apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-runner
  namespace: public-service
  labels:
    app: gitlab-runner

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  labels:
    app: gitlab-runner
rules:
- apiGroups: [""]
  resources: [pods, pods/exec, secrets]
  verbs: [get, list, watch, create, patch, delete]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner
  namespace: public-service
  labels:
    app: gitlab-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitlab-runner
subjects:
- kind: ServiceAccount
  name: gitlab-runner
  namespace: public-service