I was trying to export the node’s CIDR and External IP addresses so I can identify where the request was coming from.
In the Deploy step, I’ve added the following command:
```sh
export K8S_NODES_CIDRS=$(kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}') # collapsed multi-line command
```
This fails with:
```
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:[ZIPPED]-70olbd:[ZIPPED]-70olbd-service-account" cannot list resource "nodes" in API group "" at the cluster scope
```
Is there a way to set the service account permissions during deploy?
Ok, I solved it. I need to create a ClusterRole with a ClusterRoleBinding. For future reference, the following config will ALLOW ALL ServiceAccounts to have get, list, watch permissions on nodes:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nodes-view
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nodes-view-binding
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: nodes-view
  apiGroup: rbac.authorization.k8s.io
```
That’s my current solution.
Since GitLab creates a service account when deploying, with name patterns like system:serviceaccount:<namespace>, I can’t find a good way to match these specific accounts. So I have to allow all service accounts for now.
Maybe someone can help me with this?
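The binding above reaches every service account in the cluster because `system:serviceaccounts` is the group that all of them belong to. A narrower subject is usually available: every service account is also a member of the per-namespace group `system:serviceaccounts:<namespace>`, and a ClusterRoleBinding can name a single `ServiceAccount` subject by namespace and name. The following is an added example, not code from the thread or from GitLab: it builds the three binding variants as manifests (JSON, which `kubectl apply -f` accepts) and models how the RBAC authorizer matches subjects so you can see which identities each variant reaches. The namespace and service-account names are constructed placeholders; only the `nodes-view` ClusterRole name comes from the post.

```python
"""Added example (not from the original post): scope the nodes-view
ClusterRole to one namespace or one ServiceAccount instead of all of them,
and check which identities each binding would grant.

Constructed placeholders: namespace "ci-project" and service account
"ci-project-service-account". The ClusterRole name "nodes-view" is from the post.
"""
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
SA_PREFIX = "system:serviceaccount:"


def cluster_role_binding(name, subjects, role="nodes-view"):
    """ClusterRoleBinding manifest granting `role` to `subjects` (cluster-wide,
    which is required because nodes are a cluster-scoped resource)."""
    return {
        "apiVersion": f"{RBAC_GROUP}/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": subjects,
        "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": role},
    }


def sa_subject(namespace, name):
    return {"kind": "ServiceAccount", "namespace": namespace, "name": name}


def group_subject(group):
    return {"kind": "Group", "apiGroup": RBAC_GROUP, "name": group}


def sa_identity(namespace, name):
    """User name and groups the API server assigns to a service-account token."""
    return {
        "user": f"{SA_PREFIX}{namespace}:{name}",
        "groups": [
            "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}",
            "system:authenticated",
        ],
    }


def binding_matches(binding, identity):
    """True if any subject of the binding applies to the identity, following the
    RBAC authorizer's rules: a ServiceAccount subject matches the user name
    system:serviceaccount:<ns>:<name>, a Group subject matches group membership,
    a User subject matches the user name exactly."""
    for s in binding["subjects"]:
        if s["kind"] == "ServiceAccount":
            if identity["user"] == f"{SA_PREFIX}{s['namespace']}:{s['name']}":
                return True
        elif s["kind"] == "Group":
            if s["name"] in identity["groups"]:
                return True
        elif s["kind"] == "User":
            if s["name"] == identity["user"]:
                return True
    return False


def reach(binding, identities):
    """Sorted user names from `identities` that the binding grants the role to."""
    return sorted(i["user"] for i in identities if binding_matches(binding, i))


# Three bindings, broadest to narrowest (names are constructed).
ALL_SAS = cluster_role_binding(
    "nodes-view-all-sas", [group_subject("system:serviceaccounts")])
ONE_NAMESPACE = cluster_role_binding(
    "nodes-view-ci-namespace", [group_subject("system:serviceaccounts:ci-project")])
ONE_SA = cluster_role_binding(
    "nodes-view-ci-sa", [sa_subject("ci-project", "ci-project-service-account")])

# Constructed identities: the CI deploy account, another SA in the same
# namespace, and an SA from an unrelated namespace.
IDENTITIES = [
    sa_identity("ci-project", "ci-project-service-account"),
    sa_identity("ci-project", "default"),
    sa_identity("kube-system", "default"),
]

if __name__ == "__main__":
    for b in (ALL_SAS, ONE_NAMESPACE, ONE_SA):
        print(b["metadata"]["name"], "->", reach(b, IDENTITIES))
    # Manifest ready for `kubectl apply -f -`
    print(json.dumps(ONE_SA, indent=2))
```

After applying the narrowed binding, confirm the effect from the cluster's own authorizer rather than trusting the model: `kubectl auth can-i list nodes --as=system:serviceaccount:<namespace>:<name>` should answer `yes` for the deploy account and `no` for a service account from another namespace.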