Description
Checks
- I've already read https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors and I'm sure my issue is not covered in the troubleshooting guide.
- I am using charts that are officially provided
Controller Version
0.9.3
Deployment Method
Helm
Checks
- This isn't a question or user support case (For Q&A and community support, go to Discussions).
- I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
To Reproduce
Hi,
When you use the

```yaml
containerMode:
  type: "kubernetes"
```

try to push some file to S3: "An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied"
Describe the bug
The Helm behavior is to create a Service Account and use it in the RoleBinding; it's using its "new" role, and this role doesn't have and will not have permissions. This issue limits the use of the container, and we can't push or use the pods to access AWS services (yes, we can add an access key and secret), but that misses the point of using roles.

```yaml
containerMode:
  type: "kubernetes"
```

I am not sure why we can't use our role that we set in the controller for all the workers? I did see in the "RoleBinding" you bind it to the "controller" service account, but it's transparent to the pods.
In my debug path it tries to add the above to my pods:
```yaml
template:
  spec:
    metadata:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXX:role/gha-runner
    serviceAccountName: gha-runner
    containers:
      - name: runner
        image: XXXXXXXXXX
        imagePullPolicy: Always
        command: ["/home/runner/run.sh"]
        resources:
          limits:
            cpu: 2000m
            memory: 8Gi
          requests:
            cpu: 1000m
            memory: 4Gi
        securityContext:
          privileged: true
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: service
                  operator: In
                  values:
                    - gha-run
```
In this test I see the pods have all the access they need, but they get access issues:

```
Error: Error: The Service account needs the following permissions [{"group":"","verbs":["get","list","create","delete"],"resource":"pods","subresource":""},{"group":"","verbs":["get","create"],"resource":"pods","subresource":"exec"},{"group":"","verbs":["get","list","watch"],"resource":"pods","subresource":"log"},{"group":"batch","verbs":["get","list","create","delete"],"resource":"jobs","subresource":""},{"group":"","verbs":["create","delete","get","list"],"resource":"secrets","subresource":""}] on the pod resource in the 'gha-runner' namespace. Please contact your self hosted runner administrator.
```

I can't understand the error, as it uses the role that has all the access it needs (I know it's expecting a different role). I am not sure why I can't "overwrite" it.
Controller config:

```yaml
replicaCount: 1
image:
  repository: "ghcr.io/actions/gha-runner-scale-set-controller"
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::XXXXXXX:role/gha-runner"
  name: "vu-dev-gha-runner"
flags:
  logLevel: "debug"
  logFormat: "json"
  watchSingleNamespace: "gha-runner"
  updateStrategy: "immediate"
```

Describe the expected behavior
N/A
Additional Context
N/A
Controller Logs
N/A
Runner Pod Logs
N/A