K
Q

Not able to execute GitLab Runner in Kubernetes cluster: cannot create resource "secrets" in API group "" in the namespace "gitlab"

9/18/2021

Currently I'm facing the issue: 

ERROR: Job failed (system failure): 
prepare environment: 
setting up credentials: 
secrets is forbidden: 
User "system:serviceaccount:default:gitlab-runner" cannot create
resource "secrets" in API group "" in the namespace "gitlab"` 
after following the official documentation on how to integrate the GitLab Runner.

I'm using the following runner-chart-values.yaml:

# The GitLab Server URL (with protocol) that want to register the runner against
# ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
#
gitlabUrl: http://example.domain/

# The Registration Token for adding new runners to the GitLab Server. This must
# be retrieved from your GitLab instance.
# ref: https://docs.gitlab.com/ce/ci/runners/README.html
#
runnerRegistrationToken: "<token>"

# For RBAC support:
rbac:
    create: true
    rules:
      - apiGroups: ["*"]

# Run all containers with the privileged flag enabled
# This will allow the docker:dind image to run if you need to run Docker
# commands. Please read the docs before turning this on:
# ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-dockerdind
runners:
    privileged: true

Any clues what's going on?

Many thanks!

-- andreas.teich
docker
gitlab
gitlab-ci
gitlab-ci-runner
kubernetes

Similar Questions

How to use my values.yaml's values in stable/mongo subchart's secrets?
Kubernetes network config
Cannot read configmap with name: [xx] in namespace ['default'] Ignoring
“Error: forwarding ports: Upgrade request required” Error in helm of a kubernetes cluster
Readiness probe failed: Get http://10.244.2.183:5000/: dial tcp 10.244.2.183:5000: connect: connection refused Back-off restarting failed container

3 Answers

9/24/2021

Extending Harsh's answer: Please make sure that you're working under active 'gitlab-runner' namespace or using the key --namespace=gitlab-runner. To switch between active namespaces, please use the following command:

kubens gitlab-runner

So you don't need to use --namespace=gitlab-runner everytime.

JFYI, I've done that steps from the article on my k8s cluster and it works fine for me.

-- Bazhikov
Source: StackOverflow
9/19/2021

Looks like there is namespace mismatch however you can try this below option 

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]

make sure you are creating the service account of Role to proper namespace.

Command to create Role binding

kubectl create rolebinding --namespace=gitlab-runner gitlab-runner-binding --role=gitlab-runner --serviceaccount=gitlab-runner:default

here is nice documentation : https://medium.com/@ruben.laguna/installing-a-gitlab-runner-on-kubernetes-ac386c924bc8

-- Harsh Manvar
Source: StackOverflow
1/11/2022

For me adding all necessary roles was the only solution that actually helped.

Here the corresponding runner-chart-values.yaml file:

## GitLab Runner Image
gitlabUrl: http://example.domain/
runnerRegistrationToken: "<token>"

rbac:
  create: true
  rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list", "get", "watch", "create", "delete"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get"]
    - apiGroups: [""]
      resources: ["pods/attach"]
      verbs: ["list", "get", "create", "delete", "update"]
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["list", "get", "create", "delete", "update"]      
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["list", "get", "create", "delete", "update"]      

runners:
  privileged: true
-- Richard
Source: StackOverflow