时间戳

首页 > 解决方案 > 由于禁止的秘密访问规则,无法在 gitlab-runner 中使用 helm upgrade

kubernetes - 由于禁止的秘密访问规则,无法在 gitlab-runner 中使用 helm upgrade

问题描述

我想在 gitlab 管道中的 kubernetes 上的 gitlab-runner 上使用执行 helm。

我的 gitlab.ci.yaml:

# Deployment step
deploy:
  stage: deploy
  image: alpine/helm:latest
  script:
    - helm --namespace gitlab upgrade initial ./iot/
  tags:
    - k8s
    - dev

到目前为止我做了什么:

  1. 用 helm 在我的 kubernetes 上安装了 gitlab-runner ( https://docs.gitlab.com/runner/install/kubernetes.html )

我的价值观.yaml:

image: gitlab/gitlab-runner:alpine-v11.6.0

imagePullPolicy: IfNotPresent

gitlabUrl: https://gitlab.com/

runnerRegistrationToken: "mytoken"

unregisterRunners: true

terminationGracePeriodSeconds: 3600

concurrent: 10

checkInterval: 30

## For RBAC support:
rbac:
  create: true
  ## Define specific rbac permissions.
  # resources: ["pods", "pods/exec", "secrets"] 
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]
  ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs cluster-wide or only within namespace
  clusterWideAccess: false

metrics:
  enabled: true
## Configuration for the Pods that that the runner launches for each new job
##
runners:
  ## Default container image to use for builds when none is specified
  ##
  image: ubuntu:16.04

  locked: false
  tags: "k8s,dev"
  privileged: true

  namespace: gitlab
  pollTimeout: 180
  outputLimit: 4096

  cache: {}
  ## Build Container specific configuration
  ##
  builds: {}
    # cpuLimit: 200m memoryLimit: 256Mi cpuRequests: 100m memoryRequests: 128Mi
  ## Service Container specific configuration
  ##
  services: {}
    # cpuLimit: 200m memoryLimit: 256Mi cpuRequests: 100m memoryRequests: 128Mi
  ## Helper Container specific configuration
  ##
  helpers: {}
securityContext:
  fsGroup: 65533
  runAsUser: 100
## Configure resource requests and limits ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}

affinity: {}

nodeSelector: {}

tolerations: []

envVars:
    name: RUNNER_EXECUTOR
    value: kubernetes
## list of hosts and IPs that will be injected into the pod's hosts file
hostAliases: []

podAnnotations: {}

podLabels: {}
  1. gitlab-runner 与 gitlab.com 成功连接

但是在执行部署步骤时,我在 gitlab 上收到以下消息:

 Error: UPGRADE FAILED: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" in the namespace "gitlab"

我检查了我的 RBAC ClusterRules 并且它们都默认设置为动词和资源上的通配符,但我也尝试设置所需的权限:

  resources: ["pods", "pods/exec", "secrets"] 
  verbs: ["get", "list", "watch", "create", "patch", "delete"]

没有任何效果:-(当我做错了?

标签: kubernetesgitlabgitlab-ci-runnerrbac

解决方案

我通过将 runners.serviceAccountName 设置为我在命名空间中创建的具有所有权限的 serviceAccount 解决了同样的问题。

推荐阅读