I'm following the official Helm documentation for "Deploy Tiller in a namespace, restricted to deploying resources only in that namespace". Here is my bash script:
Namespace="$1"
kubectl create namespace $Namespace
kubectl create serviceaccount "tiller-$Namespace" --namespace $Namespace
kubectl create role "tiller-role-$Namespace" /
--namespace $Namespace /
--verb=* /
--resource=*.,*.apps,*.batch,*.extensions
kubectl create rolebinding "tiller-rolebinding-$Namespace" /
--namespace $Namespace /
--role="tiller-role-$Namespace" /
--serviceaccount="$Namespace:tiller-$Namespace"
helm init /
--service-account "tiller-$Namespace" /
--tiller-namespace $Namespace
--override "spec.template.spec.containers[0].command'='{/tiller,--storage=secret}"
--upgrade
--wait
Running helm upgrade
gives me the following error:
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
Is there a bug in the official documentation? Have I read it wrong?
I'm not sure about --resource
flag correct syntax in your script, whether asterisk symbols "*" are allowed here, look at this issue reported on GitHub.
$ kubectl create role "tiller-role-$Namespace" \
--namespace $Namespace \
--verb=* \
--resource=*.,*.apps,*.batch,*.extensions
the server doesn't have a resource type "*"
But you can check this role object in your cluster:
kubectl get role tiller-role-$Namespace -n $Namespace -o yaml
Otherwise, try to create the role for tiller
within yaml file as guided in the documentation:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
namespace: tiller-world
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
Moreover, keep in mind that if you have installed tiller
in the non-default namespace (default
), it is necessary to specify namespace where tiller
resides on, when you invoke Helm
command:
$ helm --tiller-namespace $Namespace version
Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}