[gha-runner-scale-set] Missing annotations on no permission service account
Checks
- [X] I've already read https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors and I'm sure my issue is not covered in the troubleshooting guide.
- [X] I am using charts that are officially provided
Controller Version
0.9.1
Deployment Method
Helm
Checks
- [X] This isn't a question or user support case (For Q&A and community support, go to Discussions).
- [X] I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
To Reproduce
1. Check that in the gha-runner-scale-set chart, there's no way to set custom annotations in `values.yaml` for the `no_permission_serviceaccount.yaml` template.
Describe the bug
We would like to have the ability to set custom annotations on the no_permission_serviceaccount for our gha runner scale sets. This can be needed in some Google Workload Identity setups:
iam.gke.io/gcp-service-account=IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com
Source: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#kubernetes-sa-to-iam
Describe the expected behavior
N/A
Additional Context
N/A
Controller Logs
N/A
Runner Pod Logs
N/A
Hello! Thank you for filing an issue.
The maintainers will triage your issue shortly.
In the meantime, please take a look at the troubleshooting guide for bug reports.
If this is a feature request, please review our contribution guidelines.
#3672 Hi, same issue
@noamgreen
As a workaround, I created another service account with the desired annotations in the same namespace and configured the template in gha-runner-scale-set to use it instead.
# Doc: https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml
template:
  spec:
    serviceAccount: custom-k8s-sa-name
    serviceAccountName: custom-k8s-sa-name
Yes, I just tested your commit and have the same issue: I can't get any access in "kubernetes" mode. Umm, not sure you can do that in the same pod... I don't understand the change GitHub did. What do they think, that I run the job locally and do what?
These are the resources I have after I use the commit you added (no change).
After I add the serviceAccountName,
it's disturbing the RoleBinding and you will get a lovely so if you look, when the pod gets up it gets some "SA" generated from the AutoscalingRunnerSet
'''
Error: Error: The Service account needs the following permissions [{"group":"","verbs":["get","list","create","delete"],"resource":"pods","subresource":""},{"group":"","verbs":["get","create"],"resource":"pods","subresource":"exec"},{"group":"","verbs":["get","list","watch"],"resource":"pods","subresource":"log"},{"group":"batch","verbs":["get","list","create","delete"],"resource":"jobs","subresource":""},{"group":"","verbs":["create","delete","get","list"],"resource":"secrets","subresource":""}] on the pod resource in the 'gha-runner' namespace. Please contact your self hosted runner administrator.
'''
So I think you need to add the ServiceName in what you did, and I am now trying to find what to add the one more service account.
Closing this one since custom annotations are added with #3934