (
161 |                 gql_client.execute(
162 |                     query, variable_values=variable_values, parse_result=True
163 |                 )
164 |                 .get("group")
165 |                 .get("groupMembers")
166 |             )
167 |             nodes += results.get("nodes")
168 |             page_info = results.get("pageInfo")
169 |         return nodes
170 | 
171 |     def get_users(self, from_namespaces=None):
172 |         """Returns all users from groups/projects.
173 |         We use a GraphQL to minimize the queries made to Gitlab API
174 | 
175 |         Args:
176 |           from_namespaces (list): Retrieve users from this namespaces.
177 | 
178 |         e.g. user {
179 |                 'access_level': 'reporter',
180 |                 'email': 'foo@bar.com',
181 |                 'id': '123',
182 |                 'namespace': 'default'
183 |             }
184 | 
185 |         Returns:
186 |             list[dict]: list for success, empty otherwise.
187 |         """
188 |         try:
189 |             users = []
190 |             namespaces = from_namespaces or self.namespaces
191 |             query = gql(
192 |                 """
193 | query ($first: Int, $after: String, $namespace : ID!) {
194 |   group(fullPath: $namespace) {
195 |     id
196 |     name
197 |     parent {
198 |       id
199 |     }
200 |     groupMembers(first: $first, after: $after) {
201 |       pageInfo {
202 |         endCursor
203 |         hasNextPage
204 |       }
205 |       nodes {
206 |         id
207 |         accessLevel {
208 |           integerValue
209 |           stringValue
210 |         }
211 |         user {
212 |           id
213 |           bot
214 |           username
215 |           state
216 |           emails {
217 |             edges {
218 |               node {
219 |                email
220 |               }
221 |             }
222 |           }
223 |         }
224 |       }
225 |     }
226 |   }
227 | }
228 | """
229 |             )
230 |             transport = RequestsHTTPTransport(
231 |                 url=f"{self.url}/api/graphql",
232 |                 headers={
233 |                     "Authorization": f"Bearer {self.token}",
234 |                     "Content-Type": "application/json",
235 |                 },
236 |                 use_json=True,
237 |             )
238 |             client = Client(
239 |                 transport=transport, fetch_schema_from_transport=True
240 |             )
241 |             for namespace in namespaces:
242 |                 _start = time()
243 |                 variable_values = {"namespace": namespace.name}
244 |                 members = self._get_users_query_paginated(
245 |                     client, query, variable_values
246 |                 )
247 |                 timespent = time() - _start
248 |                 logging.debug(
249 |                     f"Fetched members of group {namespace.name} in {timespent} seconds"
250 |                 )
251 |                 for member in members:
252 |                     # ignore user if it doesn't pass some checks
253 |                     if not self.check_user(member["user"]):
254 |                         continue
255 | 
256 |                     user = {
257 |                         "access_level": member["accessLevel"]["integerValue"],
258 |                         "email": member["user"]["emails"]["edges"][0]["node"][
259 |                             "email"
260 |                         ],
261 |                         "id": member["user"]["id"].replace(
262 |                             "gid://gitlab/User/", ""
263 |                         ),
264 |                         "namespace": slugify(namespace.name),
265 |                         "username": member["user"]["username"],
266 |                     }
267 |                     users.append(user)
268 |                     logging.info(
269 |                         "|namespace={} user={} email={} access_level={}".format(
270 |                             namespace.name,
271 |                             user["username"],
272 |                             user["email"],
273 |                             user["access_level"],
274 |                         )
275 |                     )
276 |             return users
277 |         except Exception as e:
278 |             logging.error("unable to retrieve users :: {}".format(e))
279 |             exit(1)
280 |         return []
281 | 
282 |     def get_groups(self):
283 |         groups = []
284 |         for group in self.groups:
285 |             _start = time()
286 |             gitlab_groups = self.client.groups.list(
287 |                 search=group,
288 |                 top_level_only=True,
289 |                 all=True,
290 |             )
291 |             timespent = time() - _start
292 |             logging.debug(f"Fetched groups in {timespent} seconds")
293 |             for result in gitlab_groups:
294 |                 if result.name not in self.groups_ignore_list:
295 |                     logging.info("|found group={}".format(result.name))
296 |                     groups.append(result)
297 |         return groups
298 | 
299 | 
300 | class KubernetesHelper(object):
301 | 
302 |     PROTECTED_NAMESPACES = ["kube-system"]
303 | 
304 |     def __init__(
305 |         self, timeout, load_incluster_config, user_role_prefix="gitlab2rbac"
306 |     ):
307 |         self.client_rbac = None
308 |         self.client_core = None
309 |         self.timeout = timeout
310 |         self.load_incluster_config = load_incluster_config
311 |         self.user_role_prefix = user_role_prefix
