K
Q

Cannot use helm upgrade in a gitlab-runner due forbidden secret access rules

4/4/2020

I want to use execute helm on a gitlab-runner on my kubernetes in gitlab pipelines.

My gitlab.ci.yaml:

# Deployment step
deploy:
  stage: deploy
  image: alpine/helm:latest
  script:
    - helm --namespace gitlab upgrade initial ./iot/
  tags:
    - k8s
    - dev

What i have done so far:

  1. Installed the gitlab-runner on my kubernetes with helm (https://docs.gitlab.com/runner/install/kubernetes.html)

My values.yaml:

image: gitlab/gitlab-runner:alpine-v11.6.0

imagePullPolicy: IfNotPresent

gitlabUrl: https://gitlab.com/

runnerRegistrationToken: "mytoken"

unregisterRunners: true

terminationGracePeriodSeconds: 3600

concurrent: 10

checkInterval: 30

## For RBAC support:
rbac:
  create: true
  ## Define specific rbac permissions.
  # resources: ["pods", "pods/exec", "secrets"] 
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]
  ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs cluster-wide or only within namespace
  clusterWideAccess: false

metrics:
  enabled: true
## Configuration for the Pods that that the runner launches for each new job
##
runners:
  ## Default container image to use for builds when none is specified
  ##
  image: ubuntu:16.04

  locked: false
  tags: "k8s,dev"
  privileged: true

  namespace: gitlab
  pollTimeout: 180
  outputLimit: 4096

  cache: {}
  ## Build Container specific configuration
  ##
  builds: {}
    # cpuLimit: 200m memoryLimit: 256Mi cpuRequests: 100m memoryRequests: 128Mi
  ## Service Container specific configuration
  ##
  services: {}
    # cpuLimit: 200m memoryLimit: 256Mi cpuRequests: 100m memoryRequests: 128Mi
  ## Helper Container specific configuration
  ##
  helpers: {}
securityContext:
  fsGroup: 65533
  runAsUser: 100
## Configure resource requests and limits ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}

affinity: {}

nodeSelector: {}

tolerations: []

envVars:
    name: RUNNER_EXECUTOR
    value: kubernetes
## list of hosts and IPs that will be injected into the pod's hosts file
hostAliases: []

podAnnotations: {}

podLabels: {}
  1. gitlab-runner is succesfully connected with gitlab.com

But i get the following message on gitlab when executing the deployment step:

 Error: UPGRADE FAILED: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" in the namespace "gitlab"

I've checked my RBAC ClusterRules and they are all per default set to a wildcard on verbs and ressources but i have also tried to set the needed rights:

  resources: ["pods", "pods/exec", "secrets"] 
  verbs: ["get", "list", "watch", "create", "patch", "delete"]

Nothing worked :-( When i have done wrong?

-- rubiktubik
gitlab
gitlab-ci-runner
kubernetes
rbac

Similar Questions

Difference between kubectl port-forwarding and NodePort service
Reconcile dependent objects k8s controller runtime
ProgramInvocationException: The main method caused an error: null run flink task in kubernetes cluster
Init container to be ran only once per deployment

1 Answer

5/12/2020

I hope I have found the decision for this problem. Try to create clusterrolebinding like this

kubectl create clusterrolebinding gitlab-cluster-admin --clusterrole=cluster-admin --group=system:serviceaccounts
-- radikkit
Source: StackOverflow