Cannot extend default service account permissions with RBAC

Hello. I’m trying to set up CI for a GKE cluster. I’m using the default Gitlab-managed integration, and this works fine. But I also need some extended rights for the default Gitlab service account, and there I got problems.

I need to create a PVC during deploy, and I’m getting the following errors:

Error from server (Forbidden): error when retrieving current configuration of:
Resource: "storage.k8s.io/v1, Resource=storageclasses", GroupVersionKind: "storage.k8s.io/v1, Kind=StorageClass"
Name: "faster", Namespace: ""
from server for: ".k8s_build/volumes/volume.class.yaml": storageclasses.storage.k8s.io "faster" is forbidden: **User "system:serviceaccount:k8s-cluster-20920413-ci:k8s-cluster-20920413-ci-service-account" cannot get resource "storageclasses" in API group "storage.k8s.io" at the cluster scope**
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=persistentvolumes", GroupVersionKind: "/v1, Kind=PersistentVolume"
Name: "volume", Namespace: ""
from server for: ".k8s_build/volumes/volume.persistent.yaml": persistentvolumes "volume" is forbidden: **User "system:serviceaccount:k8s-cluster-20920413-ci:k8s-cluster-20920413-ci-service-account" cannot get resource "persistentvolumes" in API group "" at the cluster scope**

I’m fully stuck. I tried all the RBAC configurations I found and invented, and all were just ignored by the runner. I really don’t understand what else I can do for the runner. I haven’t worked with RBAC before and have likely missed something. Here is my last version of the RBAC configuration:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - persistentvolumes
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-admin
subjects:
  - kind: ServiceAccount
    namespace: k8s-cluster-20920413-ci
    name: k8s-cluster-20920413-ci-service-account

Regards

The problem took place due to the lack of the “patch” permission in “verbs”. My fail :slight_smile:
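The follow-up above points at the real issue: `kubectl apply` does a GET on the existing object and then a CREATE or PATCH, so a ClusterRole that only grants get/list/watch is not enough. The script below is an added example (not code from the post or from Gitlab) that turns the Forbidden lines from the post into the PolicyRules a deploy actually needs, and then evaluates those rules the way RBAC does so the gap can be checked before the next pipeline run. The error text is copied from the post; the `gitlab-admin` role name is the post's own, and the verb set granted per resource is an assumption chosen to cover `kubectl apply`.

```python
"""Derive RBAC rules from 'Forbidden' errors and check them offline."""
import json
import re
from collections import defaultdict

# Constructed sample: the two Forbidden lines from the post above, emphasis removed.
SAMPLE_ERRORS = """\
from server for: ".k8s_build/volumes/volume.class.yaml": storageclasses.storage.k8s.io "faster" is forbidden: User "system:serviceaccount:k8s-cluster-20920413-ci:k8s-cluster-20920413-ci-service-account" cannot get resource "storageclasses" in API group "storage.k8s.io" at the cluster scope
from server for: ".k8s_build/volumes/volume.persistent.yaml": persistentvolumes "volume" is forbidden: User "system:serviceaccount:k8s-cluster-20920413-ci:k8s-cluster-20920413-ci-service-account" cannot get resource "persistentvolumes" in API group "" at the cluster scope
"""

# The rules from the post's original ClusterRole (read-only verbs).
ORIGINAL_RULES = [
    {"apiGroups": [""], "resources": ["nodes", "persistentvolumes", "namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]},
]

# Matches the standard apiserver denial message for cluster- and namespace-scoped objects.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Assumption: what `kubectl apply` needs per resource. It GETs the current object,
# then CREATEs (new) or PATCHes (existing); list/watch cover `kubectl get -w`.
APPLY_VERBS = ("get", "list", "watch", "create", "patch")


def parse_forbidden(text):
    """Return a list of (user, verb, apiGroup, resource, namespace_or_None)."""
    return [(m["user"], m["verb"], m["group"], m["resource"], m["ns"])
            for m in FORBIDDEN_RE.finditer(text)]


def rules_for_apply(denials):
    """Group denials by (apiGroup, resource) and grant the verbs apply needs."""
    by_key = defaultdict(set)
    for _user, verb, group, resource, _ns in denials:
        by_key[(group, resource)].add(verb)
    return [
        {"apiGroups": [group], "resources": [resource],
         "verbs": sorted(set(APPLY_VERBS) | verbs)}
        for (group, resource), verbs in sorted(by_key.items())
    ]


def role_allows(rules, group, resource, verb):
    """Evaluate PolicyRules like RBAC does: any matching rule grants, '*' is a wildcard."""
    for rule in rules:
        if (("*" in rule["apiGroups"] or group in rule["apiGroups"])
                and ("*" in rule["resources"] or resource in rule["resources"])
                and ("*" in rule["verbs"] or verb in rule["verbs"])):
            return True
    return False


def to_yaml(name, rules):
    """Render a ClusterRole manifest; JSON lists are valid YAML flow sequences."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
             "metadata:", f"  name: {name}", "rules:"]
    for r in rules:
        lines.append(f"  - apiGroups: {json.dumps(r['apiGroups'])}")
        lines.append(f"    resources: {json.dumps(r['resources'])}")
        lines.append(f"    verbs: {json.dumps(r['verbs'])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_forbidden(SAMPLE_ERRORS)
    for d in denials:
        print("denied:", d[1], d[3], "in group", repr(d[2]))
    # The post's role lets apply read, but not write, the StorageClass.
    print("original role, patch storageclasses:",
          role_allows(ORIGINAL_RULES, "storage.k8s.io", "storageclasses", "patch"))
    print(to_yaml("gitlab-admin", rules_for_apply(denials)))
```

Run the script against the Forbidden lines captured from a failed job; the generated rules are a starting point to review, not a blanket grant, and anything a deploy never touches (nodes, namespaces) can be dropped from the role.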