Checks
Controller Version
0.9.3
Deployment Method
Helm
Checks
To Reproduce
Hi,
when you use

```yaml
containerMode:
  type: "kubernetes"
```

try to push some file to S3: "An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied"
Describe the bug
The Helm behavior is to create a Service account and use it in a RoleBinding; it's using its "new" role, and this role doesn't have and will not have permissions. This issue limits the use of the container: we can't push or use the pods to access AWS services (yes, we can add an access key and secret), but that misses the point of using roles.

```yaml
containerMode:
  type: "kubernetes"
```

I am not sure why we can't use our role that we set in the controller for all the workers? I did see that in the "RoleBinding" you bind it to the "controller" service account, but it's transparent to the pods.
In my debug path it tries to add the above to my pods:
```yaml
template:
  spec:
    metadata:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXX:role/gha-runner
    serviceAccountName: gha-runner
    containers:
      - name: runner
        image: XXXXXXXXXX
        imagePullPolicy: Always
        command: ["/home/runner/run.sh"]
        resources:
          limits:
            cpu: 2000m
            memory: 8Gi
          requests:
            cpu: 1000m
            memory: 4Gi
        securityContext:
          privileged: true
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: service
                  operator: In
                  values:
                    - gha-run
```
In this test I see the pods have all the access they need, but they get access issues:

```text
Error: Error: The Service account needs the following permissions [{"group":"","verbs":["get","list","create","delete"],"resource":"pods","subresource":""},{"group":"","verbs":["get","create"],"resource":"pods","subresource":"exec"},{"group":"","verbs":["get","list","watch"],"resource":"pods","subresource":"log"},{"group":"batch","verbs":["get","list","create","delete"],"resource":"jobs","subresource":""},{"group":"","verbs":["create","delete","get","list"],"resource":"secrets","subresource":""}] on the pod resource in the 'gha-runner' namespace. Please contact your self hosted runner administrator.
```

I can't understand the error, as it uses the role that has all the access it needs (I know it's expecting a different role). I am not sure why I can't "overwrite" it.
Controller config:
```yaml
replicaCount: 1
image:
  repository: "ghcr.io/actions/gha-runner-scale-set-controller"
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::XXXXXXX:role/gha-runner"
  name: "vu-dev-gha-runner"
flags:
  logLevel: "debug"
  logFormat: "json"
  watchSingleNamespace: "gha-runner"
  updateStrategy: "immediate"
```
Describe the expected behavior
N/A
Additional Context
Controller Logs
Runner Pod Logs
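The hook error in the report enumerates exactly which RBAC permissions the runner's service account needs in kubernetes container mode. The manifest below is an added example, not from the issue or the project's chart: it gives the `gha-runner` service account (in the `gha-runner` namespace, both taken from the report) a namespaced Role with only those rules, while keeping the IRSA annotation so AWS access still comes from the IAM role rather than static keys. The IAM role ARN stays the placeholder used in the report.

```yaml
# Constructed example (not from the issue or the project's chart).
# Assumes the namespace "gha-runner" and the service account "gha-runner"
# named in the report; the IAM role ARN remains the placeholder used there.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gha-runner
  namespace: gha-runner
  annotations:
    # IRSA: pods get AWS credentials from this role, not from an access key/secret
    eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXX:role/gha-runner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gha-runner-kube-mode
  namespace: gha-runner
rules:
  # Exactly the permissions listed in the hook error message, nothing broader
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "create", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "delete", "get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gha-runner-kube-mode
  namespace: gha-runner
subjects:
  - kind: ServiceAccount
    name: gha-runner
    namespace: gha-runner
roleRef:
  kind: Role
  name: gha-runner-kube-mode
  apiGroup: rbac.authorization.k8s.io
```

After applying it, confirm the binding took effect with `kubectl auth can-i create pods --subresource=exec -n gha-runner --as=system:serviceaccount:gha-runner:gha-runner`, which should answer `yes`.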