Jenkins deployment with Kubernetes plugin does not have cluster access using RBAC #1092
Comments
Is this required for the kubernetes plugin to spin up new slaves? I think I just ran into the same issue.
|
Which service account is the plugin using? Is it possible to specify a different service account to use for the kubernetes plugin? It does not seem to give that option when I add a |
You can create a service account like this with rbac enabled. I don't think it needs cluster-admin but I haven't narrowed it down. https://gist.github.com/lachie83/17c1fff4eb58cf75c5fb11a4957a64d2 Then go configure k8s service account credentials in Jenkins and update the credentials config under the cloud section. |
I confirm this works. Created the SA manually and assigned it to the Jenkins configuration. Will this be integrated into the chart? |
I feel that service account provisioning and configuration is outside the scope of a chart. You would also need to automate the creation of the credentials inside Jenkins, which we're currently not doing. I think the best step forward is to document the setup steps in the readme. |
I think this is reasonable and can be made conditional. See linked PR |
@carlosedp Would this be helpful? |
Yes, absolutely @lachie83. Thanks! |
* Introduce AlwaysPullImage value for testing custom Docker slave images
* Add volumes for Agents
* jenkins: version bump
* Missing Volume.Type. Good catch :)
* Add service account and CRB for RBAC enabled clusters Closes helm#1092
* [stable/jenkins] Added nodeselector support for Jenkins
* Bump chart version number
* Document new values in README.md
* jenkins: bump chart version
* Update Jenkins and plugins to latest versions
* Do not expose the agent port on LB
* Fix agent tunnel config
Hello @carlosedp @lachie83 !
while the helm chart creates a service account like: jenkins-jenkins |
I just tried the fix that @lachie83 mentions in Gist. I then created the kubernetes service account as jenkins. When I go and update the configuration and test it, I get the following error:
Any ideas what more I could do to find out what is going on? |
How do you configure the plugin to use a specific Service Account that's been created for jenkins?
|
I followed the steps here: https://www.blazemeter.com/blog/how-to-setup-scalable-jenkins-on-top-of-a-kubernetes-cluster However, when setting up the connection to the Kubernetes URL in the Cloud configuration I would receive the error mentioned previously:
I was able to run the command listed by @carlosedp and I was able to connect successfully:
|
The commands below will grant permissions to all service accounts in the cluster: The official Kubernetes documentation does not approve of this practice: Use this permissive binding only for the namespace in which Jenkins was deployed: i.e. jenkins, kubernetes-plugin example: Therefore, the commands above will grant permissions only to service accounts inside the namespace which you specified. |
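Added example, not part of the thread or of the chart: a namespace-scoped alternative to the `cluster-admin` binding discussed in this issue, giving one dedicated service account only pod-management rights in its own namespace. The namespace `jenkins`, the name `jenkins-agent-manager` and the verb list are assumptions; trim the verbs to what your agents actually need.

```yaml
# Added example. Names and the verb list are assumptions, not taken from the chart.
# Weak setting from the issue, for contrast (cluster-admin for every service account):
#   kubectl create clusterrolebinding permissive-binding --clusterrole=cluster-admin \
#     --user=admin --user=kubelet --group=system:serviceaccounts
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-agent-manager   # hypothetical name
  namespace: jenkins            # assumed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # namespaced, unlike a ClusterRole
metadata:
  name: jenkins-agent-manager
  namespace: jenkins
rules:
  - apiGroups: [""]
    resources: ["pods"]         # create and clean up agent pods
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]    # run steps inside agent containers
    verbs: ["create", "get"]
  - apiGroups: [""]
    resources: ["pods/log"]     # read agent logs
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding               # binds only this one account, only in this namespace
metadata:
  name: jenkins-agent-manager
  namespace: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins-agent-manager
    namespace: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-agent-manager
```

After applying, `kubectl auth can-i create pods -n jenkins --as=system:serviceaccount:jenkins:jenkins-agent-manager` should answer yes, and the same query with `-n kube-system` should answer no.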
I've deployed the Jenkins chart that comes bundled with the Jenkins Kubernetes plugin but the plugin needs cluster access to create its test pods.
Since the chart is deployed with the default serviceaccount, I need to grant full access to all serviceaccounts to the cluster with the command:
kubectl create clusterrolebinding permissive-binding --clusterrole=cluster-admin --user=admin --user=kubelet --group=system:serviceaccounts
It would be better if Jenkins could be deployed with a specific account and grant the cluster-admin role just to it.