kubernetes - Cannot run helm upgrade from gitlab-runner because of a forbidden secrets access rule
Problem description
I want to run helm on a gitlab-runner that runs on kubernetes, as part of a gitlab pipeline.
My gitlab.ci.yaml:
# Deployment step
deploy:
  stage: deploy
  image: alpine/helm:latest
  script:
    - helm --namespace gitlab upgrade initial ./iot/
  tags:
    - k8s
    - dev
What I have done so far:
- Installed gitlab-runner on my kubernetes with helm ( https://docs.gitlab.com/runner/install/kubernetes.html )
My values.yaml:
image: gitlab/gitlab-runner:alpine-v11.6.0
imagePullPolicy: IfNotPresent
gitlabUrl: https://gitlab.com/
runnerRegistrationToken: "mytoken"
unregisterRunners: true
terminationGracePeriodSeconds: 3600
concurrent: 10
checkInterval: 30
## For RBAC support:
rbac:
  create: true
  ## Define specific rbac permissions.
  # resources: ["pods", "pods/exec", "secrets"]
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]
  ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs cluster-wide or only within namespace
  clusterWideAccess: false
metrics:
  enabled: true
## Configuration for the Pods that the runner launches for each new job
##
runners:
  ## Default container image to use for builds when none is specified
  ##
  image: ubuntu:16.04
  locked: false
  tags: "k8s,dev"
  privileged: true
  namespace: gitlab
  pollTimeout: 180
  outputLimit: 4096
  cache: {}
  ## Build Container specific configuration
  ##
  builds: {}
  # cpuLimit: 200m
  # memoryLimit: 256Mi
  # cpuRequests: 100m
  # memoryRequests: 128Mi
  ## Service Container specific configuration
  ##
  services: {}
  # cpuLimit: 200m
  # memoryLimit: 256Mi
  # cpuRequests: 100m
  # memoryRequests: 128Mi
  ## Helper Container specific configuration
  ##
  helpers: {}
securityContext:
  fsGroup: 65533
  runAsUser: 100
## Configure resource requests and limits ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}
affinity: {}
nodeSelector: {}
tolerations: []
envVars:
  - name: RUNNER_EXECUTOR
    value: kubernetes
## list of hosts and IPs that will be injected into the pod's hosts file
hostAliases: []
podAnnotations: {}
podLabels: {}
- gitlab-runner connected to gitlab.com successfully
But when the deploy step runs, I get the following message on gitlab:
Error: UPGRADE FAILED: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" in the namespace "gitlab"
I checked my RBAC ClusterRules and they are all set by default to wildcards on verbs and resources, but I also tried setting the required permissions explicitly:
resources: ["pods", "pods/exec", "secrets"]
verbs: ["get", "list", "watch", "create", "patch", "delete"]
Nothing worked :-( What am I doing wrong?
Solution
I solved the same problem by setting runners.serviceAccountName to a serviceAccount that I created in the namespace with all permissions.
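The error message above names system:serviceaccount:gitlab:default, the namespace's default ServiceAccount that job pods run as while runners.serviceAccountName is unset. Rather than giving that account "all permissions", a least-privilege version of the answer is a dedicated ServiceAccount bound by a namespaced Role that covers Helm's release secrets and only the resource kinds the chart manages; the manifest below is an added example, not code from the original post or from the gitlab-runner project. The account name helm-deployer and the resource kinds assumed for ./iot/ (Deployments, Services, ConfigMaps) are assumptions.

```yaml
# Constructed example: least-privilege RBAC for Helm 3 inside a gitlab-runner
# job pod in the "gitlab" namespace. The ServiceAccount name "helm-deployer"
# and the resource kinds granted are assumptions, not taken from the post.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm-deployer
  namespace: gitlab
---
# Helm 3 stores release state in Secrets in the release namespace, which is
# what the "cannot list resource secrets" error is about. A namespaced Role
# is sufficient; no ClusterRole, wildcard verbs or cluster-admin is required.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: helm-release-manager
  namespace: gitlab
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # One rule per resource kind the chart in ./iot/ actually creates (assumed
  # here: Deployments, Services, ConfigMaps); grant nothing it does not manage.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-deployer-release-manager
  namespace: gitlab
subjects:
  - kind: ServiceAccount
    name: helm-deployer
    namespace: gitlab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: helm-release-manager
# Then point the runner's job pods at this account in the gitlab-runner
# chart's values.yaml (fragment) and upgrade the runner release:
#   runners:
#     namespace: gitlab
#     serviceAccountName: helm-deployer
```

Before re-running the pipeline, confirm the binding with kubectl auth can-i list secrets -n gitlab --as=system:serviceaccount:gitlab:helm-deployer, which should print yes.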