use*_*888 5 continuous-integration pipeline gitlab kubernetes
I have a Kubernetes cluster (RancherOS & RKE) with a running gitlab-runner pod. The connection to my GitLab instance works fine.
If I trigger a pipeline, it fails immediately with the following error:
Running with gitlab-runner 11.4.2 (cf91d5e1)
on Kubernetes Runner e5e25776
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image ubuntu:latest ...
ERROR: Job failed (system failure): pods is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot create pods in the namespace "gitlab-managed-apps"
Here is my gitlab-runner deployment yaml:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: gitlab-runner
  namespace: gitlab-managed-apps
spec:
  replicas: 1
  selector:
    matchLabels:
      name: gitlab-runner
  template:
    metadata:
      labels:
        name: gitlab-runner
    spec:
      containers:
      - args:
        - run
        image: gitlab/gitlab-runner:latest
        imagePullPolicy: Always
        name: gitlab-runner
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /etc/gitlab-runner
          name: config
        - mountPath: /etc/ssl/certs
          name: cacerts
          readOnly: true
      restartPolicy: Always
      volumes:
      - configMap:
          name: gitlab-runner
        name: config
      - hostPath:
          path: /usr/share/ca-certificates/mozilla
        name: cacerts
      hostNetwork: true
I tried adding a security context with the parameter "privileged: true", but that did not help.
Does anyone know how to give the gitlab-runner deployment the correct permissions to create other pods in the namespace "gitlab-managed-apps"?
Thanks a lot :)
小智 7
Your service account lacks permissions. I ran into a similar problem when creating secrets.
You do not need to write any extra files to grant access; it can be done with kubectl alone. You should create a role binding, i.e. grant a role to the default service account in the namespace. A full description is available here.
In your case the command would look like this:
kubectl create rolebinding default-view --clusterrole=edit --serviceaccount=gitlab-managed-apps:default --namespace=gitlab-managed-apps
In your deployment yaml you have not added spec.template.spec.serviceAccountName, which means it uses the default service account named default in your deployment's namespace gitlab-managed-apps. And there is no rbac rule allowing it to create pods, as the error you posted says.
For details see https://kubernetes.io/docs/reference/access-authn-authz/rbac/.
There is more than one way to solve this problem. Here is one:
First create an rbac rule and bind it to a serviceaccount. Here is an example:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: gitlab-managed-apps
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: gitlab-managed-apps
  name: gitlab
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab
  namespace: gitlab-managed-apps
subjects:
- kind: ServiceAccount
  name: gitlab # Name is case sensitive
  apiGroup: ""
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: gitlab # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
Then edit your deployment yaml to add the serviceaccount:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: gitlab-runner
  namespace: gitlab-managed-apps
spec:
  replicas: 1
  selector:
    matchLabels:
      name: gitlab-runner
  template:
    metadata:
      labels:
        name: gitlab-runner
    spec:
      serviceAccountName: gitlab
      containers:
      - args:
        - run
        image: gitlab/gitlab-runner:latest
        imagePullPolicy: Always
        name: gitlab-runner
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /etc/gitlab-runner
          name: config
        - mountPath: /etc/ssl/certs
          name: cacerts
          readOnly: true
      restartPolicy: Always
      volumes:
      - configMap:
          name: gitlab-runner
        name: config
      - hostPath:
          path: /usr/share/ca-certificates/mozilla
        name: cacerts
      hostNetwork: true
Then deploy your gitlab instance and whatever else you need.
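As an added illustration, not part of either answer, here is a small Python model of how the apiserver evaluates the Role and RoleBinding above: it confirms that the gitlab service account may create pods only inside gitlab-managed-apps, and that the default service account named in the original error still gets the same forbidden answer. The dict manifests and the helper names are constructed for this example; ClusterRole and ClusterRoleBinding are not modelled.

```python
# Toy RBAC evaluator for the Role/RoleBinding above (constructed; not Kubernetes code).
# Manifests are Python dicts mirroring the YAML, so no PyYAML is needed; only
# namespaced Role/RoleBinding are modelled, ClusterRole(Binding) is out of scope.

ROLE = {  # constructed copy of the answer's Role
    "metadata": {"namespace": "gitlab-managed-apps", "name": "gitlab"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}],
}
ROLEBINDING = {  # constructed copy of the answer's RoleBinding
    "metadata": {"namespace": "gitlab-managed-apps", "name": "gitlab"},
    "subjects": [{"kind": "ServiceAccount", "name": "gitlab"}],
    "roleRef": {"kind": "Role", "name": "gitlab"},
}

def _subject_matches(subject, binding_ns, sa_ns, sa_name):
    # A ServiceAccount subject without a namespace refers to the binding's own namespace.
    if subject.get("kind") != "ServiceAccount":
        return False
    return (subject.get("namespace") or binding_ns) == sa_ns and subject.get("name") == sa_name

def _rule_allows(rule, api_group, resource, verb):
    # Match one PolicyRule; "*" acts as a wildcard in each list.
    hit = lambda wanted, allowed: wanted in allowed or "*" in allowed
    return (hit(api_group, rule.get("apiGroups", []))
            and hit(resource, rule.get("resources", []))
            and hit(verb, rule.get("verbs", [])))

def can_i(roles, bindings, sa_ns, sa_name, namespace, verb, resource, api_group=""):
    """True if system:serviceaccount:<sa_ns>:<sa_name> may <verb> <resource> in <namespace>."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        b_ns = b["metadata"]["namespace"]
        if b_ns != namespace:  # a RoleBinding never grants anything outside its own namespace
            continue
        if not any(_subject_matches(s, b_ns, sa_ns, sa_name) for s in b.get("subjects", [])):
            continue
        role = by_key.get((b_ns, b["roleRef"]["name"]))  # Role must live in the same namespace
        if role and any(_rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: no matching binding+rule means forbidden

def explain(roles, bindings, sa_ns, sa_name, namespace, verb, resource):
    """'allowed', or an apiserver-style message shaped like the error in the question."""
    if can_i(roles, bindings, sa_ns, sa_name, namespace, verb, resource):
        return "allowed"
    return (f'{resource} is forbidden: User "system:serviceaccount:{sa_ns}:{sa_name}" '
            f'cannot {verb} {resource} in the namespace "{namespace}"')
```

The real cluster answers the same questions with `kubectl auth can-i create pods --as=system:serviceaccount:gitlab-managed-apps:gitlab -n gitlab-managed-apps`, which is the quickest way to confirm a binding before re-running the pipeline.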
Views: 4651