# RBAC Fix Summary

## Problem

```
Error from server (Forbidden): deployments.apps "buildah-external" is forbidden: User "system:serviceaccount:apps--droneio--prd:default" cannot patch resource "deployments/scale" in API group "apps" in the namespace "apps--droneio--prd"
```

## Root Cause

The `default` service account in the `apps--droneio--prd` namespace was bound to the `drone-build-role`, but that role didn't have permissions to scale deployments.

## Solution Applied

Updated the `drone-build-role` to include:

### NEW Permissions Added:

- `deployments.apps` with verbs: `[get, list, watch]`
- `deployments.apps/scale` with verbs: `[get, update, patch]`
- Enhanced `pods` permissions with verbs: `[get, list, watch, create, delete]`
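
A Role carrying exactly the permissions listed above, plus the RoleBinding that attaches it to the namespace's `default` service account, written here as an added example rather than the manifest actually applied in this repository; the RoleBinding name and the optional `resourceNames` narrowing are assumptions, not taken from the page.

```yaml
# Added example, not the repository's own manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: drone-build-role
  namespace: apps--droneio--prd
rules:
  # Read-only access to Deployments (needed to inspect replica counts).
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # The scale subresource is what `kubectl scale` patches; granting it
  # separately avoids handing out update/patch on the whole Deployment.
  - apiGroups: ["apps"]
    resources: ["deployments/scale"]
    verbs: ["get", "update", "patch"]
    # Optional narrowing (assumption, not on the page): limit the scale
    # verbs to the single Deployment that serves as the build lock.
    # resourceNames: ["buildah-external"]
  # Pod access for watching readiness and managing build pods.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-build-rolebinding   # assumed name
  namespace: apps--droneio--prd
subjects:
  - kind: ServiceAccount
    name: default
    namespace: apps--droneio--prd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: drone-build-role
```

`resourceNames` cannot restrict `list` or `watch`, which is why it is shown only on the scale rule. If builds run commands through `kubectl exec`, `create` on the `pods/exec` subresource is also required and is not in the list above.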

### Verification:

```bash
kubectl auth can-i patch deployments/scale --as=system:serviceaccount:apps--droneio--prd:default -n apps--droneio--prd
# Result: yes ✅

kubectl auth can-i get deployments --as=system:serviceaccount:apps--droneio--prd:default -n apps--droneio--prd
# Result: yes ✅
```

## Status

✅ **RBAC PERMISSIONS FIXED**

The Drone builds can now:

- Scale the `buildah-external` deployment up from 0→1 (acquire build lock)
- Scale the `buildah-external` deployment down from 1→0 (release build lock)
- Monitor pod status and wait for readiness
- Execute build commands in the Buildah pod

## Next Steps

1. Repository needs to be **activated in Drone UI** at https://drone.aipice.local
2. Once activated, the Jsonnet pipeline with replica-based locking will work

The atomic build locking system is now ready to prevent concurrent builds! 🚀