I have the same problem, and finally solved the problem by change the network configuration of Calico, change the network to: 172.16.0.0/16 both in Calico deployment and Kubeadm init configuration file, not sure why the default network (192.168.0.0/16) not work, and my local network is 192.168.200.0, hope this can help who has same promblem.

The issue on GitHub looks pretty close to your case.

The solution provided by fossxplorer and improved by johnhamelink is to set automountServiceAccountToken parameter to "true" in the tiller deployment:

$ kubectl -n kube-system patch deployment tiller-deploy -p '{"spec": {"template": {"spec": {"automountServiceAccountToken": true}}}}'

If after that you have the following error:

Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

you should create ClusterRoleBinding for service account kube-system:default

$ kubectl --namespace=kube-system create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default

I recommend to create separate service account and select it during Helm initialization:

$ kubectl create serviceaccount --namespace kube-system tiller
$ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
$ helm init --service-account tiller

If you want secure Helm installation please follow the manual.