312 | 
313 |     def connect(self):
314 |         try:
315 |             if self.load_incluster_config:
316 |                 # it works only if this script is run by K8s as a POD
317 |                 kubernetes.config.load_incluster_config()
318 |             else:
319 |                 kubernetes.config.load_kube_config()
320 |             self.client_rbac = kubernetes.client.RbacAuthorizationV1Api()
321 |             self.client_core = kubernetes.client.CoreV1Api()
322 |         except Exception as e:
323 |             logging.error("unable to connect :: {}".format(e))
324 |             raise
325 | 
326 |     def get_namespaces(self):
327 |         try:
328 |             return [
329 |                 namespace.metadata.name
330 |                 for namespace in self.client_core.list_namespace(
331 |                     _request_timeout=self.timeout
332 |                 ).items
333 |                 if namespace.metadata.name not in self.PROTECTED_NAMESPACES
334 |             ]
335 |         except ApiException as e:
336 |             error = "unable to retrieve namespaces :: {}".format(
337 |                 eval(e.body)["message"]
338 |             )
339 |             logging.error(error)
340 |         except Exception as e:
341 |             logging.error("unable to retrieve namespaces :: {}".format(e))
342 |         return []
343 | 
344 |     def auto_create(self, namespaces):
345 |         try:
346 |             for namespace in namespaces:
347 |                 slug_namespace = slugify(namespace.name)
348 |                 labels = {
349 |                     "app.kubernetes.io/name": slug_namespace,
350 |                     "app.kubernetes.io/managed-by": "gitlab2rbac",
351 |                 }
352 |                 if self.check_namespace(name=slug_namespace):
353 |                     continue
354 |                 metadata = kubernetes.client.V1ObjectMeta(
355 |                     name=slug_namespace, labels=labels
356 |                 )
357 |                 namespace_body = kubernetes.client.V1Namespace(
358 |                     metadata=metadata
359 |                 )
360 |                 self.client_core.create_namespace(body=namespace_body)
361 |                 logging.info("auto create namespace={}".format(slug_namespace))
362 |         except ApiException as e:
363 |             error = "unable to auto create :: {}".format(
364 |                 eval(e.body)["message"]
365 |             )
366 |             logging.error(error)
367 |         except Exception as e:
368 |             logging.error("unable to auto create:: {}".format(e))
369 |         return []
370 | 
371 |     def check_namespace(self, name):
372 |         """Check if namespace exists.
373 | 
374 |         Args:
375 |             name (str): kubernetes namespace.
376 | 
377 |         Returns:
378 |             bool: True if exists, False otherwise.
379 |         """
380 |         try:
381 |             namespace = self.client_core.list_namespace(
382 |                 field_selector="metadata.name={}".format(name),
383 |                 timeout_seconds=self.timeout,
384 |             )
385 |             return bool(namespace.items)
386 |         except ApiException as e:
387 |             error = "unable to check namespace :: {}".format(
388 |                 eval(e.body)["message"]
389 |             )
390 |             logging.error(error)
391 |         except Exception as e:
392 |             logging.error("unable to check namespace :: {}".format(e))
393 |         return False
394 | 
395 |     def check_role_binding(self, name, namespace=None):
396 |         """Check if role binding exists.
397 | 
398 |         Args:
399 |             name (str): user_role_binding name.
400 |             namespace (str): kubernetes namespace.
401 | 
402 |         Returns:
403 |             bool: True if exists, False otherwise.
404 |         """
405 |         try:
406 |             full_name = "{}_{}".format(self.user_role_prefix, name)
407 |             field_selector = "metadata.name={}".format(full_name)
408 |             if namespace:
409 |                 role_bindings = self.client_rbac.list_namespaced_role_binding(
410 |                     namespace=namespace,
411 |                     field_selector=field_selector,
412 |                     timeout_seconds=self.timeout,
413 |                 )
414 |             else:
415 |                 role_bindings = self.client_rbac.list_cluster_role_binding(
416 |                     field_selector=field_selector, timeout_seconds=self.timeout
417 |                 )
418 |             return bool(role_bindings.items)
419 |         except ApiException as e:
420 |             error = "unable to check user role binding :: {}".format(
421 |                 eval(e.body)["message"]
422 |             )
423 |             logging.error(error)
424 |         except Exception as e:
425 |             logging.error("unable to check user role binding :: {}".format(e))
426 |         return False
427 | 
428 |     def create_role_binding(
429 |         self, user, user_id, name, role_ref, namespace=None
430 |     ):
431 |         try:
432 |             labels = {
433 |                 "app.kubernetes.io/managed-by": "gitlab2rbac",
434 |                 "gitlab2rbac.kubernetes.io/role_ref": role_ref,
435 |                 "gitlab2rbac.kubernetes.io/user_id": user_id,
436 |             }
437 |             name = "{}_{}".format(self.user_role_prefix, name)
438 |             role_binding = kubernetes.client.V1RoleBinding(
439 |                 metadata=kubernetes.client.V1ObjectMeta(
