
I have an application that uses a database. I want to set up a GitLab CI/CD pipeline to deploy my app to a Kubernetes cluster. My issue right now is that I can't seem to get persistent storage to work. My thought processes are as follows:

Create a persistent Volume -> Create a persistent Volume Claim -> Mount that PVC to my pod running a database

I am running into the issue that a PV is a system-wide configuration, so GitLab can't seem to create one. If I manage to make a PV before deployment, GitLab only allows me to work with objects within a specific namespace. This means the PVC won't see the PV I created when my pipeline is run.

manifest.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-sql0001
  labels:
    type: amazoneEBS
spec:
  capacity: 
    storage: 15Gi
  accessModes:
    - ReadWriteOnce
  awsElasticBlockStore:
    volumeID: <volume ID>
    fsType: ext4
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sql-pvc
  labels:
    type: amazoneEBS
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 15Gi
  selector:
    matchLabels:
      type: "amazoneEBS"

kubectl Error

kubectl apply -f manifest.yaml
persistentvolumeclaim/sql-pvc created
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=persistentvolumes", GroupVersionKind: "/v1, Kind=PersistentVolume"
Name: "pv-sql0001", Namespace: ""
from server for: "manifest.yaml": persistentvolumes "pv-sql0001" is forbidden: User "system:serviceaccount:namespace:namespace-service-account" cannot get resource "persistentvolumes" in API group "" at the cluster scope

I tried what was recommended in @Rakesh Gupta's post, but I am still getting the same error. Unless I am misunderstanding.

eddy@DESKTOP-1MHAKBA:~$ kubectl describe  ClusterRole  stateful-site-26554211-CR --namespace=stateful-site-26554211-pr
Name:         stateful-site-26554211-CR
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                      Non-Resource URLs  Resource Names  Verbs
  ---------                      -----------------  --------------  -----
  namespaces                     []                 []              [list watch create]
  nodes                          []                 []              [list watch create]
  persistentvolumes              []                 []              [list watch create]
  storageclasses.storage.k8s.io  []                 []              [list watch create]

eddy@DESKTOP-1MHAKBA:~$ kubectl describe  ClusterRoleBinding  stateful-site-26554211-CRB --namespace=stateful-site-26554211-production
Name:         stateful-site-26554211-CRB
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  stateful-site-26554211-CR
Subjects:
  Kind            Name                                               Namespace
  ----            ----                                               ---------
  ServiceAccount  stateful-site-26554211-production-service-account  stateful-site-26554211-production

Any insight into how I should do this would be appreciated. I might just be doing this all wrong, and maybe there is a better way. I will be around to answer any questions.

IdecEddy
  • If you use AWS EBS, you typically don't need to create a `PV`, but just the `PVC`. – Jonas May 28 '21 at 20:42
  • @Jonas I can test this but how will my `PVC` know where to connect to. I haven't seen any documentation where they describe how to define the volume ID and File System Type. – IdecEddy May 28 '21 at 20:45
  • Your cluster should be running a [volume provisioner](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#dynamic) that automatically creates the PersistentVolume for you. – David Maze May 28 '21 at 22:06
  • @IdecEddy PVC should handle it for you. – Rakesh Gupta May 28 '21 at 22:06
  • What about the result of running `kubectl auth can-i get pv` ? When running `kubectl` you're not using SA `stateful-site-26554211-production-service-account`. Note that the error says: `persistentvolumes "pv-sql0001" is forbidden: User "system:serviceaccount:namespace:namespace-service-account" cannot get resource "persistentvolumes" in API group "" at the cluster scope`. It looks like for some reason your user is set to `"system:serviceaccount:namespace:namespace-service-account"`. – mario May 31 '21 at 16:59

1 Answer


You need to create a ServiceAccount, ClusterRole and ClusterRoleBinding, as PV, PVC and Nodes are cluster-scoped objects.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <name of your cluster role>
rules:
- apiGroups: [""]
  resources:
  - nodes
  - persistentvolumes
  - namespaces
  # "get" is the verb the error above reports as denied; kubectl apply needs get plus create/patch
  verbs: ["get", "list", "watch", "create", "patch"]
- apiGroups: ["storage.k8s.io"]
  resources:
  - storageclasses
  verbs: ["get", "list", "watch", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1   # rbac v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: <name of your cluster role binding>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <name of your cluster role which should be matched with the previous one>
subjects:
  - kind: ServiceAccount
    name: <service account name>
    namespace: <namespace of the service account>   # required for ServiceAccount subjects

Reference: https://stackoverflow.com/a/60617584/2777988

If this does not work, you may try to remove the "PersistentVolume" section from your yaml. It looks like your setup doesn't allow PersistentVolume creation. However, the PVC may in turn create a PV.

Rakesh Gupta
  • I tried what you recommended but I am still getting the same error. I updated my answer with some more details. Mostly the output of the description for the `CRB` and `CR` we created. – IdecEddy May 28 '21 at 21:11
  • Add create to the verbs array, like verbs: ["list", "watch", "create"], and retry. – Rakesh Gupta May 28 '21 at 21:25
  • I added the create flag to the verbs and it still gives me the same error. I updated my answer to show the new descriptions. – IdecEddy May 28 '21 at 21:44
  • Next, you should try to remove the "PersistentVolume" section from your yaml. It looks like your setup doesn't allow PersistentVolume creation. However, the PVC may in turn create a PV. Give it a shot. – Rakesh Gupta May 28 '21 at 22:03
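Added example (not from the question, the answer or any of the commenters): it parses the Forbidden error quoted in the question, derives the least-privilege ClusterRole and ClusterRoleBinding (or Role and RoleBinding when the denied resource is namespaced) for exactly the service account the API server named, adds the verbs `kubectl apply` issues, and checks whether the ClusterRoleBinding subject shown in the question's `kubectl describe` output is that same service account, which is the mismatch mario's comment points to. The names `pv-applier`, `APPLY_VERBS` and the function names are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

APPLY_VERBS = ["get", "create", "patch"]  # verbs `kubectl apply` issues for each object
# Constructed sample: the denial quoted in the question's kubectl output.
SAMPLE_ERROR = ('persistentvolumes "pv-sql0001" is forbidden: User '
                '"system:serviceaccount:namespace:namespace-service-account" cannot get '
                'resource "persistentvolumes" in API group "" at the cluster scope')
# Matches the API server's RBAC denial text (cluster-scoped or namespaced form).
_FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")')

def parse_forbidden(msg: str) -> Optional[dict]:
    """Extract subject, verb, resource, API group and scope from a Forbidden error."""
    m = _FORBIDDEN.search(msg)
    if m is None:
        return None
    return {"user": m["user"], "verb": m["verb"], "resource": m["resource"],
            "group": m["group"], "namespace": m["ns"], "cluster_scoped": m["ns"] is None}

def service_account_of(user: str) -> Optional[Tuple[str, str]]:
    """'system:serviceaccount:<ns>:<name>' -> (ns, name); None for other subjects."""
    p = user.split(":")
    return (p[2], p[3]) if len(p) == 4 and p[:2] == ["system", "serviceaccount"] else None

def minimal_rbac(err: dict, role_name: str = "pv-applier") -> List[dict]:
    """Least-privilege role and binding for exactly the denied service account: ClusterRole +
    ClusterRoleBinding for cluster-scoped resources, otherwise Role + RoleBinding in its namespace."""
    sa = service_account_of(err["user"])
    if sa is None:
        raise ValueError("only service-account subjects are handled here")
    cluster = err["cluster_scoped"]
    meta = {"name": role_name} if cluster else {"name": role_name, "namespace": err["namespace"]}
    role = {"apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole" if cluster else "Role", "metadata": meta,
            "rules": [{"apiGroups": [err["group"]], "resources": [err["resource"]],
                       "verbs": sorted(set(APPLY_VERBS) | {err["verb"]})}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1",
               "kind": "ClusterRoleBinding" if cluster else "RoleBinding",
               "metadata": dict(meta, name=role_name + "-binding"),
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role["kind"], "name": role_name},
               # A ServiceAccount subject must name its namespace or the binding is invalid.
               "subjects": [{"kind": "ServiceAccount", "name": sa[1], "namespace": sa[0]}]}
    return [role, binding]

def binding_covers(err: dict, bound_ns: str, bound_sa: str) -> bool:
    """True if a binding's ServiceAccount subject is the subject the error names."""
    return service_account_of(err["user"]) == (bound_ns, bound_sa)
```

Feeding it the question's error and the subject from the question's ClusterRoleBinding returns False from `binding_covers`, so the binding shown grants nothing to the account that was actually denied, whatever verbs it lists.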