Runner needs rbac.create to be true
As mentioned in https://gitlab.slack.com/archives/CP784K95Z/p1582805988050700 (internal Slack thread), we are missing rbac.create to be set to true.
Otherwise the runner pod will run as an unprivileged service account:
ERROR: Job failed (system failure): secrets is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot create resource "secrets" in API group "" in the namespace "gitlab-managed-apps"
The issue is that https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/0fe93ca78a0bba16d20fd3e879db42356ac661bc/values.yaml#L79 is false by default (most charts are true).
Proposed fix
Set rbac.create to true in https://gitlab.com/gitlab-org/cluster-integration/cluster-applications/-/blob/master/src/default-data/gitlab-runner/values.yaml so that RBAC is default.
/cc @atanayno
Edited by Thong Kuah
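An added example, not part of the original issue or of the chart: a POSIX shell helper that turns a "forbidden" job error like the one quoted above into the matching `kubectl auth can-i` check, so the permission can be re-tested after changing rbac.create. The function names are hypothetical and the sample line is copied from this issue; nothing is run against a cluster.

```shell
#!/bin/sh
# Sample input: the job error quoted in this issue.
SAMPLE_ERROR='ERROR: Job failed (system failure): secrets is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot create resource "secrets" in API group "" in the namespace "gitlab-managed-apps"'

# Print the `kubectl auth can-i` command that re-tests the denied action.
# Returns 1 if the line is not a namespaced RBAC denial.
can_i_command() {
  pat='.*User "\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)" in the namespace "\([^"]*\)".*'
  fields=$(printf '%s\n' "$1" | sed -n "s/$pat/\1|\2|\3|\4|\5/p")
  [ -n "$fields" ] || return 1
  # Split on '|'; an empty API group (the core group) stays an empty field.
  IFS='|' read -r user verb resource group ns <<EOF
$fields
EOF
  # Resources outside the core group are addressed as resource.group.
  if [ -n "$group" ]; then
    resource="$resource.$group"
  fi
  printf 'kubectl auth can-i %s %s --as=%s --namespace=%s\n' \
    "$verb" "$resource" "$user" "$ns"
}

# Succeeds when the denied identity is a namespace's "default" service
# account, which is what the error in this issue shows.
uses_default_sa() {
  case $1 in
    *'User "system:serviceaccount:'*':default"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Show the check for the sample line; run the printed command yourself.
if uses_default_sa "$SAMPLE_ERROR"; then
  echo "denied identity is the namespace default service account"
fi
can_i_command "$SAMPLE_ERROR"
```

The printed command answers "no" while the error persists; after the fix, run the same check against whichever service account the runner pod is then assigned.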