440 |                     namespace=namespace, name=name, labels=labels
441 |                 ),
442 |                 subjects=[
443 |                     kubernetes.client.RbacV1Subject(
444 |                         name=user,
445 |                         kind="User",
446 |                         api_group="rbac.authorization.k8s.io",
447 |                     )
448 |                 ],
449 |                 role_ref=kubernetes.client.V1RoleRef(
450 |                     kind="ClusterRole",
451 |                     api_group="rbac.authorization.k8s.io",
452 |                     name="gitlab2rbac:{}".format(role_ref),
453 |                 ),
454 |             )
455 |             if namespace:
456 |                 self.client_rbac.create_namespaced_role_binding(
457 |                     namespace=namespace,
458 |                     body=role_binding,
459 |                     _request_timeout=self.timeout,
460 |                 )
461 |             else:
462 |                 self.client_rbac.create_cluster_role_binding(
463 |                     body=role_binding, _request_timeout=self.timeout
464 |                 )
465 |             logging.info(
466 |                 "|_ role-binding created name={} namespace={}".format(
467 |                     name, namespace
468 |                 )
469 |             )
470 |         except ApiException as e:
471 |             error = "unable to create user role binding :: {}".format(
472 |                 eval(e.body)["message"]
473 |             )
474 |             logging.error(error)
475 |         except Exception as e:
476 |             logging.error("unable to create user role binding :: {}".format(e))
477 | 
478 |     def delete_deprecated_user_role_bindings(self, users):
479 |         try:
480 |             users_grouped_by_ns = defaultdict(list)
481 |             for user in users:
482 |                 users_grouped_by_ns[user["namespace"]].append(user)
483 | 
484 |             for ns in users_grouped_by_ns:
485 |                 role_bindings = self.client_rbac.list_namespaced_role_binding(
486 |                     ns
487 |                 )
488 |                 users_ids = [user["id"] for user in users_grouped_by_ns[ns]]
489 | 
490 |                 for role_binding in role_bindings.items:
491 |                     try:
492 |                         user_id = role_binding.metadata.labels[
493 |                             "gitlab2rbac.kubernetes.io/user_id"
494 |                         ]
495 |                     except (TypeError, KeyError):
496 |                         continue
497 | 
498 |                     if user_id not in users_ids:
499 |                         self.client_rbac.delete_namespaced_role_binding(
500 |                             name=role_binding.metadata.name,
501 |                             namespace=role_binding.metadata.namespace,
502 |                             body=role_binding,
503 |                         )
504 |                         logging.info(
505 |                             "|_ role-binding deprecated name={} namespace={}".format(
506 |                                 role_binding.metadata.name,
507 |                                 role_binding.metadata.namespace,
508 |                             )
509 |                         )
510 |         except ApiException as e:
511 |             error = (
512 |                 "unable to delete deprecated user role bindings :: {}".format(
513 |                     eval(e.body)["message"]
514 |                 )
515 |             )
516 |             logging.error(error)
517 |         except Exception as e:
518 |             logging.error(
519 |                 "unable to delete deprecated user role bindings :: {}".format(
520 |                     e
521 |                 )
522 |             )
523 | 
524 |     def delete_deprecated_cluster_role_bindings(self, users):
525 |         try:
526 |             cluster_users_ids = [user["id"] for user in users]
527 |             for (
528 |                 role_binding
529 |             ) in self.client_rbac.list_cluster_role_binding().items:
530 |                 try:
531 |                     user_id = role_binding.metadata.labels[
532 |                         "gitlab2rbac.kubernetes.io/user_id"
533 |                     ]
534 |                 except (TypeError, ValueError, KeyError):
535 |                     continue
536 | 
537 |                 if user_id not in cluster_users_ids:
538 |                     self.client_rbac.delete_cluster_role_binding(
539 |                         name=role_binding.metadata.name,
540 |                         body=role_binding,
541 |                     )
542 |                     logging.info(
543 |                         "|_ cluster-role-binding deprecated name={}".format(
544 |                             role_binding.metadata.name,
545 |                         )
546 |                     )
547 |         except ApiException as e:
548 |             error = "unable to delete deprecated cluster role bindings :: {}".format(
549 |                 eval(e.body)["message"]
550 |             )
551 |             logging.error(error)
552 |         except Exception as e:
553 |             logging.error(
554 |                 "unable to delete deprecated cluster role bindings :: {}".format(
555 |                     e
556 |                 )
557 |             )
558 | 
559 | 
560 | class Gitlab2RBAC(object):
561 |     def __init__(self, gitlab, kubernetes, kubernetes_auto_create):
562 |         self.gitlab = gitlab
563 |         self.kubernetes = kubernetes
564 |         self.kubernetes_auto_create = kubernetes_auto_create
