passing service-account flag gives the message there isn't a valid docker environment #105

Open
Daniel-Jacob opened this issue Dec 6, 2024 · 6 comments
Labels
question Further information is requested

Comments


Daniel-Jacob commented Dec 6, 2024

I am trying to set up kubedock. When I don't pass the service account flag, I run into the issue that the basic service account doesn't have privileges to create the pod. When I pass the service account flag in a GitLab pipeline like this:

services:
  - name: some-kubedock-image # --> official image
    command: ["server", "--reverse-proxy", "--service-account my-serviceaccount"]

It throws the exception that no valid Docker environment can be found. Docker is not installed on our cluster. We use a job to build images and push them to Kubernetes.

@joyrex2001
Owner

I think the error is in the arguments:
["server", "--reverse-proxy", "--service-account my-serviceaccount"] should be ["server", "--reverse-proxy", "--service-account", "my-serviceaccount"]

@joyrex2001 joyrex2001 added the question Further information is requested label Dec 7, 2024
@Daniel-Jacob
Author

I just tried, but I am still getting the following exception:

com.github.dockerjava.api.exception.InternalServerErrorException: Status 500: {"message":"pods is forbidden: User "system:serviceaccount:namespace:default" cannot create resource "pods" in API group "" in the namespace "namespace""}

It doesn't seem to be setting the service account.

@joyrex2001
Owner

The service account argument makes sure the pods that are created by kubedock have the specified service account configured. Your error is about kubedock itself not having the permissions to create pods. The token kubedock is using should have the proper RBAC as well.

@Daniel-Jacob
Author

True, but I see in the logs it is grabbing the default service account and not the one I specified. I have created a service account with the RBAC permissions and tied the permissions to the service account.

Sgitario commented Jan 9, 2025

The same happens to me. I passed the service-account with the valid arguments:

apiVersion: v1
kind: Pod
spec:
  containers:
    - name: kubedock
      image: kubedock
      imagePullPolicy: Always
      tty: true
      args:
       - server
       - --port-forward
       # Verbosity level which is helpful to troubleshoot issues when starting up containers
       - -v
       - "10"
       # Service account from jenkins cluster having port-forward permissions
       - --service-account
       - my-service-account

I do see my service account is used at start:

> start log of container 'kubedock' in pod 'xxx'
I0109 05:57:09.910060       1 main.go:29] kubedock 0.17.0 (20240802-191436) / kubedock.id=c40cdbaf9bd9
I0109 05:57:09.910767       1 main.go:109] kubernetes config: namespace=dno--jenkins-csb-smqe, initimage=joyrex2001/kubedock:0.17.0, dindimage=joyrex2001/kubedock:0.17.0, ready timeout=1m0s
I0109 05:57:09.910988       1 main.go:118] kubedock url: http://172.19.6.154:2475/
I0109 05:57:09.911558       1 main.go:165] reaper started with max container age 1h0m0s
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:	export GIN_MODE=release
 - using code:	gin.SetMode(gin.ReleaseMode)
I0109 05:57:09.911682       1 main.go:96] port-forwarding services to 127.0.0.1
I0109 05:57:09.912224       1 main.go:128] default image pull policy: ifnotpresent
I0109 05:57:09.912594       1 main.go:131] service account used in deployments: my-service-account
I0109 05:57:09.912614       1 main.go:134] pod name prefix: kubedock
I0109 05:57:09.912644       1 main.go:138] using namespace: dno--jenkins-csb-smqe

But when trying to use it, it fails with:

E0109 06:03:09.039864       1 deploy.go:194] port-forward failed: error upgrading connection: pods "kubedock-96498797e1db" is forbidden: User "system:serviceaccount:dno--jenkins-csb-smqe:default" cannot create resource "pods/portforward" in API group "" in the namespace "dno--jenkins-csb-smqe"

Note that dno--jenkins-csb-smqe is used instead of my-service-account.

@joyrex2001
Owner

See also: #122 (comment)

joyrex2001 added a commit that referenced this issue Jan 12, 2025
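
The denial messages quoted in this thread name the identity that made the API call and the permission it lacked. As an added example (not part of the thread and not kubedock's code), the following parses those two messages, splits the service account user into namespace and name, compares the name with the `--service-account` value, and derives the Role rule that would allow the denied request. The function names and the `flag_value` parameter are hypothetical.

```python
import re

# Shape of the Kubernetes RBAC denial text quoted in this thread.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)

def parse_denial(line):
    """Return who was denied what, or None if the line is not an RBAC denial."""
    m = DENIAL.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # Service account users are named system:serviceaccount:<namespace>:<name>.
    parts = d["user"].split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        d["sa_namespace"], d["sa_name"] = parts[2], parts[3]
    else:
        d["sa_namespace"] = d["sa_name"] = None
    return d

def diagnose(line, flag_value):
    """Compare the denied caller with the value passed to --service-account."""
    d = parse_denial(line)
    if d is None:
        return None
    return {
        "caller": (d["sa_namespace"], d["sa_name"]),
        "caller_is_flag_account": d["sa_name"] == flag_value,
        # Role rule that would allow exactly the denied request.
        "rule": {"apiGroups": [d["group"]], "resources": [d["resource"]],
                 "verbs": [d["verb"]]},
    }

# The two denial messages from the comments above (log prefix trimmed).
SAMPLES = [
    'Status 500: {"message":"pods is forbidden: User "system:serviceaccount:namespace:default" cannot create resource "pods" in API group "" in the namespace "namespace""}',
    'pods "kubedock-96498797e1db" is forbidden: User "system:serviceaccount:dno--jenkins-csb-smqe:default" cannot create resource "pods/portforward" in API group "" in the namespace "dno--jenkins-csb-smqe"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(diagnose(sample, "my-service-account"))
```

In both messages the caller is the `default` service account of the namespace, not the account given to `--service-account`, and the derived rules are `create` on `pods` and on `pods/portforward`.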