Cannot run GitLab Runner in a Kubernetes cluster: cannot create resource "secrets" in API group "" in the namespace "gitlab"

l3zydbqr, posted 2023-01-20 in Kubernetes
Follow (0) | Answers (6) | Views (286)

After following the official documentation on how to integrate the GitLab Runner, I am currently facing this problem:

ERROR: Job failed (system failure):
prepare environment:
setting up credentials:
secrets is forbidden:
User "system:serviceaccount:default:gitlab-runner" cannot create
resource "secrets" in API group "" in the namespace "gitlab"

I am using the following runner-chart-values.yaml:

# The GitLab Server URL (with protocol) that want to register the runner against
# ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
#
gitlabUrl: http://example.domain/

# The Registration Token for adding new runners to the GitLab Server. This must
# be retrieved from your GitLab instance.
# ref: https://docs.gitlab.com/ce/ci/runners/README.html
#
runnerRegistrationToken: "<token>"

# For RBAC support:
rbac:
    create: true
    rules:
      - apiGroups: ["*"]

# Run all containers with the privileged flag enabled
# This will allow the docker:dind image to run if you need to run Docker
# commands. Please read the docs before turning this on:
# ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-dockerdind
runners:
    privileged: true

Any clues?
Many thanks!

cgh8pdjw 1#

For me, adding all the necessary roles was the only solution that really helped.
Below is the corresponding runner-chart-values.yaml file:

## GitLab Runner Image
gitlabUrl: http://example.domain/
runnerRegistrationToken: "<token>"

rbac:
  create: true
  rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list", "get", "watch", "create", "delete"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get"]
    - apiGroups: [""]
      resources: ["pods/attach"]
      verbs: ["list", "get", "create", "delete", "update"]
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["list", "get", "create", "delete", "update"]
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["list", "get", "create", "delete", "update"]

runners:
  privileged: true

gupuwyp2 2#

There seems to be a namespace mismatch, but you can try the following option:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]

Make sure you are creating the role for the service account in the correct namespace.
Command to create the role binding:

kubectl create rolebinding --namespace=gitlab-runner gitlab-runner-binding --role=gitlab-runner --serviceaccount=gitlab-runner:default

Here is some good documentation: https://medium.com/@ruben.laguna/installing-a-gitlab-runner-on-kubernetes-ac386c924bc8

ebdffaop 3#

Here is a complete solution using Helm, in which I copied the rights proposed in Richard's answer.
Using the following template (gitlab-rbac/templates), we can patch a given namespace with this command:

helm upgrade -i gitlab-rbac-name ./gitlab-rbac \
-n your-namespace-here --create-namespace

After installation, you can check the current permissions with:

kubectl auth can-i create secrets --as=system:serviceaccount:gitlab:default \
-n your-namespace-here

The template gitlab-rbac/templates/rbac.yaml contains the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Namespace }}-admin
  namespace: {{ .Release.Namespace }}
rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list", "get", "watch", "create", "delete"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get"]
    - apiGroups: [""]
      resources: ["pods/attach"]
      verbs: ["list", "get", "create", "delete", "update"]
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["list", "get", "create", "delete", "update"]
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["list", "get", "create", "delete", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner-{{ .Release.Namespace }}-admin
  namespace: {{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitlab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Namespace }}-admin

Note that you may need to give your runners more permissions, and you may have to update the rules depending on your pipeline. For example, if you allow templates to create namespaces, you need to add a cluster-wide role for that. This means adding the following to the template file:

# ... Role and RoleBinding templates
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-admin
rules:
  - apiGroups: ['']
    resources: ['namespaces']
    verbs: ['create']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-runner-namespace-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitlab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-admin

In this example the values file (gitlab-rbac/values.yaml) is empty, since we only use the namespace parameter.
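The three answers above come down to two checks: does some rule in the Role actually grant the verb on the resource, and are the Role and its RoleBinding in the namespace the job runs in, bound to the service account named in the error. As an added example (not code from any answer or from the GitLab chart), this Python evaluator parses the runner's forbidden message and applies those checks the way the RBAC authorizer reads rules; the message and rule lists are constructed from this page, and `diagnose` and its parameters are hypothetical names.

```python
import re

# Constructed sample: the "forbidden" message quoted in the question.
FORBIDDEN_MSG = ('secrets is forbidden: User "system:serviceaccount:default:gitlab-runner" '
                 'cannot create resource "secrets" in API group "" in the namespace "gitlab"')

# The wording is fixed by the API server's RBAC authorizer, so it can be parsed reliably.
MSG_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"')

def parse_forbidden(msg):
    m = MSG_RE.search(msg)
    if not m:
        raise ValueError("not a Kubernetes RBAC forbidden message")
    return m.groupdict()

def rule_allows(rule, group, resource, verb):
    """One RBAC rule as the authorizer reads it: apiGroups, resources and verbs must
    all match, "*" is a wildcard, and a list that is absent matches nothing."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))

def diagnose(msg, role_rules, binding_ns, bound_sa):
    """Hypothetical helper: binding_ns is where Role and RoleBinding live,
    bound_sa is the (namespace, name) of the ServiceAccount subject in the binding."""
    f = parse_forbidden(msg)
    if (f["sa_ns"], f["sa"]) != bound_sa:
        return f"binding subject {bound_sa} is not the denied account ({f['sa_ns']}, {f['sa']})"
    if binding_ns != f["ns"]:
        return f"Role/RoleBinding live in {binding_ns!r} but the job runs in {f['ns']!r}"
    if not any(rule_allows(r, f["group"], f["resource"], f["verb"]) for r in role_rules):
        return f"no rule grants {f['verb']} on {f['resource']} in API group {f['group']!r}"
    return "allowed"

# Constructed from the page: the asker's lone rule versus the first answer's rules (abridged).
ASKER_RULES = [{"apiGroups": ["*"]}]
ANSWER_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "get", "create", "delete", "update"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["list", "get", "create", "delete", "update"]},
]

if __name__ == "__main__":
    sa = ("default", "gitlab-runner")
    print(diagnose(FORBIDDEN_MSG, ASKER_RULES, "gitlab", sa))          # no rule grants create on secrets ...
    print(diagnose(FORBIDDEN_MSG, ANSWER_RULES, "gitlab", sa))         # allowed
    print(diagnose(FORBIDDEN_MSG, ANSWER_RULES, "gitlab-runner", sa))  # Role/RoleBinding live in 'gitlab-runner' ...
```

The third call reproduces the mismatch the second answer describes: a correct rule set bound in `gitlab-runner` still cannot help a job scheduled into `gitlab`.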

ccgok5k5 4#

Extending Harsh's answer: make sure you are using "gitlab-runner" as the active namespace, or pass the --namespace=gitlab-runner flag. To switch the active namespace, use the following command:

kubens gitlab-runner

so that you don't have to pass --namespace=gitlab-runner every time.
JFYI, I went through the steps from the article on my k8s cluster and it works fine for me.

quhf5bfb 5#

I got the same error too, so I used this approach, and it resolved my error.

helm install --namespace <NAMESPACE> gitlab-runner -f values.yml --set rbac.create=true gitlab/gitlab-runner

nmpmafwu 6#

In addition to the other answers, here is a link to the official documentation, which lists the permissions required depending on the strategy in use:

Documentation link: https://docs.gitlab.com/runner/executors/kubernetes.html
