 

Gitlab CI Pipeline: Cannot create pods in the namespace

I have a kubernetes cluster (rancherOS & RKE) that has a running gitlab runner pod. Connection to my GitLab instance works fine.

If I activate the pipeline, it directly fails with this error:

Running with gitlab-runner 11.4.2 (cf91d5e1)
  on Kubernetes Runner e5e25776
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image ubuntu:latest ...
ERROR: Job failed (system failure): pods is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot create pods in the namespace "gitlab-managed-apps"

This here is my gitlab-runner deployment yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: gitlab-runner
  namespace: gitlab-managed-apps
spec:
  replicas: 1
  selector:
    matchLabels:
      name: gitlab-runner
  template:
    metadata:
      labels:
        name: gitlab-runner
    spec:
      containers:
      - args:
        - run
        image: gitlab/gitlab-runner:latest
        imagePullPolicy: Always
        name: gitlab-runner
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /etc/gitlab-runner
          name: config
        - mountPath: /etc/ssl/certs
          name: cacerts
          readOnly: true
      restartPolicy: Always
      volumes:
      - configMap:
          name: gitlab-runner
        name: config
      - hostPath:
          path: /usr/share/ca-certificates/mozilla
        name: cacerts
      hostNetwork: true

I tried to add a security context with the parameter "privileged: true", but that does not help.

Does anyone have an idea how to grant the gitlab-runner deployment the right permission to create other pods in the namespace "gitlab-managed-apps"?

Thanks a lot :)

asked Nov 20 '18 13:11 by user7436888


1 Answer

Your service account lacks permissions. A similar issue has happened to me during secrets creation.

You can grant access without having to fulfill any extra files, just with the help of kubectl. You should create a role binding, namely, grant a role to the default service account in a namespace. A full description is provided here.

In your case the command will look like this:

kubectl create rolebinding default-view --clusterrole=edit --serviceaccount=gitlab-managed-apps:default --namespace=gitlab-managed-apps
answered Nov 09 '22 05:11 by Mariia Abramyk
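The answer's one-liner binds the broad `edit` ClusterRole to the namespace's default service account, which every pod in that namespace shares. As an added example (not from the question or the answer), the same fix with a dedicated service account and a namespaced Role limited to the resources the Kubernetes executor touches; the exact verb list is an assumption and should be checked against the runner version in use.

```yaml
# Added example: dedicated service account + least-privilege Role + RoleBinding.
# Assumption: the verbs below cover what the Kubernetes executor needs for
# build pods; trim or extend after verifying with `kubectl auth can-i`.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-runner
  namespace: gitlab-managed-apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-managed-apps
rules:
  # Build pods: create, inspect and clean up.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
  # Attach to / exec into build containers and read their logs.
  - apiGroups: [""]
    resources: ["pods/exec", "pods/attach"]
    verbs: ["create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
  # Per-job registry credentials and build scripts.
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner
  namespace: gitlab-managed-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitlab-runner
subjects:
  - kind: ServiceAccount
    name: gitlab-runner
    namespace: gitlab-managed-apps
```

Apply it with `kubectl apply -f`, set `serviceAccountName: gitlab-runner` in the Deployment's pod spec, and leave the default service account unbound. Confirm the grant with `kubectl auth can-i create pods --as=system:serviceaccount:gitlab-managed-apps:gitlab-runner -n gitlab-managed-apps`, which should print `yes`.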