I have set up a two-node kops cluster, where I have installed the helm tool.
I created my own application-specific helm package and installed it through helm, and everything works fine.
But when I tried to install nginx through the stable helm charts (as specified in the standard instructions), I am getting the below error:
root@ip-172-31-27-86:~/helm# helm install --name my-nginx stable/nginx-ingress
Error: release tinseled-billygoat failed: clusterroles.rbac.authorization.k8s.io "tinseled-billygoat-nginx-ingress" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["patch"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] user=&{system:serviceaccount:kube-system:default bdf8f2bc-84e2-11e8-8fa3-02f0fae19e8e [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]
helm list, containing chart details.
root@ip-172-31-27-86:/home/appHome/HelmPackages# helm list
NAME REVISION UPDATED STATUS CHART NAMESPACE
my-nginx 1 Wed Jul 11 11:02:37 2018 FAILED nginx-ingress-0.22.1 default
nodeapp1 1 Wed Jul 11 10:36:23 2018 DEPLOYED nodeapp-helm-0.1.0 default
It seems to be some kind of RBAC issue; however, I had successfully deployed nginx similarly before. But now I am facing this for the first time, so I am not exactly sure where it might be wrong.
Any help appreciated.
I tried re-installing helm with a service account:
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account tiller
Yet it was not helpful; I still faced the same issue.
But as a quick fix for the test env, I set this property while installing nginx:
--set rbac.create=false
And now Nginx is working fine, but this is not recommended for production servers.
helm install --name my-nginx stable/nginx-ingress --set rbac.create=false
Sounds like your helm service account does not have some privileges granted that your nginx ingress chart tries to create. RBAC does not allow creation of particular access if the user that is doing so does not have this access on its own, which is pretty logical for avoiding privilege escalation when delegating access.
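The escalation rule described in this answer, applied to the kind of error shown in the question, as an added example that is not part of the original posts: it parses a denial message into the acting user and the refused permissions, then runs a simplified coverage check against the rules that user holds. The sample message is constructed and shortened, the function names are hypothetical, and the check only understands `*` wildcards (no resourceNames, no aggregated roles).

```python
import re

# Constructed, shortened message in the same format as the API server error above.
SAMPLE_ERROR = (
    'clusterroles.rbac.authorization.k8s.io "example-nginx-ingress" is forbidden: '
    'attempt to grant extra privileges: '
    '[PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} '
    'PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} '
    'PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]}] '
    'user=&{system:serviceaccount:kube-system:default '
    '00000000-0000-0000-0000-000000000000 '
    '[system:serviceaccounts system:authenticated] map[]} '
    'ownerrules=[] ruleResolutionErrors=[]'
)

RULE_RE = re.compile(
    r'PolicyRule\{Resources:\[(.*?)\], APIGroups:\[(.*?)\], Verbs:\[(.*?)\]\}'
)

def _items(bracket_body):
    """Split the inside of a ["a" "b"] list into its quoted strings."""
    return re.findall(r'"([^"]*)"', bracket_body)

def parse_denial(msg):
    """Return (acting user, set of (apiGroup, resource, verb)) that was refused."""
    user = re.search(r'user=&\{(\S+)', msg).group(1)
    refused = set()
    for resources, groups, verbs in RULE_RE.findall(msg):
        for g in _items(groups):
            for r in _items(resources):
                for v in _items(verbs):
                    refused.add((g, r, v))
    return user, refused

def uncovered(requested, held):
    """Permissions in `requested` that no rule in `held` covers.

    Simplified model of the escalation check: a role may only be created
    by an identity that already holds every permission the role grants.
    """
    def covered(perm):
        g, r, v = perm
        return any(hg in ("*", g) and hr in ("*", r) and hv in ("*", v)
                   for hg, hr, hv in held)
    return {p for p in requested if not covered(p)}

if __name__ == "__main__":
    user, refused = parse_denial(SAMPLE_ERROR)
    print("acting identity:", user)
    for perm in sorted(uncovered(refused, held=set())):  # ownerrules=[]
        print("not held:", perm)
```

The acting identity printed here is the one whose bindings need checking; an empty `ownerrules` list means that identity held no rules at all when the request was evaluated.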