When RBAC is set to true, the deployment does not use the service account that was created; instead it uses the default one.
The runner tries to use the default service account in the namespace instead of the service account that was created:
```
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=pods", GroupVersionKind: "/v1, Kind=Pod"
Name: "ka-pod", Namespace: "gitlab-runner"
from server for: "mypod.yaml": pods "ka-pod" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "pods" in API group "" in the namespace "gitlab-runner"
ERROR: Job failed: command terminated with exit code 1
```
This can be fixed by updating `_env_vars.tpl` with the `else` branch given below, so that the chart falls back to its own fullname when `runners.serviceAccountName` is not set.
```
{{- if .Values.runners.serviceAccountName }}
- name: KUBERNETES_SERVICE_ACCOUNT
  value: {{ .Values.runners.serviceAccountName | quote }}
{{- else }}
- name: KUBERNETES_SERVICE_ACCOUNT
  value: {{ include "gitlab-runner.fullname" . }}
{{- end }}
```
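To show what the two branches of that template actually emit, here is an added Go example (not code from the issue or from the gitlab-runner chart) that renders the same `if`/`else` structure with Go's `text/template`. Helm's `include` and Sprig's `quote` are not part of `text/template`, so minimal stand-ins for both are registered in a `FuncMap`; the `gitlab-runner.fullname` definition is a simplified assumption (`Release.Name-Chart.Name`) rather than the chart's real helper, and the release name `glr1` and chart name `gitlab-runner` are constructed values. The point it demonstrates is that with the `else` branch, an unset `runners.serviceAccountName` no longer leaves `KUBERNETES_SERVICE_ACCOUNT` empty (which is what made the runner fall through to the namespace `default` account).

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// envVarsTemplate reproduces the shape of the proposed _env_vars.tpl fix:
// prefer runners.serviceAccountName, otherwise fall back to the chart fullname.
// The "gitlab-runner.fullname" definition is a simplified stand-in for the
// chart's own helper (assumption: Release.Name-Chart.Name) so the fallback
// branch has something to render.
const envVarsTemplate = `{{- define "gitlab-runner.fullname" -}}
{{ .Release.Name }}-{{ .Chart.Name }}
{{- end -}}
{{- if .Values.runners.serviceAccountName }}
- name: KUBERNETES_SERVICE_ACCOUNT
  value: {{ .Values.runners.serviceAccountName | quote }}
{{- else }}
- name: KUBERNETES_SERVICE_ACCOUNT
  value: {{ include "gitlab-runner.fullname" . }}
{{- end }}
`

// chartContext builds a minimal stand-in for the data Helm passes to templates.
// Release and Chart names are constructed values, not taken from the issue.
func chartContext(serviceAccountName string) map[string]interface{} {
	return map[string]interface{}{
		"Release": map[string]interface{}{"Name": "glr1"},
		"Chart":   map[string]interface{}{"Name": "gitlab-runner"},
		"Values": map[string]interface{}{
			// An empty string mirrors an unset runners.serviceAccountName in values.yaml.
			"runners": map[string]interface{}{"serviceAccountName": serviceAccountName},
		},
	}
}

// renderEnvVars renders the template with stand-ins for Helm's `include` and
// Sprig's `quote`, which Go's text/template does not provide on its own.
func renderEnvVars(serviceAccountName string) (string, error) {
	var tmpl *template.Template
	funcs := template.FuncMap{
		// quote: wrap the string in double quotes, as Sprig's quote does.
		"quote": func(s string) string { return strconv.Quote(s) },
		// include: execute a named template and return its output as a string.
		"include": func(name string, data interface{}) (string, error) {
			var buf bytes.Buffer
			if err := tmpl.ExecuteTemplate(&buf, name, data); err != nil {
				return "", err
			}
			return buf.String(), nil
		},
	}
	var err error
	tmpl, err = template.New("env_vars").Funcs(funcs).Parse(envVarsTemplate)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, chartContext(serviceAccountName)); err != nil {
		return "", err
	}
	return out.String(), nil
}

// resolveServiceAccount returns the rendered KUBERNETES_SERVICE_ACCOUNT value,
// i.e. the account name the runner pod would be told to use.
func resolveServiceAccount(serviceAccountName string) (string, error) {
	rendered, err := renderEnvVars(serviceAccountName)
	if err != nil {
		return "", err
	}
	for _, line := range strings.Split(rendered, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "value:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "value:")), nil
		}
	}
	return "", fmt.Errorf("no value rendered for KUBERNETES_SERVICE_ACCOUNT")
}

func main() {
	for _, name := range []string{"gitlab-runner-sa", ""} {
		got, err := resolveServiceAccount(name)
		if err != nil {
			fmt.Println("render failed:", err)
			return
		}
		fmt.Printf("serviceAccountName=%q -> KUBERNETES_SERVICE_ACCOUNT=%s\n", name, got)
	}
}
```

With `serviceAccountName` set, the rendered value is the quoted account name; with it empty, the `else` branch yields `glr1-gitlab-runner` (the stand-in fullname), so the job pod is told to use the chart's service account rather than silently inheriting `default`.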
```
$ cat mypod.yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: ka-pod
  namespace: gitlab-runner
spec:
  containers:
  - name: ka-pod-test
    command: ["/bin/bash", "-c", "sleep 2000000000000"]
    image: centos/tools
    imagePullPolicy: IfNotPresent
    resources:
      limits:
        memory: "300Mi"
        cpu: 500m
      requests:
        memory: "300Mi"
        cpu: 500m
```
```
$ cat .gitlab-ci.yml
```

```yaml
stages:
  - deploy

pod_deploy:
  stage: deploy
  before_script:
    - apt update
    - apt upgrade
    - apt install curl -y
    - curl -LO https://dl.k8s.io/release/v1.23.0/bin/linux/amd64/kubectl
    - install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
  script:
    - kubectl apply -f mypod.yaml
  tags:
    - glr1
```