565 | 
566 |     def __call__(self):
567 |         if self.kubernetes_auto_create:
568 |             self.kubernetes.auto_create(namespaces=self.gitlab.namespaces)
569 | 
570 |         gitlab_users = self.gitlab.get_users()
571 |         gitlab_admins = self.gitlab.get_admins()
572 | 
573 |         self.create_admin_role_bindings(admins=gitlab_admins)
574 |         self.create_user_role_bindings(users=gitlab_users)
575 |         self.kubernetes.delete_deprecated_user_role_bindings(
576 |             users=gitlab_users
577 |         )
578 |         self.kubernetes.delete_deprecated_cluster_role_bindings(
579 |             users=gitlab_admins
580 |         )
581 | 
582 |     def create_admin_role_bindings(self, admins):
583 |         try:
584 |             for admin in admins:
585 |                 role_binding_name = "{}_admin".format(admin["email"])
586 |                 if not self.kubernetes.check_role_binding(
587 |                     name=role_binding_name
588 |                 ):
589 |                     self.kubernetes.create_role_binding(
590 |                         user=admin["email"],
591 |                         user_id=admin["id"],
592 |                         name=role_binding_name,
593 |                         role_ref="admin",
594 |                     )
595 |         except Exception as e:
596 |             logging.error(
597 |                 "unable to create admin role bindings :: {}".format(e)
598 |             )
599 | 
600 |     def create_user_role_bindings(self, users):
601 |         try:
602 |             for user in users:
603 |                 namespace = user["namespace"]
604 |                 access_level = self.gitlab.ACCESS_LEVEL_REFERENCE[
605 |                     user["access_level"]
606 |                 ]
607 |                 role_binding_name = "{}_{}".format(user["email"], access_level)
608 | 
609 |                 if not self.kubernetes.check_role_binding(
610 |                     name=role_binding_name, namespace=namespace
611 |                 ):
612 |                     self.kubernetes.create_role_binding(
613 |                         user=user["email"],
614 |                         user_id=user["id"],
615 |                         name=role_binding_name,
616 |                         namespace=namespace,
617 |                         role_ref=access_level,
618 |                     )
619 |         except Exception as e:
620 |             logging.error(
621 |                 "unable to create user role bindings :: {}".format(e)
622 |             )
623 | 
624 | 
625 | def main():
626 |     try:
627 |         GITLAB_URL = environ.get("GITLAB_URL", None)
628 |         GITLAB_PRIVATE_TOKEN = environ.get("GITLAB_PRIVATE_TOKEN", None)
629 |         GITLAB_TIMEOUT = environ.get("GITLAB_TIMEOUT", 10)
630 |         GITLAB_GROUPS_SEARCH = environ.get(
631 |             "GITLAB_GROUPS_SEARCH", "gitlab2rbac"
632 |         ).split(",")
633 |         GITLAB_NAMESPACE_GRANULARITY = environ.get(
634 |             "GITLAB_NAMESPACE_GRANULARITY", "project"
635 |         )
636 |         GITLAB_ADMINS_GROUP = environ.get("GITLAB_ADMINS_GROUP", None)
637 | 
638 |         KUBERNETES_TIMEOUT = environ.get("KUBERNETES_TIMEOUT", 10)
639 |         KUBERNETES_AUTO_CREATE = eval(
640 |             environ.get("KUBERNETES_AUTO_CREATE", "False")
641 |         )
642 |         KUBERNETES_LOAD_INCLUSTER_CONFIG = eval(
643 |             environ.get("KUBERNETES_LOAD_INCLUSTER_CONFIG", "False")
644 |         )
645 | 
646 |         GITLAB2RBAC_FREQUENCY = environ.get("GITLAB2RBAC_FREQUENCY", 60)
647 |         GITLAB_USERNAME_IGNORE_LIST = environ.get(
648 |             "GITLAB_USERNAME_IGNORE_LIST", ""
649 |         ).split(",")
650 |         GITLAB_GROUPS_IGNORE_LIST = environ.get(
651 |             "GITLAB_GROUPS_IGNORE_LIST", "lost-and-found"
652 |         ).split(",")
653 | 
654 |         if not GITLAB_URL or not GITLAB_PRIVATE_TOKEN:
655 |             raise Exception(
656 |                 "missing variables GITLAB_URL / GITLAB_PRIVATE_TOKEN"
657 |             )
658 | 
659 |         while True:
660 |             gitlab_helper = GitlabHelper(
661 |                 url=GITLAB_URL,
662 |                 token=GITLAB_PRIVATE_TOKEN,
663 |                 timeout=GITLAB_TIMEOUT,
664 |                 groups=GITLAB_GROUPS_SEARCH,
665 |                 namespace_granularity=GITLAB_NAMESPACE_GRANULARITY,
666 |                 admins_group=GITLAB_ADMINS_GROUP,
667 |                 username_ignore_list=GITLAB_USERNAME_IGNORE_LIST,
668 |                 groups_ignore_list=GITLAB_GROUPS_IGNORE_LIST,
669 |             )
670 |             gitlab_helper.connect()
671 | 
672 |             kubernertes_helper = KubernetesHelper(
673 |                 timeout=KUBERNETES_TIMEOUT,
674 |                 load_incluster_config=KUBERNETES_LOAD_INCLUSTER_CONFIG,
675 |             )
676 |             kubernertes_helper.connect()
677 | 
678 |             rbac = Gitlab2RBAC(
679 |                 gitlab=gitlab_helper,
680 |                 kubernetes=kubernertes_helper,
681 |                 kubernetes_auto_create=KUBERNETES_AUTO_CREATE,
682 |             )
683 |             rbac()
684 |             sleep(int(GITLAB2RBAC_FREQUENCY))
685 |     except Exception as e:
686 |         logging.error("{}".format(e))
687 |         exit(1)
688 | 
689 | 
690 | if __name__ == "__main__":
691 |     main()
692 | 


--------------------------------------------------------------------------------
/gitlab2rbac/.helmignore:
--------------------------------------------------------------------------------
 1 | # Patterns to ignore when building packages.
