Jenkins is running as a pod in a private GKE cluster. Currently when executing deployments using helm, the following error is encountered.
User "system:serviceaccount:jenkins:jenkins" cannot list resource "pods" in API group "" in the namespace "kube-system"
The command used for deployment is
helm install --values=/values_env.yaml --name / --set image.repository= --set image.tag= --namespace
The service account jenkins doesn't have privileges to list pods in kube-system. You have to create Roles with those privileges and bind them with a ClusterRoleBinding / RoleBinding to the jenkins service account.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  verbs:
  - get
  - list
  - watch
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - update
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - delete
  - list
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - "extensions"
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins
roleRef:
  kind: ClusterRole
  name: jenkins
  apiGroup: rbac.authorization.k8s.io
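
Added example, not part of the original answer: a simplified Python model of how RBAC matches a request against rules, run over the ClusterRole above transcribed as dicts. It shows the failing `list pods` request denied with no rules and allowed with them, and lists the grants that a ClusterRoleBinding extends to every namespace; `can_i` and `sensitive_grants` are hypothetical helper names, and resourceNames and nonResourceURLs are not modelled.

```python
# Rules transcribed from the ClusterRole "jenkins" in the answer above.
JENKINS_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints"],
     "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "list", "watch", "update", "create"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "delete", "list"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["list", "watch", "get"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses/status"], "verbs": ["update"]},
    {"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

def _match(allowed, wanted):
    # "*" is the RBAC wildcard for verbs, apiGroups and resources.
    return "*" in allowed or wanted in allowed

def _resource_match(allowed, resource):
    # A subresource such as "pods/exec" is NOT covered by a grant on "pods";
    # it needs an exact entry, "*", or the "*/exec" form.
    if _match(allowed, resource):
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in allowed
    return False

def can_i(rules, verb, group, resource):
    """True if any rule allows verb on resource in the given API group."""
    return any(_match(r["verbs"], verb) and _match(r["apiGroups"], group)
               and _resource_match(r["resources"], resource) for r in rules)

def sensitive_grants(rules):
    """(verb, resource) pairs worth reviewing when the role is bound cluster-wide."""
    checks = [("get", "", "secrets"), ("list", "", "secrets"),
              ("delete", "", "pods"), ("create", "", "pods/exec"),
              ("create", "rbac.authorization.k8s.io", "clusterrolebindings")]
    return [(v, r) for v, g, r in checks if can_i(rules, v, g, r)]

if __name__ == "__main__":
    # The request from the error message: list pods in the core ("") API group.
    print("without the role:", can_i([], "list", "", "pods"))
    print("with the role:   ", can_i(JENKINS_RULES, "list", "", "pods"))
    print("review before binding cluster-wide:", sensitive_grants(JENKINS_RULES))
```

On a live cluster the equivalent check is `kubectl auth can-i list pods -n kube-system --as=system:serviceaccount:jenkins:jenkins`.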