What Kubernetes permissions does the GitLab Runner Kubernetes executor need?

ece*_*ulm 3 gitlab-ci kubernetes gitlab-ci-runner

I have installed the GitLab Runner on a Kubernetes cluster in the gitlab-runner namespace, like this:

# cat <<EOF | kubectl create -f -
{
  "apiVersion": "v1",
  "kind": "Namespace",
  "metadata": {
    "name": "gitlab-runner",
    "labels": {
      "name": "gitlab-runner"
    }
  }
}
EOF

# helm repo add gitlab https://charts.gitlab.io
# cat <<EOF|helm install --namespace gitlab-runner gitlab-runner -f - gitlab/gitlab-runner
gitlabUrl: https://gitlab.mycompany.com
runnerRegistrationToken: "c................Z"
EOF

The GitLab Runner registers correctly with the GitLab project, but all jobs fail.

A quick look at the GitLab Runner log tells me that the service account used by the GitLab Runner lacks the appropriate permissions:

# kubectl logs --namespace gitlabrunner gitlab-runner-gitlab-runner-xxxxxxxxx
ERROR: Job failed (system failure): pods is forbidden: User "system:serviceaccount:gitlabrunner:default" cannot create resource "pods" in API group "" in the namespace "gitlab-runner"  duration=42.095493ms job=37482 project=yyy runner=xxxxxxx

What permissions does the GitLab Runner Kubernetes executor need?

ece*_*ulm 6

I couldn't find a list of permissions in the GitLab Runner documentation, but I tried adding permissions one by one and compiled the list of permissions required for basic functionality.

The GitLab Runner will use the service account system:serviceaccount:gitlab-runner:default, so we need to create a Role and bind that Role to this service account.

# cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
EOF

# kubectl create rolebinding --namespace=gitlab-runner gitlab-runner-binding --role=gitlab-runner --serviceaccount=gitlab-runner:default

After the Role is bound to the service account, the GitLab Runner will be able to create, exec into and delete pods, and also read their logs.
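The answer above arrives at its Role by adding permissions one at a time until the "forbidden" errors stop. As an added example (not part of the original answer or of GitLab's own tooling), the following Python script automates that check offline: it parses the API server's "forbidden" message as it appears in the runner log, evaluates the request against the RBAC rules of the Role from the answer (the same apiGroups, resources and verbs, including the pods/exec and pods/log subresources and RBAC "*" wildcards), and reports which denied requests the Role still does not cover. The log lines other than the one quoted on the page are constructed for illustration, and the function and constant names are the script's own.

```python
import re

# RBAC rules copied from the Role in the answer above (same apiGroups/resources/verbs).
GITLAB_RUNNER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["list", "get", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
]

# The runner log line quoted in the question, verbatim.
PAGE_LOG_LINE = (
    'ERROR: Job failed (system failure): pods is forbidden: '
    'User "system:serviceaccount:gitlabrunner:default" cannot create resource "pods" '
    'in API group "" in the namespace "gitlab-runner"  duration=42.095493ms '
    'job=37482 project=yyy runner=xxxxxxx'
)

# Constructed log lines (not from the page) in the same format: one request the Role
# covers (pods/exec), one it does not (secrets), and one unrelated line.
SAMPLE_LOG = [
    PAGE_LOG_LINE,
    'ERROR: Job failed (system failure): pods "runner-abc" is forbidden: '
    'User "system:serviceaccount:gitlab-runner:default" cannot create resource "pods/exec" '
    'in API group "" in the namespace "gitlab-runner"',
    'ERROR: Job failed (system failure): secrets is forbidden: '
    'User "system:serviceaccount:gitlab-runner:default" cannot get resource "secrets" '
    'in API group "" in the namespace "gitlab-runner"',
    'INFO: Checking for jobs... received job=37483',
]

# Shape of the kube-apiserver forbidden message; subresources show up as "pods/exec".
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)


def parse_forbidden(line):
    """Return a dict with user/verb/resource/group/namespace, or None if not a forbidden line."""
    m = FORBIDDEN_RE.search(line)
    return m.groupdict() if m else None


def rule_matches(rule, verb, resource, group):
    """One RBAC rule allows the request if group, resource and verb all match ('*' is a wildcard)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def role_allows(rules, verb, resource, group=""):
    """RBAC is purely additive: any single matching rule grants the request."""
    return any(rule_matches(r, verb, resource, group) for r in rules)


def missing_permissions(rules, log_lines):
    """Return the distinct (verb, resource, apiGroup) triples the log complains about
    that the given rules do not grant, in order of first appearance."""
    missing = []
    for line in log_lines:
        denied = parse_forbidden(line)
        if denied is None:
            continue
        key = (denied["verb"], denied["resource"], denied["group"])
        if not role_allows(rules, *key) and key not in missing:
            missing.append(key)
    return missing


if __name__ == "__main__":
    for verb, resource, group in missing_permissions(GITLAB_RUNNER_ROLE_RULES, SAMPLE_LOG):
        print(f"Role does not grant: {verb} {resource} (apiGroup={group!r})")
```

Run against the constructed log it reports only the `get secrets` denial, since the Role from the answer already covers `create pods` and `create pods/exec`; a deliberately empty rule list reports `create pods` for the page's own log line. Before binding a Role, the same question can be put to the live API server with `kubectl auth can-i create pods --namespace gitlab-runner --as system:serviceaccount:gitlab-runner:default`, which evaluates the real RBAC policy rather than a local copy of it.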