 2 | # This supports shell glob matching, relative path matching, and
 3 | # negation (prefixed with !). Only one pattern per line.
 4 | .DS_Store
 5 | # Common VCS dirs
 6 | .git/
 7 | .gitignore
 8 | .bzr/
 9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 | 


--------------------------------------------------------------------------------
/gitlab2rbac/Chart.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v2
 2 | name: gitlab2rbac
 3 | description: gitlab2rbac ensures that your Kubernetes cluster users have the same permissions than on GitLab.
 4 | 
 5 | # A chart can be either an 'application' or a 'library' chart.
 6 | #
 7 | # Application charts are a collection of templates that can be packaged into versioned archives
 8 | # to be deployed.
 9 | #
10 | # Library charts provide useful utilities or functions for the chart developer. They're included as
11 | # a dependency of application charts to inject those utilities and functions into the rendering
12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed.
13 | type: application
14 | 
15 | # This is the chart version. This version number should be incremented each time you make changes
16 | # to the chart and its templates, including the app version.
17 | # Versions are expected to follow Semantic Versioning (https://semver.org/)
18 | version: 0.1.0
19 | 
20 | # This is the version number of the application being deployed. This version number should be
21 | # incremented each time you make changes to the application. Versions are not expected to
22 | # follow Semantic Versioning. They should reflect the version the application is using.
23 | # It is recommended to use it with quotes.
24 | appVersion: "0.2.4"
25 | 


--------------------------------------------------------------------------------
/gitlab2rbac/templates/NOTES.txt:
--------------------------------------------------------------------------------
 1 | 1. Get the application URL by running these commands:
 2 | {{- if .Values.ingress.enabled }}
 3 | {{- range $host := .Values.ingress.hosts }}
 4 |   {{- range .paths }}
 5 |   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
 6 |   {{- end }}
 7 | {{- end }}
 8 | {{- else if contains "NodePort" .Values.service.type }}
 9 |   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitlab2rbac.fullname" . }})
10 |   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
11 |   echo http://$NODE_IP:$NODE_PORT
12 | {{- else if contains "LoadBalancer" .Values.service.type }}
13 |      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
14 |            You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gitlab2rbac.fullname" . }}'
15 |   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gitlab2rbac.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
16 |   echo http://$SERVICE_IP:{{ .Values.service.port }}
17 | {{- else if contains "ClusterIP" .Values.service.type }}
18 |   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gitlab2rbac.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
19 |   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
20 |   echo "Visit http://127.0.0.1:8080 to use your application"
21 |   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/gitlab2rbac/templates/_helpers.tpl:
--------------------------------------------------------------------------------
 1 | {{/*
 2 | Expand the name of the chart.
 3 | */}}
 4 | {{- define "gitlab2rbac.name" -}}
 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 6 | {{- end }}
 7 | 
 8 | {{/*
 9 | Create a default fully qualified app name.
10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
11 | If release name contains chart name it will be used as a full name.
12 | */}}
13 | {{- define "gitlab2rbac.fullname" -}}
14 | {{- if .Values.fullnameOverride }}
15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
16 | {{- else }}
17 | {{- $name := default .Chart.Name .Values.nameOverride }}
18 | {{- if contains $name .Release.Name }}
19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }}
20 | {{- else }}
21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
22 | {{- end }}
23 | {{- end }}
24 | {{- end }}
25 | 
26 | {{/*
27 | Create chart name and version as used by the chart label.
