Hello. I’m trying to set up CI for a GKE cluster. I’m using the default GitLab-managed integration, and this works fine. But I also need some extended rights for GitLab’s default service account, and there I ran into problems.
I need to create a PVC during deploy, and I’m getting the following errors:
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "storage.k8s.io/v1, Resource=storageclasses", GroupVersionKind: "storage.k8s.io/v1, Kind=StorageClass"
Name: "faster", Namespace: ""
from server for: ".k8s_build/volumes/volume.class.yaml": storageclasses.storage.k8s.io "faster" is forbidden: **User "system:serviceaccount:k8s-cluster-20920413-ci:k8s-cluster-20920413-ci-service-account" cannot get resource "storageclasses" in API group "storage.k8s.io" at the cluster scope**
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=persistentvolumes", GroupVersionKind: "/v1, Kind=PersistentVolume"
Name: "volume", Namespace: ""
from server for: ".k8s_build/volumes/volume.persistent.yaml": persistentvolumes "volume" is forbidden: **User "system:serviceaccount:k8s-cluster-20920413-ci:k8s-cluster-20920413-ci-service-account" cannot get resource "persistentvolumes" in API group "" at the cluster scope**
I’m fully stuck. I tried all the RBAC configurations I found and invented, and all were just ignored by the runner. I really don’t understand what else I can do for the runner. I haven’t worked with RBAC before and likely missed something. Here is my last version of the RBAC configuration:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - persistentvolumes
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io   # was 'storage.k8s.io"]' (stray quote and bracket), a literal that never matches the real API group
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-admin
subjects:
- kind: ServiceAccount
  namespace: k8s-cluster-20920413-ci
  name: k8s-cluster-20920413-ci-service-account
```
Regards
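The following is an added example, not code from the post or from GitLab or Kubernetes. It models how the Kubernetes RBAC authorizer matches a request (verb, API group, resource) against ClusterRole rules granted through a ClusterRoleBinding, and runs the two requests from the Forbidden errors above against the role as posted and against an assumed corrected role. The subject name is taken from the error messages; the `APPLY_VERBS` list is an assumption about what `kubectl apply` needs (it first GETs the current object, then creates or patches it, which the posted get/list/watch rules do not cover). Note what the model shows: the stray `"]` in the posted apiGroups makes the storageclasses rule match nothing, but the posted persistentvolumes rule would already allow `get`, so if that error still appears the role and binding are not in effect on the cluster the runner talks to.

```python
# Added example (not from the post or from GitLab/Kubernetes): a minimal model of
# how the Kubernetes RBAC authorizer matches a request against ClusterRole rules
# bound through a ClusterRoleBinding, applied to the two requests in the error
# messages above. APPLY_VERBS and the FIXED role are assumptions, not the
# project's configuration.
from dataclasses import dataclass


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list


@dataclass
class ClusterRole:
    name: str
    rules: list


@dataclass
class ClusterRoleBinding:
    role_name: str
    subjects: list  # (namespace, name) pairs of ServiceAccount subjects


def sa_username(namespace, name):
    """The user string the API server derives for a ServiceAccount subject."""
    return f"system:serviceaccount:{namespace}:{name}"


def rule_allows(rule, verb, api_group, resource):
    """A rule matches when every field either lists the value or contains '*'."""
    def matches(wanted, allowed):
        return "*" in allowed or wanted in allowed
    return (matches(verb, rule.verbs)
            and matches(api_group, rule.api_groups)
            and matches(resource, rule.resources))


def can_i(user, verb, api_group, resource, roles, bindings):
    """Cluster-scope check: some ClusterRoleBinding must name the user and reference
    a ClusterRole with a matching rule. RBAC has no deny rules and non-matching
    rules are simply skipped, so a typo in a rule silently removes the grant."""
    roles_by_name = {r.name: r for r in roles}
    for b in bindings:
        if user not in {sa_username(ns, n) for ns, n in b.subjects}:
            continue
        role = roles_by_name.get(b.role_name)
        if role and any(rule_allows(r, verb, api_group, resource) for r in role.rules):
            return True
    return False


SA = sa_username("k8s-cluster-20920413-ci", "k8s-cluster-20920413-ci-service-account")
BINDING = ClusterRoleBinding("gitlab-admin",
                             [("k8s-cluster-20920413-ci", "k8s-cluster-20920413-ci-service-account")])

# The ClusterRole as posted: the second rule's apiGroups entry is the literal
# string 'storage.k8s.io"]' (stray quote and bracket), so it never matches storage.k8s.io.
POSTED = ClusterRole("gitlab-admin", [
    Rule(api_groups=[""], resources=["nodes", "persistentvolumes", "namespaces"],
         verbs=["get", "list", "watch"]),
    Rule(api_groups=['storage.k8s.io"]'], resources=["storageclasses"],
         verbs=["get", "list", "watch"]),
])

# Assumed corrected role: group name fixed, plus the verbs kubectl apply needs on a
# cluster-scoped object (get to read the current state, then create or patch to write it).
APPLY_VERBS = ["get", "list", "watch", "create", "patch", "update"]
FIXED = ClusterRole("gitlab-admin", [
    Rule(api_groups=[""], resources=["persistentvolumes"], verbs=APPLY_VERBS),
    Rule(api_groups=["storage.k8s.io"], resources=["storageclasses"], verbs=APPLY_VERBS),
])

# The two requests taken from the Forbidden errors: (verb, apiGroup, resource).
REQUESTS = [("get", "storage.k8s.io", "storageclasses"),
            ("get", "", "persistentvolumes")]


def evaluate(role, requests=REQUESTS, user=SA):
    """Map 'verb resource.group' -> allowed? for one role bound through BINDING."""
    return {f"{verb} {resource}.{group or 'core'}":
            can_i(user, verb, group, resource, [role], [BINDING])
            for verb, group, resource in requests}


if __name__ == "__main__":
    print("posted:", evaluate(POSTED))
    print("fixed: ", evaluate(FIXED))
```

On the real cluster the equivalent check is `kubectl auth can-i get storageclasses --as=system:serviceaccount:k8s-cluster-20920413-ci:k8s-cluster-20920413-ci-service-account` (and the same for `persistentvolumes` and for `create`), run against the same kubeconfig context the runner uses; if that says `no` after applying the role and binding, the objects landed on a different cluster or the subject name in the binding does not match the one in the error.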