Setting up Helm RBAC Per Namespace

11/15/2018

I'm following the official Helm documentation for "Deploy Tiller in a namespace, restricted to deploying resources only in that namespace". Here is my bash script:

Namespace="$1"

kubectl create namespace $Namespace
kubectl create serviceaccount "tiller-$Namespace" --namespace $Namespace
kubectl create role "tiller-role-$Namespace" /
    --namespace $Namespace /
    --verb=* /
    --resource=*.,*.apps,*.batch,*.extensions
kubectl create rolebinding "tiller-rolebinding-$Namespace" /
    --namespace $Namespace /
    --role="tiller-role-$Namespace" /
    --serviceaccount="$Namespace:tiller-$Namespace"
helm init /
    --service-account "tiller-$Namespace" /
    --tiller-namespace $Namespace
    --override "spec.template.spec.containers[0].command'='{/tiller,--storage=secret}"
    --upgrade
    --wait

Running helm upgrade gives me the following error:

Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

Is there a bug in the official documentation? Have I read it wrong?

-- Muhammad Rehan Saeed
kubernetes
kubernetes-helm
rbac

1 Answer

11/16/2018

I'm not sure about --resource flag correct syntax in your script, whether asterisk symbols "*" are allowed here, look at this issue reported on GitHub.

$ kubectl create role "tiller-role-$Namespace" \
--namespace $Namespace \
--verb=* \
--resource=*.,*.apps,*.batch,*.extensions
the server doesn't have a resource type "*"

But you can check this role object in your cluster:

kubectl get role tiller-role-$Namespace -n $Namespace -o yaml

Otherwise, try to create the role for tiller within yaml file as guided in the documentation:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: tiller-world
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]

Moreover, keep in mind that if you have installed tiller in the non-default namespace (default), it is necessary to specify namespace where tiller resides on, when you invoke Helm command:

$ helm --tiller-namespace $Namespace version
Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
-- mk_sta
Source: StackOverflow