
Don't have permission to view all the namespaces in the cluster


I tried to add gitlab-agent to the environment and select the namespace and Flux customization there, but I get errors.


I'm using the self-managed version of GitLab, hosted on Kubernetes.

Install command for gitlab-agent:

helm upgrade --install h gitlab/gitlab-agent \
    --namespace gitlab-agent-h \
    --create-namespace \
    --set image.tag=v17.2.2 \
    --set config.token=token \
    --set config.kasAddress=wss://kas.domain.com

gitlab-agent configuration at path .gitlab/agents/my-agent/config.yaml in the repository:

user_access:
  access_as:
    agent: {}
  groups:
    - id: LearnHub
    - id: LearnHub/Frontend
    - id: LearnHub/Identity
ci_access:
  groups:
    - id: LearnHub
    - id: LearnHub/Frontend
    - id: LearnHub/Identity

Install command for Flux:

flux bootstrap gitlab \
--hostname=gitlab.domain.com \
--owner=Flux-LearnHub \
--repository=Flux \
--branch=main \
--path=clusters/production \
--deploy-token-auth

Adding a repository:

flux create source git learnhub-mainpage \
  --url=https://gitlab.domain.com/learnhub/frontend/mainpage.git \
  --branch=main \
  --interval=1m \
  --namespace=flux-system \
  --username=username \
  --password=token
flux create kustomization learnhub-mainpage-kustomization \
  --source=GitRepository/learnhub-mainpage.flux-system \
  --path="./manifests" \
  --prune=true \
  --interval=5m \
  --namespace=flux-system

And I don't see the Flux customization or the namespace in the selection.

I tried to manually grant the gitlab-agent the cluster-admin role for testing:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-agent-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: learnhub-gitlab-agent # name of the ServiceAccount
  namespace: gitlab-agent

And I made sure that gitlab-agent has rights to all namespaces, but still nothing appears in the list. Tell me how to fix this.

I also noticed that all requests that access GitLab KAS return with error 401, and this specifically applies to those requests for which I created a question.

https://kas.domain.com/k8s-proxy/api/v1/namespaces
https://kas.domain.com/k8s-proxy/apis/kustomize.toolkit.fluxcd.io/v1/namespaces/gitlab-agent/kustomizations
https://kas.domain.com/k8s-proxy/apis/helm.toolkit.fluxcd.io/v2beta1/namespaces/gitlab-agent/helmreleases

General answer

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "GitLab Agent Server: Unauthorized: no valid credentials provided",
  "reason": "Unauthorized",
  "code": 401
}
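
The 401 above is returned by KAS itself (the message names "GitLab Agent Server"), so the cluster-admin binding does not affect it and can be swapped for a read-only role. The manifest below is an added example, not part of the original post: it grants read access only to the three resources requested in the k8s-proxy URLs above. The names `gitlab-agent-dashboard-read` are hypothetical, the ServiceAccount name and namespace are copied from the binding above, and whether the GitLab UI needs further resources is an assumption to verify.

```yaml
# Added example: read-only replacement for the cluster-admin test binding.
# Role and binding names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-agent-dashboard-read
rules:
  # /k8s-proxy/api/v1/namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  # /k8s-proxy/apis/kustomize.toolkit.fluxcd.io/v1/.../kustomizations
  - apiGroups: ["kustomize.toolkit.fluxcd.io"]
    resources: ["kustomizations"]
    verbs: ["get", "list", "watch"]
  # /k8s-proxy/apis/helm.toolkit.fluxcd.io/v2beta1/.../helmreleases
  - apiGroups: ["helm.toolkit.fluxcd.io"]
    resources: ["helmreleases"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-agent-dashboard-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-agent-dashboard-read
subjects:
  # Same subject as the test binding in the question; adjust both values
  # to the ServiceAccount the agent's Helm release actually created.
  - kind: ServiceAccount
    name: learnhub-gitlab-agent
    namespace: gitlab-agent
```

After applying it, delete the `gitlab-agent-cluster-admin` binding so the agent no longer holds cluster-admin.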

Solution

  • In my case the problem was the separate domains, as stated in the answer. Merging kas.domain.com and gitlab.domain.com into one domain helped me. In this case, the request goes to this URL:

    https://gitlab.domain.com/k8s-proxy/api/v1/namespaces
    

    Instead of:

    https://kas.domain.com/k8s-proxy/api/v1/namespaces
    

    The problem I had was that when I just had 2 ingresses responsible for GitLab and KAS, the web server would access the old domain and get a 404. This was fixed by this parameter when updating GitLab:

    --set global.hosts.kas.name=gitlab.domain.com
    

    The KAS Helm chart is built into the GitLab Helm chart.

    After the above action, we change the ingress by merging the 2 domains into 1, and we get something similar to this:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: gitlab-ingress
      namespace: gitlab
      annotations:
        cert-manager.io/issuer: "letsencrypt-prod"
    spec:
      ingressClassName: nginx
      rules:
        - host: gitlab.domain.com
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: gitlab-webservice-default
                    port:
                      number: 8181
              - path: /k8s-proxy/
                pathType: Prefix
                backend:
                  service:
                    name: gitlab-kas
                    port:
                      number: 8154
              - path: /kas
                pathType: Prefix
                backend:
                  service:
                    name: gitlab-kas
                    port:
                      number: 8150
      tls:
        - hosts:
            - gitlab.domain.com
          secretName: gitlab-tls
    
    

    Other possible problems associated with this error