Couldn't be found at https://github.com/helm/helm/blob/master/docs/rbac.md , Is Tiller able to install chart on the other multiple namespaces?
I hope there is one Tiller on kube-system namespace and there are also multiple namespaces: namespaceA, namespaceB, namespaceC, ... .
Finally I hope I can deploy nginx to multiple namespaces like:
helm init --service-account tiller --tiller-namespace kube-system
helm install nginx --tiller-namespace kube-system --namespace namespaceA
helm install nginx --tiller-namespace kube-system --namespace namespaceB
I'd like to know if it is possible and how can Service Accounts, Roles and Role Bindings be set.
Thanks.
It can be done with clustetRoles instead of Roles, this way you can grant permissions in all namespaces. The clusterrole, clusterrolebinding and serviceaccount code would be:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-manager
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-binding
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
roleRef:
kind: ClusterRole
name: tiller-manager
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
If you only want to grant permissions to few namespaces, you should create a rolebinding in each namespace like this:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-binding
namespace: namespaceA
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
roleRef:
kind: ClusterRole
name: tiller-manager
apiGroup: rbac.authorization.k8s.io