configmaps is forbidden error when attempting helm ls

12/5/2018
Error: configmaps is forbidden: User "system:serviceaccount:k8s-tiller:k8s-tiller" cannot list configmaps in the namespace "k8s-tiller": clusterrole.rbac.authorization.k8s.io "tiller" not found

Can someone explain this error? The "k8s-tiller": clusterrole.rbac.authorization.k8s.io "tiller" not found does not make sense to me. What is this meant to indicate?

Please ignore how to actually solve the error, I'm just looking for an explanation of it.

-- Chris Stryczynski
kubernetes
kubernetes-helm

2 Answers

12/5/2018

This error comes from RBAC (to know more about RBAC, see here).

Serviceaccount k8s-tiller in namespace k8s-tiller has no permission to list configmaps in namespace k8s-tiller. Also Clusterrole tiller does not exist in your cluster. The ClusterRoleBinding or RoleBinding you created for your serviceaccount k8s-tiller included ClusterRole tiller as roleRef. But that ClusterRole tiller does not exist.

-- nightfury1204
Source: StackOverflow
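
The dangling roleRef described in the answer above can be found mechanically. This is an added example, not part of the original answer: it assumes the cluster's RBAC objects were exported as JSON, and the sample objects (including the binding name tiller-binding and the namespace dev) are constructed.

```python
import json

# Constructed sample, shaped like the "items" of
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
SAMPLE = json.loads("""
[
 {"kind": "ClusterRole", "metadata": {"name": "view"}},
 {"kind": "Role", "metadata": {"name": "tiller-deploy-role", "namespace": "dev"}},
 {"kind": "RoleBinding", "metadata": {"name": "tiller-deploy-rolebinding", "namespace": "dev"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "tiller-deploy-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "tiller-deploy-sa", "namespace": "dev"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "tiller-binding"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "tiller"},
  "subjects": [{"kind": "ServiceAccount", "name": "k8s-tiller", "namespace": "k8s-tiller"}]}
]
""")


def find_dangling_role_refs(items):
    """Return bindings whose roleRef names a Role/ClusterRole that does not exist."""
    cluster_roles = {i["metadata"]["name"] for i in items if i["kind"] == "ClusterRole"}
    roles = {(i["metadata"]["namespace"], i["metadata"]["name"])
             for i in items if i["kind"] == "Role"}
    dangling = []
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        if ref["kind"] == "ClusterRole":
            exists = ref["name"] in cluster_roles
        else:
            # A Role is only resolved in the binding's own namespace.
            exists = b["kind"] == "RoleBinding" and (ns, ref["name"]) in roles
        if not exists:
            subjects = []
            for s in b.get("subjects") or []:
                if s["kind"] == "ServiceAccount":
                    subjects.append(f"system:serviceaccount:{s.get('namespace', ns)}:{s['name']}")
                else:
                    subjects.append(f"{s['kind']}:{s['name']}")
            dangling.append({"binding": f"{b['kind']}/{b['metadata']['name']}",
                             "missing": f"{ref['kind']}/{ref['name']}",
                             "subjects": subjects})
    return dangling


if __name__ == "__main__":
    for d in find_dangling_role_refs(SAMPLE):
        print(f"{d['binding']} -> {d['missing']} (not found); affects {d['subjects']}")
```

A binding reported here grants nothing, so every request from its subjects is denied until the referenced role is created or the binding is pointed at an existing one.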

12/5/2018

I can confirm what nightfury is saying, but you don't need to set a K8S ClusterRole; you just need to deploy a Tiller for your namespace and give it the right Role/RoleBinding and Service Account.

For deployment and history usage, you might prefer to deploy a Tiller per K8S namespace, so as not to override, for example, some deployments with the same name.

So to do this:

Create an SA:

kubectl create sa tiller-deploy-sa -n <Your_namespace>

Create Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: <Your_namespace>
  name: tiller-deploy-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

Please note that this role is not recommended for PROD and is used for example purposes only.

kubectl apply -f <filename>.yml

Create Rolebinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-deploy-rolebinding
  namespace: <Your_namespace>
# roleRef has no namespace field; a Role is resolved in the binding's own namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-deploy-role
subjects:
- kind: ServiceAccount
  name: tiller-deploy-sa
  namespace: <Your_namespace>

Apply the file created:

kubectl apply -f <filename>.yml

You can read more using K8S documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

-- hkhelil
Source: StackOverflow