28 | */}}
29 | {{- define "gitlab2rbac.chart" -}}
30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
31 | {{- end }}
32 | 
33 | {{/*
34 | Common labels
35 | */}}
36 | {{- define "gitlab2rbac.labels" -}}
37 | helm.sh/chart: {{ include "gitlab2rbac.chart" . }}
38 | {{ include "gitlab2rbac.selectorLabels" . }}
39 | {{- if .Chart.AppVersion }}
40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
41 | {{- end }}
42 | app.kubernetes.io/managed-by: {{ .Release.Service }}
43 | {{- end }}
44 | 
45 | {{/*
46 | Selector labels
47 | */}}
48 | {{- define "gitlab2rbac.selectorLabels" -}}
49 | app.kubernetes.io/name: {{ include "gitlab2rbac.name" . }}
50 | app.kubernetes.io/instance: {{ .Release.Name }}
51 | {{- end }}
52 | 
53 | {{/*
54 | Create the name of the service account to use
55 | */}}
56 | {{- define "gitlab2rbac.serviceAccountName" -}}
57 | {{- if .Values.serviceAccount.create }}
58 | {{- default (include "gitlab2rbac.fullname" .) .Values.serviceAccount.name }}
59 | {{- else }}
60 | {{- default "default" .Values.serviceAccount.name }}
61 | {{- end }}
62 | {{- end }}
63 | 


--------------------------------------------------------------------------------
/gitlab2rbac/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
 1 | {{- $top := . -}}
 2 | {{- range $type := $top.Values.ClusterRole.type }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: ClusterRole
 5 | metadata:
 6 |   name: {{ $type.name }}
 7 |   namespace: {{ $top.Release.Namespace }}
 8 | rules:
 9 | {{- toYaml $type.rules | nindent 0 }}
10 | 
11 | ---
12 | {{- end }}
13 | 


--------------------------------------------------------------------------------
/gitlab2rbac/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- $top := . -}}
 2 | {{- range $type := $top.Values.ClusterRoleBinding.type }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: ClusterRoleBinding
 5 | metadata:
 6 |   name: {{ $type.name }}
 7 |   namespace: {{ $top.Release.Namespace }}
 8 | roleRef:
 9 |   apiGroup: {{ $type.roleRefapiGroup | default "rbac.authorization.k8s.io"}}
10 |   kind: {{ $type.roleRefkind | default "ClusterRole" }}
11 |   name: {{ $type.roleRefname | default $type.name }}
12 | subjects:
13 | {{- toYaml $type.subjects | nindent 0 }}
14 | 
15 | ---
16 | {{- end }}
17 | 


--------------------------------------------------------------------------------
/gitlab2rbac/templates/configmap.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ConfigMap
 3 | metadata:
 4 |   name: {{ include "gitlab2rbac.fullname" . }}
 5 |   namespace: {{ .Release.Namespace }}
 6 |   labels:
 7 |     {{- include "gitlab2rbac.labels" . | nindent 4 }}
 8 | data:
 9 |   {{- toYaml .Values.data | nindent 2 }}
10 | 


--------------------------------------------------------------------------------
/gitlab2rbac/templates/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: {{ include "gitlab2rbac.fullname" . }}
 5 |   namespace: {{ .Release.Namespace }}
 6 |   labels:
 7 |     {{- include "gitlab2rbac.labels" . | nindent 4 }}
 8 | spec:
 9 |   {{- if not .Values.autoscaling.enabled }}
10 |   replicas: {{ .Values.replicaCount }}
11 |   {{- end }}
12 |   selector:
13 |     matchLabels:
14 |       {{- include "gitlab2rbac.selectorLabels" . | nindent 6 }}
15 |   template:
16 |     metadata:
17 |       {{- with .Values.podAnnotations }}
18 |       annotations:
19 |         {{- toYaml . | nindent 8 }}
20 |       {{- end }}
21 |       labels:
22 |         {{- include "gitlab2rbac.selectorLabels" . | nindent 8 }}
23 |     spec:
24 |       {{- with .Values.imagePullSecrets }}
25 |       imagePullSecrets:
26 |         {{- toYaml . | nindent 8 }}
27 |       {{- end }}
28 |       serviceAccountName: {{ include "gitlab2rbac.serviceAccountName" . }}
29 |       securityContext:
30 |         {{- toYaml .Values.podSecurityContext | nindent 8 }}
31 |       containers:
32 |         - name: {{ .Chart.Name }}
33 |           securityContext:
34 |             {{- toYaml .Values.securityContext | nindent 12 }}
35 |           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
36 |           imagePullPolicy: {{ .Values.image.pullPolicy }}
37 |           ports:
38 |             - name: http
39 |               containerPort: 80
40 |               protocol: TCP
41 |           {{- with .Values.livenessProbe }}
42 |           livenessProbe:
43 |             {{- toYaml . | nindent 12 }}
44 |           {{- end }}
45 |           {{- with .Values.readinessProbe }}
46 |           readinessProbe:
47 |             {{- toYaml . | nindent 12 }}
48 |           {{- end }}
49 |           resources:
50 |             {{- toYaml .Values.resources | nindent 12 }}
51 |           {{- with .Values.envFrom }}
52 |           envFrom:
53 |             {{- toYaml . | nindent 12 }}
54 |           {{- end }}
55 |       {{- with .Values.nodeSelector }}
56 |       nodeSelector:
57 |         {{- toYaml . | nindent 8 }}
58 |       {{- end }}
59 |       {{- with .Values.affinity }}
60 |       affinity:
61 |         {{- toYaml . | nindent 8 }}
62 |       {{- end }}
63 |       {{- with .Values.tolerations }}
64 |       tolerations:
65 |         {{- toYaml . | nindent 8 }}
66 |       {{- end }}
67 | 


--------------------------------------------------------------------------------
/gitlab2rbac/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.serviceAccount.create -}}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ include "gitlab2rbac.serviceAccountName" . }}
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     {{- include "gitlab2rbac.labels" . | nindent 4 }}
 9 |   {{- with .Values.serviceAccount.annotations }}
10 |   annotations:
11 |     {{- toYaml . | nindent 4 }}
12 |   {{- end }}
13 | {{- end }}
14 | 


--------------------------------------------------------------------------------
/gitlab2rbac/values.yaml:
--------------------------------------------------------------------------------
  1 | replicaCount: 1
  2 | 
  3 | image:
  4 |   repository: numberly/gitlab2rbac
  5 |   pullPolicy: IfNotPresent
  6 |   # tag: ""
  7 | 
  8 | imagePullSecrets: []
  9 | nameOverride: ""
 10 | fullnameOverride: ""
 11 | 
 12 | serviceAccount:
 13 |   # Specifies whether a service account should be created
 14 |   create: true
 15 |   # Annotations to add to the service account
 16 |   annotations: {}
 17 |   # The name of the service account to use.
