jenkins service account with helm

Time:09-10

I recently spun up a Jenkins environment using the Helm charts on an Azure AKS cluster. Now I am using the same code to spin up another one in a new namespace, but I am getting a service account error and also an error specifying that the clusterrole file has the old Jenkins namespace.

Here is the error:

kubectl apply -f jenkins-cluster-role.yaml -n sre-jenkins-dev
W0909 17:42:34.605675  801724 azure.go:92] WARNING: the azure auth plugin is deprecated in v1.22 , unavailable in v1.25 ; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
the namespace from the provided object "g2-jenkins-azure-test" does not match the namespace "sre-jenkins-dev". You must pass '--namespace=g2-jenkins-azure-test' to perform this operation.
Error from server (Forbidden): error when creating "jenkins-cluster-role.yaml": roles.rbac.authorization.k8s.io "jenkins" is forbidden: user "[email protected]" (groups=["eb23396d-dcda-447c-9170-a0c8076a357b" "18280a4d-d1a0-4803-9564-25b39ea976c9" "b19da962-807b-4c70-bec1-a9bd398994ef" "9a454ebc-a834-47cc-bf30-32cf5da2e7b8" "4cfe3d3c-7451-43f5-9383-9aaa8c3e3eec" "ffd08d90-cfde-41ed-8f5b-4ad552d6d4f2" "326b0833-06dc-48cc-901b-cd5a2c8f2f55" "f09c0918-f30d-49a3-8ee1-9b4c31b46a1d" "8583bf39-6097-4bfe-adb3-52ddc83d74df" "0049b45e-dd3d-4a5a-84a2-d47c77623fa9" "db332df0-189a-414f-bf85-f3d6da181f73" "baf28916-b1b6-4609-b839-a3a38a81d8f8" "7ac723f7-479a-40d4-948d-07aedd81fa22" "ea3fb65b-a24c-4dfb-ab15-261bc98e2008" "5e400bf8-854a-4968-b4bf-4036f3f227ec" "beebf838-9f8e-49af-91c9-b91599d7b928" "159bac4e-e9b2-4587-9e39-08976afab258" "f27c1c64-110d-41b9-968c-ca2baa1f6bdb" "0664a662-b3ec-4969-966c-900128c3e85e" "64db4962-6503-4d2d-93dc-62928ac02562" "875e26db-7a9b-4bba-bf78-3f3ae4652848" "a0536271-ab4a-455b-804f-53becf90ef79" "5b51592a-0305-4b68-b2a9-3fc6b63d00fb" "a87d8090-de3e-4974-9570-e0fba1106d44" "7383ebba-042e-4d69-aac2-e2b1d92a7f18" "624dd31c-5548-432e-9dde-494eadf39e5e" "bf717ac9-a0f4-4720-89e5-5f8ec06b63a8" "bd50316a-4c76-42cc-b6c2-16792094786b" "e74d47ca-3dcb-441f-8549-ee65899d7cea" "6585b549-328b-4c32-8ec8-533dc9956e98" "bc7b23dd-3452-4295-a903-406d47eb4970" "f424563a-c5e9-450e-abad-b77d514e20f5" "d1dcc687-242d-4dd4-8d2e-d92f8d66005f" "3601d0bb-3ff4-45b4-9281-68db2759e4db" "a173c05b-3d27-44f7-8939-0af71b6eb55e" "cc333aa8-7152-4aff-a061-da78d8132f46" "99a22687-d2c1-4963-9b86-1c713312deac" "a753b813-13d6-404c-b6ef-0175b17a71e1" "11c29681-2551-45b9-aecf-af947ba88d00" "b82a1cd3-ac29-4bd1-becb-1a4313984e16" "9828c9b5-c97b-40d9-868d-fd546f3d5e37" "20f9f732-081b-4e20-a4b4-06f55ce0c26b" "5710f504-a982-4968-b028-1cc25dea02a8" "354f5248-72a5-4cca-8758-13735c3ce390" "928129ad-2208-4664-b4da-aeece6a9d3e4" "8385d31c-a71c-4633-91bd-b6974c97c2ef" 
"44bfa9e9-3b9e-4d6c-9cec-867431aa8ae1" "0babda33-ce55-4a65-8448-c24b7fafc54c" "479cd609-a176-47b3-be7c-bc944dfe80dc" "cf765676-62be-4684-aabb-1ef226e37d54" "12ea7b35-2cd4-4312-aa2d-9825bddba29d" "df5432c9-2567-4b6a-af28-d500321a4aaa" "4d068cf0-633b-46da-a42f-fc50385a8933" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["nodes"], Verbs:["get" "list" "watch" "update"]}
{APIGroups:["*"], Resources:["configmaps"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["cronjobs"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["daemonsets"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["deployments"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["deployments/scale"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["endpoints"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["events"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["jobs"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["namespaces"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["persistentvolumeclaims"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["persistentvolumes"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["poddisruptionbudget"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["podpreset"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["pods"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["pods/exec"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["pods/log"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["podsecuritypolicies"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["podtemplates"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["replicasets"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["replicationcontrollers"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["secrets"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["services"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
{APIGroups:["*"], Resources:["statefulsets"], Verbs:["create" "get" "watch" "delete" "list" "patch" "update"]}
Error from server (NotFound): error when creating "jenkins-cluster-role.yaml": roles.rbac.authorization.k8s.io "jenkins" not found

Here is the clusterrole file for this:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: sre-jenkins-dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: jenkins
rules:
- apiGroups:
  - '*'
  resources:
  - statefulsets
  - services
  - replicationcontrollers
  - replicasets
  - podtemplates
  - podsecuritypolicies
  - pods
  - pods/log
  - pods/exec
  - podpreset
  - poddisruptionbudget
  - persistentvolumes
  - persistentvolumeclaims
  - jobs
  - endpoints
  - deployments
  - deployments/scale
  - daemonsets
  - cronjobs
  - configmaps
  - namespaces
  - events
  - secrets
  verbs:
  - create
  - get
  - watch
  - delete
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:jenkins

Thank you

CodePudding user response:

It looks like the user "[email protected]" doesn't have all the permissions he is assigning to the Service Account. In short, you can't assign those permissions to an account that you don't have.
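
The comparison behind the "attempting to grant RBAC permissions not currently held" message, as an added example that is not part of the original answers and not Kubernetes source code. It is a simplified model (it ignores resourceNames and non-resource URLs), and the HELD, REQUESTED and NARROWED rule sets are constructed sample data:

```python
# Added example: simplified model of the RBAC escalation check (not Kubernetes source).
from itertools import product

RBAC = "rbac.authorization.k8s.io"

def covers(held_values, wanted):
    # A held "*" covers anything; a requested "*" is only covered by a held "*".
    return "*" in held_values or wanted in held_values

def is_held(held_rules, group, resource, verb):
    """True if any single held rule grants this (apiGroup, resource, verb)."""
    return any(
        covers(r["apiGroups"], group)
        and covers(r["resources"], resource)
        and covers(r["verbs"], verb)
        for r in held_rules
    )

def uncovered(held_rules, requested_rules):
    """Permissions in requested_rules that the caller does not already hold."""
    # Holding the "escalate" verb on roles bypasses the comparison entirely.
    if is_held(held_rules, RBAC, "roles", "escalate"):
        return []
    return sorted(
        perm
        for rule in requested_rules
        for perm in product(rule["apiGroups"], rule["resources"], rule["verbs"])
        if not is_held(held_rules, *perm)
    )

# Constructed sample: a user who administers workloads in one namespace.
HELD = [
    {"apiGroups": ["", "apps"], "resources": ["pods", "configmaps", "deployments"], "verbs": ["*"]},
    {"apiGroups": [RBAC], "resources": ["roles", "rolebindings"], "verbs": ["create", "get", "update"]},
]
# Constructed, trimmed-down version of the Role in the question.
REQUESTED = [
    {"apiGroups": ["*"], "resources": ["pods", "secrets"], "verbs": ["get", "create"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
]
# Same intent, narrowed to explicit API groups and resources the user holds.
NARROWED = [{"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "create"]}]

if __name__ == "__main__":
    for group, resource, verb in uncovered(HELD, REQUESTED):
        print(f"not held: apiGroup={group!r} resource={resource!r} verb={verb!r}")
    print("narrowed role uncovered:", uncovered(HELD, NARROWED))
```

On a live cluster, `kubectl auth can-i --list -n sre-jenkins-dev` prints the rules the current user holds in that namespace, which is the HELD side of this comparison.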

CodePudding user response:

The error revolves around the user's permissions:

Error from server (Forbidden): error when creating "jenkins-cluster-role.yaml": roles.rbac.authorization.k8s.io "jenkins" is forbidden: user "[email protected]"

You can follow this link, Kubernetes Service Account Descriptor, for more details.
