version 10.3.0-rc.1 doesn't use kubernetes credentials to talk to Kubernetes API
Summary
GitLab Runner with the Kubernetes executor doesn't seem to use the service account token to talk to the API server and therefore receives "401 Unauthorized" responses.
Steps to reproduce
Start gitlab-runner 10.3.0-rc1 with the following config:
concurrent = 10
check_interval = 5
log_level = "info"
[[runners]]
name = "main-gitlab-runner-856889b6c6-q2xdf"
url = "http://main-gitlab.ci:8005/"
token = "XXXXX"
executor = "kubernetes"
clone_url = "http://main-gitlab.ci:8005/"
[runners.cache]
[runners.kubernetes]
bearer_token_overwrite_allowed = false
image = "gcr.io/google_containers/hyperkube:v1.9.0-beta.2"
namespace = "ci"
namespace_overwrite_allowed = "^(dev|stag|prod)$"
privileged = false
service_account = "gitlab-executor"
service_account_overwrite_allowed = "^(gitlab-executor-clusteradmin)$"
[runners.kubernetes.pod_labels]
"gitlab.com/ci" = "true"
"gitlab.com/job-id" = "${CI_JOB_ID}"
"gitlab.com/project-path" = "${CI_PROJECT_PATH_SLUG}"
[runners.kubernetes.volumes]
Actual behavior
Relevant logs and/or screenshots
runner log:
Starting multi-runner from /etc/gitlab-runner/config.toml ... builds=0
Running in system-mode.
Configuration loaded builds=0
Metrics server disabled
Checking for jobs... received job=54 repo_url=https://gitlab.ci.XXXXX/apps/login.git runner=94abc247
ERROR: Job failed (system failure): Unauthorized job=54 project=3 runner=94abc247
ERROR: Error cleaning up secrets: resource name may not be empty job=54 project=3 runner=94abc247
Also, the audit log on the apiserver:
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2017-12-12T11:25:06Z"},"level":"Metadata","timestamp":"2017-12-12T11:25:06Z","auditID":"0196d9a5-c6ed-4250-aa7d-64ef7065b379","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/stag/secrets","verb":"create","user":{},"sourceIPs":["10.1.44.98"],"objectRef":{"resource":"secrets","namespace":"stag","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}}
Environment description
Self-hosted GitLab setup in a Kubernetes cluster. GitLab Runner runs using its own service account.
Used GitLab Runner version
/ # gitlab-runner --version
Version: 10.3.0-rc.1
Git revision: 2b6b3b44
Git branch: 10-3-stable
GO version: go1.8.5
Built: Mon, 11 Dec 2017 10:29:04 +0000
OS/Arch: linux/amd64
Edited by Maxim Ivanov
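Added example, not part of the original issue or of GitLab Runner's code: a triage script for API server audit logs that separates requests rejected with 401 and an empty `user` object (the pattern in the event above, where no credential was accepted) from 403 responses, where the caller was identified and authorization denied the request. The sample lines, IP addresses, audit IDs and the `example-runner` service account name are constructed.

```python
import json
from collections import Counter

# Constructed audit log lines modelled on the event quoted in the issue.
SAMPLE = "\n".join([
    # no identity resolved, rejected at authentication
    '{"auditID":"a-1","stage":"ResponseStarted","verb":"create","user":{},'
    '"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"stag"},'
    '"responseStatus":{"code":401}}',
    # same request reported again at a later stage
    '{"auditID":"a-1","stage":"ResponseComplete","verb":"create","user":{},'
    '"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"stag"},'
    '"responseStatus":{"code":401}}',
    # identity resolved, denied by authorization (hypothetical service account name)
    '{"auditID":"a-2","stage":"ResponseComplete","verb":"create",'
    '"user":{"username":"system:serviceaccount:ci:example-runner"},'
    '"sourceIPs":["10.0.0.6"],"objectRef":{"resource":"pods","namespace":"stag"},'
    '"responseStatus":{"code":403}}',
    '{"auditID":"a-3","stage":"Respon',  # truncated line, must be skipped
])

def classify(event):
    """Tell authentication failures apart from authorization failures."""
    code = (event.get("responseStatus") or {}).get("code")
    username = (event.get("user") or {}).get("username")
    if code == 401 and not username:
        return "unauthenticated"  # no credential was accepted (missing or invalid token)
    if code == 403:
        return "forbidden"        # caller identified, request denied by authorization
    return "other"

def summarize(log_text):
    """Count failed requests per (kind, source IP, verb, namespace, resource)."""
    seen, counts = set(), Counter()
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # blank or truncated line
        kind = classify(event) if isinstance(event, dict) else "other"
        if kind == "other" or event.get("auditID") in seen:
            continue  # one audit ID can appear at several stages; count it once
        seen.add(event.get("auditID"))
        ref = event.get("objectRef") or {}
        src = (event.get("sourceIPs") or ["unknown"])[0]
        counts[(kind, src, event.get("verb"), ref.get("namespace"), ref.get("resource"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

A burst of `unauthenticated` entries from a runner pod's IP right after an upgrade points at the client not presenting its token, while `forbidden` entries point at RBAC bindings instead.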