 18 |   # If not set and create is true, a name is generated using the fullname template
 19 |   name: ""
 20 | 
 21 | podAnnotations: {}
 22 | 
 23 | podSecurityContext:
 24 |   runAsUser:  0 # nobody
 25 |   # runAsUser:  65534 # nobody
 26 | 
 27 | securityContext: {}
 28 | 
 29 | service:
 30 |   type: ClusterIP
 31 |   port: 80
 32 | 
 33 | ingress:
 34 |   enabled: false
 35 | 
 36 | 
 37 | resources: {}
 38 | 
 39 | envFrom:
 40 | - configMapRef:
 41 |     name: gitlab2rbac
 42 | 
 43 | autoscaling:
 44 |   enabled: false
 45 |   minReplicas: 1
 46 |   maxReplicas: 100
 47 |   targetCPUUtilizationPercentage: 80
 48 | 
 49 | nodeSelector: {}
 50 | 
 51 | tolerations: []
 52 | 
 53 | affinity: {}
 54 | 
 55 | ClusterRole:
 56 |   type:
 57 |     - name: gitlab2rbac:authenticated
 58 |       rules:
 59 |       - apiGroups: ["*"]
 60 |         resources:
 61 |           - apiservices
 62 |           - componentstatuses
 63 |           - namespaces
 64 |           - nodes
 65 |         verbs:
 66 |           - get
 67 |           - list
 68 |           - watch
 69 |     - name: gitlab2rbac:guest
 70 |       rules:
 71 |       - apiGroups: ["*"]
 72 |         resources:
 73 |         # workload
 74 |         - cronjobs
 75 |         - daemonsets
 76 |         - deployments
 77 |         - horizontalpodautoscalers
 78 |         - ingresses
 79 |         - jobs
 80 |         - pods
 81 |         - replicasets
 82 |         - replicationcontrollers
 83 |         - services
 84 |         - statefulsets
 85 |         - verticalpodautoscalers
 86 |         # setup
 87 |         - configmaps
 88 |         - endpoints
 89 |         - networkpolicies
 90 |         - persistentvolumeclaims
 91 |         - persistentvolumeclaims/status
 92 |         - poddisruptionbudgets
 93 |         - poddisruptionbudgets/status
 94 |         - serviceaccounts
 95 |         verbs:
 96 |         - get
 97 |         - list
 98 |         - watch
 99 |     - name: gitlab2rbac:reporter
100 |       rules:
101 |       - apiGroups: ["*"]
102 |         resources:
103 |         # actions
104 |         - pods/log
105 |         - pods/portforward
106 |         verbs:
107 |         - create
108 |         - delete
109 |         - get
110 |         - list
111 |         - patch
112 |         - update
113 |         - watch
114 |       - apiGroups: ["*"]
115 |         resources:
116 |         # workload
117 |         - cronjobs
118 |         - daemonsets
119 |         - deployments
120 |         - events
121 |         - horizontalpodautoscalers
122 |         - ingresses
123 |         - jobs
124 |         - pods
125 |         - replicasets
126 |         - replicationcontrollers
127 |         - services
128 |         - statefulsets
129 |         - verticalpodautoscalers
130 |         # setup
131 |         - configmaps
132 |         - endpoints
133 |         - networkpolicies
134 |         - persistentvolumeclaims
135 |         - persistentvolumeclaims/status
136 |         - poddisruptionbudgets
137 |         - poddisruptionbudgets/status
138 |         - serviceaccounts
139 |         verbs:
140 |         - get
141 |         - list
142 |         - watch
143 |     - name: gitlab2rbac:developer
144 |       rules:
145 |       - apiGroups: ["*"]
146 |         resources:
147 |         # workload
148 |         - cronjobs
149 |         - daemonsets
150 |         - deployments
151 |         - deployments/scale
152 |         - horizontalpodautoscalers
153 |         - ingresses
154 |         - jobs
155 |         - pods
156 |         - replicasets
157 |         - replicationcontrollers
158 |         - services
159 |         - statefulsets
160 |         - verticalpodautoscalers
161 |         # actions
162 |         - deployments/rollback
163 |         - deployments/scale
164 |         - pods/attach
165 |         - pods/exec
166 |         - pods/log
167 |         - pods/portforward
168 |         - replicasets/scale
169 |         - replicationcontrollers/scale
170 |         - statefulsets/scale
171 |         # setup
172 |         - certificates
173 |         - configmaps
174 |         - endpoints
175 |         - networkpolicies
176 |         - persistentvolumeclaims
177 |         - persistentvolumeclaims/status
178 |         - poddisruptionbudgets
179 |         - poddisruptionbudgets/status
180 |         - secrets
181 |         - serviceaccounts
182 |         verbs:
183 |         - create
184 |         - delete
