GitLab CI - namespace is forbidden for "system:serviceaccount:gitlab-runner:default" cannot get resource "x"


I configured a GitLab CI YAML file that has 2 stages, build and deploy. The build stage consists of building the app in Docker and pushing it to the GitLab container registry. The deploy stage consists of installing k8s and deploying the k8s YAML file in my k8s cluster.

After installing GitLab Runner, I created a role and a role binding to give the service account access to the whole cluster. The build stage is working fine, but for the deploy stage it's producing the error below:

$ kubectl apply -f k8s.yml
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=namespaces", GroupVersionKind: "/v1, Kind=Namespace"
Name: "test-mig-stage", Namespace: ""
from server for: "k8s.yml": namespaces "test-mig-stage" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "namespaces" in API group "" in the namespace "test-mig-stage"
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "gitlab", Namespace: "test-mig-stage"
from server for: "k8s.yml": secrets "gitlab" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "secrets" in API group "" in the namespace "test-mig-stage"
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "test-mig", Namespace: "test-mig-stage"
from server for: "k8s.yml": deployments.apps "test-mig" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "deployments" in API group "apps" in the namespace "test-mig-stage"
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=services", GroupVersionKind: "/v1, Kind=Service"
Name: "test-mig-service", Namespace: "test-mig-stage"
from server for: "k8s.yml": services "test-mig-service" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "services" in API group "" in the namespace "test-mig-stage"
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "extensions/v1beta1, Resource=ingresses", GroupVersionKind: "extensions/v1beta1, Kind=Ingress"
Name: "test-mig-ingress", Namespace: "test-mig-stage"
from server for: "k8s.yml": ingresses.extensions "test-mig-ingress" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "ingresses" in API group "extensions" in the namespace "test-mig-stage"
Running after_script
00:00
Uploading artifacts for failed job
00:00
ERROR: Job failed: command terminated with exit code 1

The role.yaml file:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
rules:
  - apiGroups: ["*"] 
    resources: ["*"]
    verbs: ["list", "get", "watch", "create", "delete", "patch", "update"]

Role binding command:

kubectl create rolebinding --namespace=gitlab-runner gitlab-runner-binding --role=gitlab-runner --serviceaccount=gitlab-runner:default
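
Every denial in the job log names the namespace test-mig-stage, while the Role and RoleBinding shown above exist in gitlab-runner, and a Role grants access only inside its own namespace. The following Python is an added example, not part of the original post: it parses the Forbidden lines (copied from the log above) and renders a wildcard-free Role for the namespace where access was actually denied. The role name ci-deploy is hypothetical, and the output covers only the verbs that appear in the log.

```python
import re
from collections import defaultdict

# Denial lines copied from the job log on this page.
SAMPLE_LOG = '''\
from server for: "k8s.yml": namespaces "test-mig-stage" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "namespaces" in API group "" in the namespace "test-mig-stage"
from server for: "k8s.yml": secrets "gitlab" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "secrets" in API group "" in the namespace "test-mig-stage"
from server for: "k8s.yml": deployments.apps "test-mig" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "deployments" in API group "apps" in the namespace "test-mig-stage"
from server for: "k8s.yml": services "test-mig-service" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "services" in API group "" in the namespace "test-mig-stage"
from server for: "k8s.yml": ingresses.extensions "test-mig-ingress" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "ingresses" in API group "extensions" in the namespace "test-mig-stage"
'''

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<ns>[^"]+)")?'
)

def parse_denials(log):
    """Return one dict per RBAC denial found in kubectl output."""
    return [m.groupdict() for m in DENIAL.finditer(log)]

def rules_by_namespace(denials):
    """Group denied resources and verbs by request namespace, then API group."""
    grouped = defaultdict(lambda: defaultdict(lambda: {"resources": set(), "verbs": set()}))
    for d in denials:
        rule = grouped[d["ns"]][d["group"]]  # ns is None for cluster-scoped denials
        rule["resources"].add(d["resource"])
        rule["verbs"].add(d["verb"])
    return grouped

def render_role(name, namespace, rules):
    """Render a Role (ClusterRole when namespace is None) listing only what was denied."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1",
           f"kind: {'Role' if namespace else 'ClusterRole'}", "metadata:", f"  name: {name}"]
    if namespace:
        out.append(f"  namespace: {namespace}")
    out.append("rules:")
    for group in sorted(rules):
        res = ", ".join(f'"{r}"' for r in sorted(rules[group]["resources"]))
        verbs = ", ".join(f'"{v}"' for v in sorted(rules[group]["verbs"]))
        out += [f'  - apiGroups: ["{group}"]', f"    resources: [{res}]", f"    verbs: [{verbs}]"]
    return "\n".join(out)

if __name__ == "__main__":
    for ns, rules in rules_by_namespace(parse_denials(SAMPLE_LOG)).items():
        print(render_role("ci-deploy", ns, rules))  # "ci-deploy" is a hypothetical name
```

kubectl apply goes on to create or patch objects after this initial get, so those verbs show up as further denials once get is allowed. The rendered Role takes effect for the runner only through a RoleBinding created in the same target namespace.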