Diffstat (limited to 'app/services/clusters')
-rw-r--r-- | app/services/clusters/kubernetes.rb | 2 | ||||
-rw-r--r-- | app/services/clusters/kubernetes/create_or_update_service_account_service.rb | 32 |
2 files changed, 34 insertions, 0 deletions
diff --git a/app/services/clusters/kubernetes.rb b/app/services/clusters/kubernetes.rb
index 819ac4c8464..ef549b56946 100644
--- a/app/services/clusters/kubernetes.rb
+++ b/app/services/clusters/kubernetes.rb
@@ -14,5 +14,7 @@ module Clusters
 GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
 KNATIVE_SERVING_NAMESPACE = 'knative-serving'
 ISTIO_SYSTEM_NAMESPACE = 'istio-system'
+ GITLAB_CILIUM_ROLE_NAME = 'gitlab-cilium-role'
+ GITLAB_CILIUM_ROLE_BINDING_NAME = 'gitlab-cilium-rolebinding'
 end
 end
diff --git a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
index eabc428d0d2..ecad33fc7c0 100644
--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -53,6 +53,8 @@ module Clusters
 create_or_update_knative_serving_role_binding
 create_or_update_crossplane_database_role
 create_or_update_crossplane_database_role_binding
+ create_or_update_cilium_role
+ create_or_update_cilium_role_binding
 end
 
 private
@@ -97,6 +99,14 @@ module Clusters
 kubeclient.update_role_binding(crossplane_database_role_binding_resource)
 end
 
+ def create_or_update_cilium_role
+ kubeclient.update_role(cilium_role_resource)
+ end
+
+ def create_or_update_cilium_role_binding
+ kubeclient.update_role_binding(cilium_role_binding_resource)
+ end
+
 def service_account_resource
 Gitlab::Kubernetes::ServiceAccount.new(
 service_account_name,
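Review bot: In the `@@ -53,6 +53,8 @@` hunk of `create_or_update_service_account_service.rb`, `create_or_update_cilium_role` and `create_or_update_cilium_role_binding` are appended with no visible condition on Cilium being in use on the cluster, so every namespace that reaches this point would receive the extra Role and RoleBinding. The enclosing method starts outside the hunk, so an earlier guard may exist. If none does, a comment such as `# Cilium RBAC is provisioned for every managed namespace, whether or not Cilium is installed` would record that the grant is intentional, or the two calls could sit behind whatever check indicates Cilium is installed. Granting the permission only when the feature is in use keeps the service account closer to least privilege.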
@@ -175,6 +185,28 @@ module Clusters
 service_account_name: service_account_name
 ).generate
 end
+
+ def cilium_role_resource
+ Gitlab::Kubernetes::Role.new(
+ name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+ namespace: service_account_namespace,
+ rules: [{
+ apiGroups: %w(cilium.io),
+ resources: %w(ciliumnetworkpolicies),
+ verbs: %w(get list create update patch)
+ }]
+ ).generate
+ end
+
+ def cilium_role_binding_resource
+ Gitlab::Kubernetes::RoleBinding.new(
+ name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_BINDING_NAME,
+ role_name: Clusters::Kubernetes::GITLAB_CILIUM_ROLE_NAME,
+ role_kind: :Role,
+ namespace: service_account_namespace,
+ service_account_name: service_account_name
+ ).generate
+ end
 end
 end
 end
|
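Review bot: The rule in `cilium_role_resource` gives the namespace service account `create update patch` on `ciliumnetworkpolicies`, so whatever holds that account's token can rewrite the network policies that are meant to confine workloads in the same namespace. If write access is required, that is worth stating next to the rule, e.g. `# Write access lets deployments apply their own CiliumNetworkPolicy; scoped to this namespace via Role, not ClusterRole`; if read access would be enough, the verbs could shrink to `%w(get list)`. The list also omits `delete`, so policies created through this role cannot be removed by it, and a one-line comment saying whether that is deliberate would help the next reader. Writes to this resource by the service account are a sensible thing to cover in cluster audit logging.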