User "system:serviceaccount:gitlab-runner:default" cannot list resource "events" in API group "" in the namespace "gitlab-runner"


Question


I am trying to set up GitLab Runner with my AWS EKS cluster. I have been able to create the namespaces without any problem. However, when I trigger the GitLab CI/CD pipeline I get the following error:

ERROR: Error retrieving events list: events is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot list resource "events" in API group "" in the namespace "gitlab-runner".

Here is my gitlab-runner-role.yaml file

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/log", "pods/attach", "secrets", "events"]
    verbs: ["list", "get", "watch", "create", "delete", "update"]

Any help on why I am getting this error and how I can fix the issue?

Answer 1

Score: 1


You need to create a binding to attach the service account to the role:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner-rolebinding
  namespace: gitlab-runner
subjects:
  - kind: ServiceAccount
    name: gitlab-runner
    namespace: default
roleRef:
  kind: Role
  name: gitlab-runner
  apiGroup: rbac.authorization.k8s.io

You can check via:

kubectl auth can-i list events --as=system:serviceaccount:default:gitlab-runner
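
An added example, not part of the question or of either answer: a simplified offline check of why a namespaced Role only takes effect when a RoleBinding's subject matches the identity in the denial, which has the form `system:serviceaccount:<namespace>:<name>`. The helper names (`parse_denial`, `allowed`, `make_binding`) are hypothetical, the manifests are re-typed from this page as Python dicts, and the model covers Role plus RoleBinding only (no ClusterRoles or groups).

```python
import re

# Denial message as it appears in the question.
ERROR = ('events is forbidden: User "system:serviceaccount:gitlab-runner:default" '
         'cannot list resource "events" in API group "" in the namespace "gitlab-runner"')

def parse_denial(msg):
    """Extract the rejected request from a ServiceAccount 'forbidden' message."""
    m = re.search(r'User "system:serviceaccount:([^:"]+):([^"]+)" cannot (\S+) '
                  r'resource "([^"]+)" in API group "([^"]*)" in the namespace "([^"]+)"', msg)
    if not m:
        raise ValueError("not a ServiceAccount RBAC denial")
    keys = ("sa_namespace", "sa_name", "verb", "resource", "api_group", "namespace")
    return dict(zip(keys, m.groups()))

def _match(allowed_values, value):
    return "*" in allowed_values or value in allowed_values

def allowed(role, binding, req):
    """Simplified namespaced RBAC decision: one Role, one RoleBinding."""
    ns = req["namespace"]
    if role["metadata"]["namespace"] != ns or binding["metadata"]["namespace"] != ns:
        return False
    ref = binding["roleRef"]
    if ref["kind"] != "Role" or ref["name"] != role["metadata"]["name"]:
        return False
    # The subject must be the exact ServiceAccount named in the denial.
    bound = any(s["kind"] == "ServiceAccount" and s["name"] == req["sa_name"]
                and s.get("namespace") == req["sa_namespace"] for s in binding["subjects"])
    return bound and any(_match(r["apiGroups"], req["api_group"])
                         and _match(r["resources"], req["resource"])
                         and _match(r["verbs"], req["verb"]) for r in role["rules"])

def make_binding(sa_name, sa_namespace):
    return {"metadata": {"name": "gitlab-runner-rolebinding", "namespace": "gitlab-runner"},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
            "roleRef": {"kind": "Role", "name": "gitlab-runner",
                        "apiGroup": "rbac.authorization.k8s.io"}}

ROLE = {"metadata": {"name": "gitlab-runner", "namespace": "gitlab-runner"},
        "rules": [{"apiGroups": [""],
                   "resources": ["pods", "pods/exec", "pods/log", "pods/attach", "secrets", "events"],
                   "verbs": ["list", "get", "watch", "create", "delete", "update"]}]}

if __name__ == "__main__":
    req = parse_denial(ERROR)
    print(req)
    print("subject gitlab-runner in default:", allowed(ROLE, make_binding("gitlab-runner", "default"), req))
    print("subject default in gitlab-runner:", allowed(ROLE, make_binding("default", "gitlab-runner"), req))
```

On a live cluster the equivalent check is `kubectl auth can-i list events -n gitlab-runner --as=system:serviceaccount:gitlab-runner:default`, using the identity exactly as the error message prints it.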

Answer 2

Score: 1


This seems to be something new with GitLab 16.2 - we didn't have this problem before we upgraded the runners to the latest version.

For our runners, I just added "events" to our helm chart values file (the rbac - rules - resources section) and did a helm upgrade to apply the changes.