185 |         - get
186 |         - list
187 |         - patch
188 |         - update
189 |         - watch
190 |       - apiGroups: ["*"]
191 |         resources:
192 |         # workload
193 |         - events
194 |         # setup
195 |         - limitranges
196 |         - resourcequotas
197 |         - rolebindings
198 |         - roles
199 |         verbs:
200 |         - get
201 |         - list
202 |         - watch
203 |     - name: gitlab2rbac:maintainer
204 |       rules:
205 |       - apiGroups: ["*"]
206 |         resources:
207 |         # workload
208 |         - cronjobs
209 |         - daemonsets
210 |         - deployments
211 |         - deployments/scale
212 |         - events
213 |         - horizontalpodautoscalers
214 |         - ingresses
215 |         - jobs
216 |         - pods
217 |         - replicasets
218 |         - replicationcontrollers
219 |         - services
220 |         - statefulsets
221 |         - verticalpodautoscalers
222 |         # actions
223 |         - deployments/rollback
224 |         - deployments/scale
225 |         - pods/attach
226 |         - pods/exec
227 |         - pods/log
228 |         - pods/portforward
229 |         - replicasets/scale
230 |         - replicationcontrollers/scale
231 |         - statefulsets/scale
232 |         # setup
233 |         - certificates
234 |         - configmaps
235 |         - endpoints
236 |         - limitranges
237 |         - networkpolicies
238 |         - persistentvolumeclaims
239 |         - persistentvolumeclaims/status
240 |         - poddisruptionbudgets
241 |         - poddisruptionbudgets/status
242 |         - resourcequotas
243 |         - rolebindings
244 |         - roles
245 |         - secrets
246 |         - serviceaccounts
247 |         verbs:
248 |         - create
249 |         - delete
250 |         - get
251 |         - list
252 |         - patch
253 |         - update
254 |         - watch
255 |     - name: gitlab2rbac:admin
256 |       rules:
257 |       - apiGroups: ['*']
258 |         resources: ['*']
259 |         verbs: ['*']
260 |       - nonResourceURLs: ['*']
261 |         verbs: ['*']
262 | 
263 | ClusterRoleBinding:
264 |   type:
265 |     - name: gitlab2rbac:authenticated
266 |       subjects:
267 |       - kind: Group
268 |         name: system:authenticated
269 |         apiGroup: rbac.authorization.k8s.io
270 |     - name: gitlab2rbac:guest
271 |       subjects:
272 |       - kind: ServiceAccount
273 |         name: gitlab2rbac
274 |         namespace: gitlab2rbac
275 |     - name: gitlab2rbac:reporter
276 |       subjects:
277 |       - kind: ServiceAccount
278 |         name: gitlab2rbac
279 |         namespace: gitlab2rbac
280 |     - name: gitlab2rbac:developer
281 |       subjects:
282 |       - kind: ServiceAccount
283 |         name: gitlab2rbac
284 |         namespace: gitlab2rbac
285 |     - name: gitlab2rbac:maintainer
286 |       subjects:
287 |       - kind: ServiceAccount
288 |         name: gitlab2rbac
289 |         namespace: gitlab2rbac
290 |     - name: gitlab2rbac:admin
291 |       subjects:
292 |       - kind: ServiceAccount
293 |         name: gitlab2rbac
294 |         namespace: gitlab2rbac
295 |     - name: gitlab2rbac
296 |       roleRefname: cluster-admin
297 |       subjects:
298 |       - kind: ServiceAccount
299 |         name: gitlab-admin
300 |         namespace: kube-system
301 | 


--------------------------------------------------------------------------------
/graph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/numberly/gitlab2rbac/287a5ab877bc943f8b4cd739ea196422ffd253d0/graph.png


--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
1 | [tool.black]
2 | line-length = 79
3 | include = '\.pyi?$'
4 | [tool.commitizen]
5 | name = "cz_conventional_commits"
6 | changelog_start_rev = "1.1.0"
7 | version_provider = 'pep621'
8 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
 1 | cachetools==5.4.0
 2 | certifi==2024.7.4
 3 | charset-normalizer==3.3.2
 4 | google-auth==2.32.0
 5 | gql==3.5.0
 6 | idna==3.7
 7 | kubernetes==30.1.0
 8 | oauthlib==3.2.2
 9 | pyasn1==0.6.0
10 | pyasn1_modules==0.4.0
11 | python-dateutil==2.9.0.post0
12 | python-gitlab==4.9.0
13 | python-slugify==8.0.4
14 | PyYAML==6.0.1
15 | rsa==4.9
16 | six==1.16.0
17 | text-unidecode==1.3
18 | urllib3==2.2.2
19 | websocket-client==1.8.0
20 | 


--------------------------------------------------------------------------------