Adds documentation for AutoDevOps & RBAC support

1 files changed, 50 insertions, 45 deletions

diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md
index 94744cf8500..472496697f5 100644
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -132,59 +132,64 @@ functionalities needed to successfully build and deploy a containerized
 application. Bare in mind that the same credentials are used for all the
 applications running on the cluster.
 
-When GitLab creates the cluster, it enables and uses the legacy
-[Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/).
-The newer [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)
-authorization is [experimental](#role-based-access-control-rbac).
+## Access controls
 
-### Role-based access control (RBAC) **[CORE ONLY]**
+When creating a cluster in GitLab, you will be asked if you would like to create an
+[Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/) cluster, or
+[Role-based access control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) cluster.
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21401) in GitLab 11.4.
+Whether ABAC or RBAC is enabled for a cluster, and whether you're [new GKE cluster via
+GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab) or [adding an existing 
+Kubernetes cluster](#adding-an-existing-kubernetes-cluster), GitLab will create the necessary 
+service accounts and privileges in order to install and run [GitLab managed applications](#installing-applications):
 
-CAUTION: **Warning:**
-The RBAC authorization is experimental.
+- A `gitlab` service account with `cluster-admin` privileges will be created in the
+`default` namespace, which will be used by GitLab to manage the newly created cluster.
 
-Once RBAC is enabled for a cluster, GitLab will create the necessary service accounts
-and privileges in order to install and run [GitLab managed applications](#installing-applications).
-
-If you are creating a [new GKE cluster via
-GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab), you will be
-asked if you would like to create an RBAC-enabled cluster. Enabling this
-setting will create a `gitlab` service account which will be used by
-GitLab to manage the newly created cluster. To enable this, this service
-account will have the `cluster-admin` privilege.
-
-If you are [adding an existing Kubernetes
-cluster](#adding-an-existing-kubernetes-cluster), you will be asked if
-the cluster you are adding is a RBAC-enabled cluster. Ensure the
-token of the account has administrator privileges for the cluster.
-
-In both cases above, when you install Helm Tiller into your cluster, an
-RBAC-enabled cluster will create a `tiller` service account, with `cluster-admin`
-privileges in the `gitlab-managed-apps` namespace. This service account will be
-added to the installed Helm Tiller and will be used by Helm to install and run
-[GitLab managed applications](#installing-applications).
-
-The table below summarizes which resources will be created in a
-RBAC-enabled cluster :
-
-| Name           | Kind                 | Details                           | Created when               |
-| ---            | ---                  | ---                               | ---                        |
-| `gitlab`       | `ServiceAccount`     | `default` namespace               | Creating a new GKE Cluster |
-| `gitlab-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef           | Creating a new GKE Cluster |
-| `gitlab-token` | `Secret`             | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster |
-| `tiller`       | `ServiceAccount`     | `gitlab-managed-apps` namespace   | Installing Helm Tiller     |
-| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef           | Installing Helm Tiller     |
+- A project service account with `edit` privileges will be created in the
+project namespace (also created by GitLab), which will be used to ensure compatibility
+between [Auto DevOps](../../../topics/autodevops/index.md) and RBAC.
 
+NOTE: **Note:**
+Auto DevOps support for RBAC was introduced on [11.5](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716)
 
-Helm Tiller will also create additional service accounts and other RBAC
-resources for each installed application. Consult the documentation for the
-Helm charts for each application for details.
+- When you install Helm Tiller into your cluster, a cluster will create a 
+`tiller` service account, with `cluster-admin` privileges in the `gitlab-managed-apps` 
+namespace. This service account will be added to the installed Helm Tiller and will 
+be used by Helm to install and run [GitLab managed applications](#installing-applications). 
+Helm Tiller will also create additional service accounts and other resources for each 
+installed application. Consult the documentation for the Helm charts for each application
+for details.
 
 NOTE: **Note:**
-Auto DevOps will not successfully complete in a cluster that only has RBAC
-authorization enabled. RBAC support for Auto DevOps is planned in a
-[future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/44597).
+If you are [adding an existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster),
+ensure the token of the account has administrator privileges for the cluster.
+
+Following sections summarizes which resources will be created on ABAC/RBAC clusters.
+
+### Attribute-based access control (ABAC)
+
+| Name              | Kind                 | Details                           | Created when                      |
+| ---               | ---                  | ---                               | ---                               |
+| `gitlab`          | `ServiceAccount`     | `default` namespace               | Creating a new GKE Cluster        |
+| `gitlab-token`    | `Secret`             | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster        |
+| `tiller`          | `ServiceAccount`     | `gitlab-managed-apps` namespace   | Installing Helm Tiller            |
+| `tiller-admin`    | `ClusterRoleBinding` | `cluster-admin` roleRef           | Installing Helm Tiller            |
+| Project namespace | `ServiceAccount`     | Uses namespace of Project         | Creating/Adding a new GKE Cluster |
+| Project namespace | `Secret`             | Token for project ServiceAccount  | Creating/Adding a new GKE Cluster |
+
+### Role-based access control (RBAC)
+
+| Name                | Kind                 | Details                           | Created when                      |
+| ---                 | ---                  | ---                               | ---                               |
+| `gitlab`            | `ServiceAccount`     | `default` namespace               | Creating a new GKE Cluster        |
+| `gitlab-admin`      | `ClusterRoleBinding` | [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef           | Creating a new GKE Cluster |
+| `gitlab-token`      | `Secret`             | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster        |
+| `tiller`            | `ServiceAccount`     | `gitlab-managed-apps` namespace   | Installing Helm Tiller            |
+| `tiller-admin`      | `ClusterRoleBinding` | `cluster-admin` roleRef           | Installing Helm Tiller            |
+| Project namespace   | `ServiceAccount`     | Uses namespace of Project         | Creating/Adding a new GKE Cluster |
+| Project namespace   | `Secret`             | Token for project ServiceAccount  | Creating/Adding a new GKE Cluster |
+| Project namespace   | `RoleBinding`        | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef                  | Creating/Adding a new GKE Cluster |
 
 ### Security of GitLab Runners