Unable to run helm upgrade in gitlab-runner because of a forbidden secrets access rule

Question (votes: 0, answers: 1)

I want to execute helm in a gitlab pipeline on a gitlab-runner running on kubernetes.

My gitlab.ci.yaml:

# Deployment step
deploy:
  stage: deploy
  image: alpine/helm:latest
  script:
    - helm --namespace gitlab upgrade initial ./iot/
  tags:
    - k8s
    - dev

What I have done so far:

  1. Installed gitlab-runner on my kubernetes with helm (https://docs.gitlab.com/runner/install/kubernetes.html)

My values.yaml:

image: gitlab/gitlab-runner:alpine-v11.6.0

imagePullPolicy: IfNotPresent

gitlabUrl: https://gitlab.com/

runnerRegistrationToken: "mytoken"

unregisterRunners: true

terminationGracePeriodSeconds: 3600

concurrent: 10

checkInterval: 30

## For RBAC support:
rbac:
  create: true
  ## Define specific rbac permissions.
  # resources: ["pods", "pods/exec", "secrets"] 
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]
  ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs cluster-wide or only within namespace
  clusterWideAccess: false

metrics:
  enabled: true
## Configuration for the Pods that that the runner launches for each new job
##
runners:
  ## Default container image to use for builds when none is specified
  ##
  image: ubuntu:16.04

  locked: false
  tags: "k8s,dev"
  privileged: true

  namespace: gitlab
  pollTimeout: 180
  outputLimit: 4096

  cache: {}
  ## Build Container specific configuration
  ##
  builds: {}
    # cpuLimit: 200m memoryLimit: 256Mi cpuRequests: 100m memoryRequests: 128Mi
  ## Service Container specific configuration
  ##
  services: {}
    # cpuLimit: 200m memoryLimit: 256Mi cpuRequests: 100m memoryRequests: 128Mi
  ## Helper Container specific configuration
  ##
  helpers: {}
securityContext:
  fsGroup: 65533
  runAsUser: 100
## Configure resource requests and limits ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}

affinity: {}

nodeSelector: {}

tolerations: []

envVars:
  - name: RUNNER_EXECUTOR
    value: kubernetes
## list of hosts and IPs that will be injected into the pod's hosts file
hostAliases: []

podAnnotations: {}

podLabels: {}

  2. gitlab-runner connects to gitlab.com successfully

But when the deploy step runs, I get the following message on gitlab:

 Error: UPGRADE FAILED: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" in the namespace "gitlab"

I have checked my RBAC ClusterRoles, and by default they are all set to wildcards for verbs and resources, but I also tried setting the required permissions:

  resources: ["pods", "pods/exec", "secrets"] 
  verbs: ["get", "list", "watch", "create", "patch", "delete"]

Nothing works :-( What am I doing wrong?

Tags: kubernetes gitlab gitlab-ci-runner rbac

1 answer

0 votes

I hope I have found the solution to this problem. Try creating a clusterrolebinding like this:

kubectl create clusterrolebinding gitlab-cluster-admin --clusterrole=cluster-admin --group=system:serviceaccounts
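As an added example (not part of the question or the answer above): the binding in the answer grants cluster-admin to every service account in the cluster. A narrower fix for the exact error in the question is a namespaced Role in `gitlab` for the service account the job pod actually runs as (`system:serviceaccount:gitlab:default`, taken from the error message), covering the Secret permissions Helm 3 needs for its release records plus the resources the chart manages. The chart contents of `./iot/` are not on the page, so the Deployment/Service/ConfigMap rules below are an assumption to adjust.

```yaml
# Added example, not from the question or answer.
# Namespaced least-privilege alternative to a cluster-wide cluster-admin binding.
# Assumptions: the job pod runs as the "default" service account in namespace
# "gitlab" (from the error message), and the ./iot/ chart only manages
# Deployments, Services and ConfigMaps (placeholder; extend to match your chart).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: helm-deployer
  namespace: gitlab
rules:
  # Helm 3 stores each release revision as a Secret in the release namespace;
  # "list" is the verb the "secrets is forbidden ... cannot list" error asked for.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Resources the chart creates or updates (assumed; adjust to your chart).
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-deployer
  namespace: gitlab
subjects:
  # The principal named in the error message: the job pod's service account,
  # not the runner manager's service account that the chart's rbac block configures.
  - kind: ServiceAccount
    name: default
    namespace: gitlab
roleRef:
  kind: Role
  name: helm-deployer
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f` and confirm the grant with `kubectl auth can-i list secrets --namespace gitlab --as=system:serviceaccount:gitlab:default`, which should now answer `yes` while the same check in any other namespace still answers `no`.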