Not able to execute GitLab Runner in Kubernetes cluster: cannot create resource "secrets" in API group "" in the namespace "gitlab"
The problem I'm currently running into:
ERROR: Job failed (system failure):
prepare environment:
setting up credentials:
secrets is forbidden:
User "system:serviceaccount:default:gitlab-runner" cannot create
resource "secrets" in API group "" in the namespace "gitlab"
after following the official documentation on how to integrate the GitLab Runner.
I am using the following runner-chart-values.yaml:
# The GitLab Server URL (with protocol) that want to register the runner against
# ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
#
gitlabUrl: http://example.domain/
# The Registration Token for adding new runners to the GitLab Server. This must
# be retrieved from your GitLab instance.
# ref: https://docs.gitlab.com/ce/ci/runners/README.html
#
runnerRegistrationToken: "<token>"
# For RBAC support:
rbac:
  create: true
  rules:
    - apiGroups: ["*"]
# Run all containers with the privileged flag enabled
# This will allow the docker:dind image to run if you need to run Docker
# commands. Please read the docs before turning this on:
# ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-dockerdind
runners:
  privileged: true
Any clue?
Thanks a lot!
It looks like a namespace mismatch, but you can try the option below:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
Make sure you are creating the service account for the Role in the correct namespace.
Command to create the role binding:
kubectl create rolebinding --namespace=gitlab-runner gitlab-runner-binding --role=gitlab-runner --serviceaccount=gitlab-runner:default
Good documentation here: https://medium.com/@ruben.laguna/installing-a-gitlab-runner-on-kubernetes-ac386c924bc8
Extending Harsh's answer: make sure you are working in the active 'gitlab-runner' namespace, or use the --namespace=gitlab-runner flag. To switch the active namespace, use the following command:
kubens gitlab-runner
so you don't need to pass --namespace=gitlab-runner every time.
FYI, I went through the steps from the article on my k8s cluster and it works fine for me.
For me, adding all the necessary roles was the only solution that really helped.
Here is the corresponding runner-chart-values.yaml file:
## GitLab Runner Image
gitlabUrl: http://example.domain/
runnerRegistrationToken: "<token>"
rbac:
  create: true
  rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list", "get", "watch", "create", "delete"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get"]
    - apiGroups: [""]
      resources: ["pods/attach"]
      verbs: ["list", "get", "create", "delete", "update"]
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["list", "get", "create", "delete", "update"]
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["list", "get", "create", "delete", "update"]
runners:
  privileged: true
Here is the complete solution using Helm, where I copied the rights proposed by Richard in
Using the following template (gitlab-rbac/templates) we can patch a given namespace with:
helm upgrade -i gitlab-rbac-name ./gitlab-rbac \
  -n your-namespace-here --create-namespace
After installation you can check your current permissions with:
kubectl auth can-i create secrets --as=system:serviceaccount:gitlab:default \
  -n your-namespace-here
The template gitlab-rbac/templates/rbac.yaml contains the following:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Namespace }}-admin
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "get", "create", "delete", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner-{{ .Release.Namespace }}-admin
  namespace: {{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitlab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Namespace }}-admin
Note that you may need to give your runner more rights, and you may need to update the rules depending on your pipeline. For example, if you allow your templates to create namespaces, you will need to add a cluster-wide role for that. This means adding the following to the template file:
# ... Role and RoleBinding templates
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-admin
rules:
  - apiGroups: ['']
    resources: ['namespaces']
    verbs: ['create']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-runner-namespace-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitlab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-admin
The values file (gitlab-rbac/values.yaml) is empty in this example because we only use the namespace parameter.
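To see why the error in the question persists even when a Role exists, here is an added example (not part of the question or any answer, and not GitLab's code) that emulates the kubectl auth can-i check from the last answer offline: Role/RoleBinding semantics are namespace-scoped, and the subject is matched by service-account name and namespace together. It assumes the Helm template was rendered with .Release.Namespace set to gitlab; the manifests are constructed in-line from the page's YAML.

```python
import re
# Constructed from the page's manifests: the Role from the Helm answer rendered with
# .Release.Namespace = "gitlab" (an assumption); only the rules needed here are kept.
ROLES = [{
    "metadata": {"name": "gitlab-admin", "namespace": "gitlab"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["list", "get", "watch", "create", "delete"]},
        {"apiGroups": [""], "resources": ["secrets", "configmaps"],
         "verbs": ["list", "get", "create", "delete", "update"]},
    ],
}]
# The matching RoleBinding from the same answer: its subject is the "default" SA in "gitlab".
BINDINGS = [{
    "metadata": {"name": "gitlab-runner-gitlab-admin", "namespace": "gitlab"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "gitlab"}],
    "roleRef": {"kind": "Role", "name": "gitlab-admin"},
}]
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"')

def parse_forbidden(msg):
    """Extract subject, verb, resource, API group and namespace from a 'forbidden' error."""
    m = FORBIDDEN_RE.search(" ".join(msg.split()))  # the runner log wraps the message
    if not m:
        raise ValueError("not a Kubernetes RBAC 'forbidden' message")
    return m.groupdict()

def _matches(wanted, allowed):
    return "*" in allowed or wanted in allowed

def can_i(roles, bindings, sa_ns, sa, verb, res, group, ns):
    """Emulate: kubectl auth can-i <verb> <res> --as=system:serviceaccount:<sa_ns>:<sa> -n <ns>"""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != ns:
            continue  # a RoleBinding grants nothing outside its own namespace
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa and s["namespace"] == sa_ns
                   for s in b["subjects"]):
            continue  # the SA's namespace is part of its identity: default/x is not gitlab/x
        role = by_key.get((ns, b["roleRef"]["name"]))
        if role and any(_matches(group, r["apiGroups"]) and _matches(res, r["resources"])
                        and _matches(verb, r["verbs"]) for r in role["rules"]):
            return True
    return False

def diagnose(msg):
    """True if the manifests above would already allow what the error message was denied."""
    f = parse_forbidden(msg)
    return can_i(ROLES, BINDINGS, f["sa_ns"], f["sa"], f["verb"], f["res"], f["group"], f["ns"])
```

Feeding the question's error line to diagnose() returns False because the denied subject lives in the default namespace while the binding only names gitlab/default; the same request for gitlab/default is allowed.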