Turn on Legacy authorization for new clusters on GKE
Description
Kubernetes clusters on GKE are now created with Legacy authorization disabled by default. This prevents the installation of the applications managed by GitLab in CI/CD > Kubernetes, giving the following error:
Something went wrong while installing Helm Tiller
Kubernetes error: namespaces "gitlab-managed-apps" is forbidden: User "system:serviceaccount:default:default" cannot get namespaces in the namespace "gitlab-managed-apps": Unknown user "system:serviceaccount:default:default"
Proposal
Enable Legacy authorization when creating a new cluster on GKE using the GitLab UI. In this way, the old behavior is restored and the current implementation can work again.
Related
In the future we want to fully support RBAC authorization, so we can also disable Legacy authorization: https://gitlab.com/gitlab-org/gitlab-ce/issues/29398
Original description
I needed to manually create a rolebinding in my self-hosted Kubernetes cluster before GitLab could install Helm/Ingress.
The following error was reported by GitLab:
error installing: deployments.extensions is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot create deployments.extensions in the namespace "gitlab-managed-apps"
Steps to reproduce
Connect the CI/CD pipeline to an existing Kubernetes cluster via the Clusters menu.
Fix
kubectl create clusterrolebinding gitlab-managed-apps-cluster-role --clusterrole=cluster-admin --serviceaccount=gitlab-managed-apps:default --namespace=gitlab-managed-apps
Then refresh and click install again :)
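To confirm which permission is actually missing, each "forbidden" error quoted above can be turned into the matching `kubectl auth can-i` check. This is an added example, not part of the original issue or of GitLab's code; the function name `forbidden_to_can_i` is hypothetical, and the script only prints commands without contacting a cluster.

```shell
#!/bin/sh
# Added example: map a Kubernetes RBAC denial to the `kubectl auth can-i`
# command that tests the same verb, resource, namespace and subject.
# Nothing here talks to a cluster; the command is only printed for review.

# forbidden_to_can_i ERROR_LINE   (hypothetical helper name)
# Prints one kubectl command, or returns 1 if the line is not an RBAC denial.
forbidden_to_can_i() {
    cmd=$(printf '%s\n' "$1" | sed -n -E \
        's/.*User "([^"]+)" cannot ([a-z]+) ([^ ]+) in the namespace "([^"]+)".*/kubectl auth can-i \2 \3 --namespace=\4 --as=\1/p')
    # sed prints nothing when the pattern does not match.
    [ -n "$cmd" ] || return 1
    printf '%s\n' "$cmd"
}

# The two error messages quoted in this issue.
ERR_TILLER='Kubernetes error: namespaces "gitlab-managed-apps" is forbidden: User "system:serviceaccount:default:default" cannot get namespaces in the namespace "gitlab-managed-apps": Unknown user "system:serviceaccount:default:default"'
ERR_DEPLOY='error installing: deployments.extensions is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot create deployments.extensions in the namespace "gitlab-managed-apps"'

forbidden_to_can_i "$ERR_TILLER"
forbidden_to_can_i "$ERR_DEPLOY"
```

Running a printed command requires permission to impersonate the service account. `kubectl auth can-i` answers `yes` or `no`, so the same check run before and after creating a binding shows whether that binding is what granted the access.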