
setting up build pod: Timed out while waiting for ServiceAccount/<service_account_name> to be present in the cluster

I am using Helm charts to deploy GitLab Runner into a Kubernetes cluster. I want the pods created when the runner is triggered to have a custom service account instead of the default one. I created a role and a cluster role and did the role bindings.

However, I am getting the following error when running a CI job

From Gitlab CI

Running with gitlab-runner 15.0.0 (cetx4b)
  on initial-runner -P-d1RhT
Preparing the "kubernetes" executor
00:00
Using Kubernetes namespace: namespace_test
Using Kubernetes executor with image registry.gitlab.com/docker-images/ubuntu-base:latest ...
Using attach strategy to execute scripts...
Preparing environment
00:05
ERROR: Job failed (system failure): prepare environment: setting up build pod: Timed out while waiting for ServiceAccount/gitlab-runner to be present in the cluster. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

List roles and service accounts

# get rolebindings & clusterrolebindings
kubectl get rolebindings,clusterrolebindings -n namespace_test | grep gitlab-runner

# output

# rolebinding.rbac.authorization.k8s.io/gitlab-runner             Role/gitlab-runner
# clusterrolebinding.rbac.authorization.k8s.io/gitlab-runner      ClusterRole/gitlab-runner

---

# get serviceaccounts
kubectl get serviceaccounts -n namespace_test

# output

# NAME                   SECRETS   AGE
# default                1         6h50m
# gitlab-runner          1         24m
# kubernetes-dashboard   1         6h50m
# mysql                  2         6h49m

helm values

runners:
  concurrent: 8
  name: initial-runner
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "namespace_test"
        image = "registry.gitlab.com/docker-images/ubuntu-base:latest"
        service_account = "gitlab-runner"
  tags: base

rbac:
  create: false
  serviceAccountName: gitlab-runner

Any ideas on how to solve this issue?

In my case, I forgot to grant the "gitlab-runner" cluster role the correct permissions on the "serviceaccounts" resource.

Ensure the role that is attached to your Gitlab runner has the following specification:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["list", "get", "create", "delete", "update"]
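
As an added example (not part of the original answer and not GitLab's code): an offline Python check that compares a Role's rules against the rules in the answer above, using Kubernetes RBAC matching for `*` and `*/subresource`. The "before" Role is constructed for illustration, since the question does not show its Role.

```python
# Added example: offline RBAC rule check. Names below are illustrative.
V = ["list", "get", "create", "delete", "update"]

# Rules copied from the Role in the answer; the four rules that share the
# same verb list are merged into one entry (equivalent under RBAC).
ANSWER_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["list", "get", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    {"apiGroups": [""], "verbs": V,
     "resources": ["secrets", "configmaps", "pods/attach", "serviceaccounts"]},
]

# Constructed "before" Role: the same rules without "serviceaccounts".
BEFORE_RULES = ANSWER_RULES[:3] + [
    {"apiGroups": [""], "verbs": V,
     "resources": ["secrets", "configmaps", "pods/attach"]},
]

def resource_matches(rule_resources, resource):
    """RBAC resource match: '*', exact name, or '*/<subresource>'."""
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    return any(r == "*" or r == resource or (sub and r == "*/" + sub)
               for r in rule_resources)

def allowed(rules, resource, verb, api_group=""):
    """True if any single rule grants verb on resource in api_group."""
    return any(
        ("*" in rule.get("apiGroups", []) or api_group in rule.get("apiGroups", []))
        and resource_matches(rule.get("resources", []), resource)
        and ("*" in rule.get("verbs", []) or verb in rule.get("verbs", []))
        for rule in rules
    )

def pairs(rules):
    """Flatten rules into (resource, verb) pairs."""
    return [(r, v) for rule in rules for r in rule["resources"] for v in rule["verbs"]]

def missing(rules, reference):
    """Pairs granted by the reference rules but not by the rules under test."""
    return [(r, v) for r, v in pairs(reference) if not allowed(rules, r, v)]

if __name__ == "__main__":
    for resource, verb in missing(BEFORE_RULES, ANSWER_RULES):
        print(f"missing: {verb} {resource}")
```

Against a live cluster, `kubectl auth can-i get serviceaccounts -n namespace_test --as=system:serviceaccount:<namespace>:gitlab-runner` answers the same question for the runner's identity, where `<namespace>` is a placeholder for the namespace that holds the service account.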
